US Department of Homeland Security heeds calls for tougher transportation cybersecurity rules
Adam Bannister December 08, 2021 at 16:23 UTC
Updated: December 09, 2021 at 10:56 UTC
TSA publishes mandatory requirements for “high risk” rail infrastructure
The United States Transportation Security Administration (TSA) has ordered operators of critical rail infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
A pair of security guidelines issued by the TSA on December 2 also require organizations involved in freight railways, passenger trains and “high-risk” rail transit to appoint a cybersecurity coordinator.
Among other things, the Cybersecurity Coordinator will report to TSA and CISA and oversee the formulation and implementation of a cybersecurity incident response plan as well as the conduct of a security vulnerability assessment.
The TSA, part of the Department of Homeland Security (DHS), has issued separate, voluntary guidelines recommending that the same measures be adopted by owners and operators of low-risk surface transportation.
“These new cybersecurity requirements and recommendations will help ensure the safety of the traveling public and protect our critical infrastructure against evolving threats,” said Homeland Security Secretary Alejandro N Mayorkas.
“DHS will continue to work with our partners at all levels of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
The aviation industry was also recently tasked with appointing a cybersecurity coordinator and advising the CISA of security incidents within 24 hours, with the TSA indicating that further arrangements are in the works.
The TSA also plans to launch a rule-making process for certain surface transport entities to increase their cybersecurity resilience, according to a press release published by DHS.
The measures emerged from a 60-day transport security ‘sprint’, which follows other DHS sprints focused on ransomware, an infosec recruiting campaign and industrial control systems. Election security and international capacity building sprints are yet to come.
While the mandatory requirements will likely be welcomed by many players in the infosec industry, Tara Wisniewski, executive vice president of advocacy, global markets and member engagement at infosec training nonprofit (ISC)², has already suggested that such measures are necessary but not sufficient.
“The key to establishing and maintaining these standards is education and professional development, which must be mandated alongside technology and other measures of good practice,” she told The Daily Swig in October, after lawmakers urged DHS to introduce tougher safety standards for the transportation sector.
Cybersecurity has been a cornerstone of President Biden’s agenda following a series of devastating cyber attacks that have impacted federal agencies and critical infrastructure.
A sweeping executive order signed in May ordered an overhaul of the federal software supply and called on software vendors to promptly notify U.S. federal government customers of security breaches.