A forthcoming Transportation Security Administration directive will require high-risk air and rail transit entities to appoint cybersecurity coordinators, establish a contingency and recovery plan, and report cyberattacks to the government, according to the Department of Homeland Security secretary.
DHS launched the fourth in a series of 60-day cybersecurity sprints in September aimed at strengthening the resilience of the transportation sector, in light of the “indiscriminate nature” of ransomware, said Alejandro Mayorkas.
The directive will be modeled after similar ones issued to pipeline operators following the Colonial Pipeline ransomware attack requiring robust vulnerability testing, appointment of cyber coordinators and reporting of cyberattacks within 12 hours of detection.
“I think fundamentally if we can drive the elevation of the cybersecurity hygiene of our country in all sectors, in all aspects — not just the sophisticated business but the small business, not just the small business but the home — that is No. 1,” Mayorkas said, during the Billington CyberSecurity Summit on Wednesday.
Separate guidance will be released for low-risk air and rail entities recommending the same actions, as will an information circular recommending cyber self-assessments, he added. TSA is already updating its aviation security program.
DHS’s isn’t neglecting sea transportation. The Coast Guard released its first Cyber Strategic Outlook since 2015 over the summer, and cyber specialists are being deployed at major U.S. ports to improve preparedness. About 2,300 maritime entities are being required to submit cyber plans to the Coast Guard, which is also working with the International Maritime Organization to ensure cargo and passenger vessels conduct cyber risk assessments and develop mitigation plans.
Mayorkas expressed optimism legislation putting further pressure on critical infrastructure operators to report cyber breaches quickly would pass, though he was concerned about setting reporting timelines.
“Candidly I worry a little bit about timeframes being legislated, given how dynamic the landscape is and whether legislation can match that dynamism as things evolve,” he said.
DHS’s first cyber sprint in March led to the launch of StopRansomware.gov, while the second led to the largest cyber hiring effort in the department’s history and paved the way for the launch of the DHS Cybersecurity Service on Nov. 15. The third sprint focused on industrial control systems.