Cyberattacks Become Looming Threat to Public Safety, Industry Leaders Step In

When we think of safety in the transportation industry, we may overlook one very important factor in keeping transportation as safe as possible–cybersecurity.

After a recent cyberattack on a large petroleum pipeline, the U.S. House of Representatives’ transportation committee is pushing for boosted insight regarding such cybersecurity operations. Chairman Peter DeFazio of Oregon told stakeholders at a Transportation and Infrastructure Committee hearing that cybersecurity improvements are imperative, and increasing oversight throughout transportation network cybersecurity–particularly within rail, aviation, and transit–should be prioritized now.

“I understand [the Transportation Security Administration] intends to issue a security directive for passenger rail, high-risk freight rail, and the transit sector,” he said while members discussed TSA’s cybersecurity guidelines. “For those that care about the public’s safety and the nation’s economic and national security, these efforts–in both the public and private sectors–should not be controversial.”

This kind of security needs to be taken much more seriously, DeFazio added, noting that public safety relies on keeping these sectors secure.

“The public’s safety and the nation’s security depend on these systems,” he continued. “While no single change can prevent every cyberattack, we need to raise the bar significantly and make cyberattacks on our systems much more difficult to accomplish.”

Additionally, TSA should welcome further stakeholder and public input regarding the creation of any new pipeline cybersecurity regulations, noted Railroads, Pipelines, and Hazardous Materials Subcommittee ranking member Representative Rick Crawford of Arkansas.

“We’re considering all of our options, including the most transparent option,” said deputy assistant administrator for policy, plans, and engagement at TSA, Victoria Newhouse, who added that this kind of input will help TSA to develop cybersecurity policies in the future. “As we have continued robust engagement, both at the classified and unclassified [levels], with all of our surface transportation stakeholders, in particular our pipeline, rail–freight rail, passenger rail–and aviation stakeholders, we’re considering all of those options.”

U.S. Department of Transportation agencies are also working together to find methods of avoiding cyberattacks like that of the Colonial Pipeline.

“We’ll continue to improve our existing systems to make them more secure, while they continue to operate, so that they resiliently support DOT’s operations and the American people,” said USDOT chief information officer Cordell Schachter. “We will also meet the challenge of continuously improving the cybersecurity of DOT information technology systems while keeping these systems available for use. We look forward to working with this committee, our agency partners, and the White House to strengthen and protect our infrastructure and systems.”

These collaborative efforts didn’t take long to bring actionable steps to fruition, as major freight and passenger railroads will now be required to report any cybersecurity breaches promptly and to regularly review their cyberattack vulnerability, as part of the Biden administration’s efforts to urge the private sector to further protect national infrastructure from hackers.

This new mandate was announced earlier this month by the U.S. Department of Homeland Security and will come into full effect on December 31st of this year.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Alejandro Mayorkas, Homeland Security Secretary. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

This new requirement will call for a designated cybersecurity coordinator for most railroads, who will need to conduct vulnerability assessments, create incident-response plans, and report any hacking-related incidents within 24 hours. Congress has given authority to the government to issue previous notice-and-comment period-bypassing directives for federal regulations. Additionally, TSA has recently required airport and airline operators to also designate a cybersecurity coordinator and report all cybersecurity incidents and issues to the Cybersecurity and Infrastructure Security Agency.

“The federal government should be part of the solution,” said Commerce Committee Chairwoman Maria Cantwell of these new regulations, adding that there is still an economic threat looming with future potential cyberattacks. “We need to bring about critical infrastructure investments in technology that can help the electricity grid and companies secure their networks from these kinds of intrusions.”