The Transportation Security Administration issued new requirements for train and airport travel intended to strengthen cybersecurity.
Under the new requirements, passenger and freight rail operators will have to establish a person in charge of cybersecurity who will report any incidents to the Cybersecurity and Infrastructure Security Agency. They will also assess the operator’s vulnerability and develop contingency and recovery plans in the event of a cybersecurity attack. Airport operators will have similar requirements, according to TSA.
“TSA is increasing the cybersecurity of the transportation sector through Security Directives, appropriately tailored regulations, and voluntary engagement with key stakeholders,” the agency said in its announcement. “In developing its approach, including these new Security Directives, TSA sought input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.”
The agency is also recommending some cybersecurity changes to smaller rail and airport operators that are not as vulnerable.
The Biden administration described the requirement as a part of the larger effort to protect critical infrastructure amid ransomware attacks and cyberespionage.
Homeland Security Secretary Alejandro Mayorkas said in a statement, “These new cybersecurity requirements and recommendations will help keep the traveling public safe. ... DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
During a congressional hearing on Dec. 2, TSA deputy assistant Victoria Newhouse said the agency had worked closely with private industry officials in crafting the regulations, including holding a classified briefing with freight and passenger rail executives earlier this week covering intelligence reports about cyber threats to the industry.
“The Biden administration has been pushing aggressively for greater private sector reporting of cyber incidents to the federal government,” reports AP News. “The Justice Department recently indicated it would sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices.”
The requirements, made public on Dec. 2, will go into effect at the end of 2022.