Nobody will ever forget the scenes from September 11th, 2001. Bad actors also remember the deep and lasting impact the attacks had, not just on the United States but on the whole world. Replicating this attack becomes harder as defenses and intelligence build, but transportation is still very much on every terrorist’s wish list, which means they have to think outside the box and try a different tactic or even a different mode of transportation if they want another 9/11.
Much of the focus to date on guarding against attacks on transportation and travelers has come in the form of physical security and screening technology. This is particularly true for surface transportation. Cyber attacks against the whole transportation sector are a growing and emerging threat due to the prevalence of remote and anonymous connectivity to systems and networks, and the capability to cause catastrophic physical consequences through virtual means.
On December 2, the Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure. These actions are among several steps the Department of Homeland Security (DHS) is taking to increase the cybersecurity of U.S. critical infrastructure, including initiatives for critical infrastructure control systems, which will have an impact on the transportation sector and many others.
Announcing the directives, Secretary of Homeland Security Alejandro N. Mayorkas said the new cybersecurity requirements and recommendations will help keep the traveling public safe and protect U.S. critical infrastructure from evolving threats.
In developing its approach to increase cybersecurity in the transportation sector, including these new Security Directives, TSA sought input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.
The new TSA Security Directives – effective December 31 – target higher-risk freight railroads, passenger rail, and rail transit. These directives require owners and operators to designate a cybersecurity coordinator; report cybersecurity incidents to CISA within 24 hours; develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
TSA is also releasing guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. In addition, TSA expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.
DHS provides the Surface Transportation Cybersecurity Resource toolkit – a collection of documents designed to provide cyber risk management information to surface transportation operators who have fewer than 1,000 employees. The materials are drawn from three primary sources: the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; Stop.Think.Connect, a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online; and the United States Computer Emergency Readiness Team, better known as US-CERT.
Following a ransomware attack on Colonial Pipeline in May, TSA issued a security directive requiring high-risk pipeline operators to report any cybersecurity incident to CISA within 12 hours. A further directive in July outlined specific actions pipeline operators must take to mitigate cybersecurity risks, including basic cyber hygiene practices like regularly patching software and implementing multi-factor authentication. While transportation is given 24 hours to report incidents to CISA, the 12-hour requirement remains for pipeline operators.
TSA also recently updated its aviation security programs to require that airport and airline operators designate a cybersecurity coordinator, and report cybersecurity incidents to CISA within 24 hours. TSA says it intends to expand the requirements for the aviation sector and issue guidance to smaller operators.
In October 2020, the Government Accountability Office (GAO) found vulnerabilities in avionics cybersecurity. These included insufficient patches applied to commercial software, insecure supply chain networks, malicious software, outdated legacy systems, and flight data spoofing. As a result, GAO made several recommendations to the Federal Aviation Administration, most of which met with agreement.
Secretary Mayorkas first outlined his vision for the Department’s cybersecurity priorities in March. He announced a series of “sprints” or focus areas, and the transportation sprint was scheduled to be announced in October, with election security to follow at the end of the year and the international cybersecurity sprint kicking off 2022. At the time of the announcement in March, Mayorkas promised that DHS would “empower TSA to increase the cyber resilience of other transportation systems – from rail to pipelines – that fuel so much of our economy”.
The new directives come almost three years to the day after TSA released its Cybersecurity Roadmap, which guides efforts to prioritize cybersecurity measures within TSA and across the transportation systems sector. Much work has already been done, yet the changes to travel imposed on operators by the COVID-19 pandemic have opened up new potential routes for cyberterrorists.
Writing for Homeland Security Today in February, Steve Karoly, former Acting Assistant Administrator for TSA’s Office of Requirements and Capabilities Analysis, said reducing touchpoints within the airport passenger screening process has been a focus area for several years now, but the COVID-19 pandemic changed the timeline.
“The deployment and use of automation and self-service technologies through biometrics, electronic IDs, or mobile applications have accelerated in 2020 with expectations they will continue to accelerate in 2021 (and beyond). Although these new ‘conveniences’ give passengers a more seamless passenger experience, they also provide cyberterrorists additional opportunities to locate and attack system vulnerabilities.
“Although policies, processes, and technologies are normally put in place by companies to help prevent or limit security incidents and data breaches, we need to be sure their products that are being deployed in airport environments, along with the associated airport’s IT infrastructure, have similar policies, processes, and technologies in place to prevent or limit cyber incidents.”