A bipartisan group of Senators has written to the Department of Homeland Security (DHS) and the Department of Transportation (DOT) to seek information about specific measures regarding planned cyber defense of U.S. critical infrastructure.
Addressed to Secretaries Mayorkas and Buttigieg, the letter says DHS and DOT must have the capabilities and resources to prevent and address the increasing cyber threat to transportation systems.
The Senators say that many state and local transit agencies “are not fully equipped to implement more than basic cybersecurity protections”. The letter points to a study by the Mineta Transportation Institute which found that only 60% of transit agencies had a cybersecurity plan in place last year.
“Other entities in the extensive and diverse transportation sector, which includes aviation, highways, motor carriers, maritime transportation, railroads, rail transit, and pipelines, have been implementing comprehensive cybersecurity plans for decades in collaboration with Federal agencies,” the letter reads. “As such, federal efforts to ensure that our nation is properly prepared to address cybersecurity threats to the transportation system require a delicate balance to provide critical assistance to entities that need new or additional cybersecurity support, while recognizing effective practices that some entities already have in place.”
The Senators request information about how DHS and DOT are meeting six key responsibilities:
- Support sector risk management,
- Assess sector risk,
- Sector coordination,
- Facilitating the sharing of information regarding physical security and cybersecurity threats within the designated sectors or subsectors,
- Supporting incident management, and
- Contributing to emergency preparedness efforts.
The letter also calls for an update on how DHS and DOT collaborate to avoid both gaps and redundancies in Federal risk management, including specific roles for each agency and delineation of law enforcement and safety responsibilities.
The Senators add that while the Transportation Systems Sector-Specific Plan from 2015 is a helpful tool, the nature of risk to U.S. critical infrastructure has changed over the past six years. “Our society and economy are increasingly dependent on computer networks and information technology solutions,” the letter states. “Ransomware attacks on the transportation industry, just one derivative of cyberattacks, increased by 186% between June 2020 and June 2021. Therefore, we request information on any efforts to update the Transportation Systems Sector-Specific Plan to provide the most effective assistance possible to improve the security and resilience posture of the nation’s transportation system.”
It is worth noting that on December 2, the Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure. The new TSA Security Directives – effective December 31 – require owners and operators to designate a cybersecurity coordinator; report cybersecurity incidents to CISA within 24 hours; develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.