From June 2020 to June 2021, the U.S. transportation industry experienced a 186 percent increase in weekly ransomware attacks. Other types of cyber attacks continue to rise at similar rates. In October 2022, pro-Russian hackers attacked the public-facing websites of numerous U.S. airports. While these attacks were mostly a nuisance, cyber experts speculate they were likely probes by hackers to learn and launch more malicious attacks in the future.
As cyber attacks continue to rise, transportation operators are simultaneously facing market demands to automate functions ranging from ticketing to the use of autonomous vehicles. Increased automation requires operators to rely even more heavily on information systems, resulting in a catch-22 between innovation and vulnerability.
In response, the Transportation Security Administration (TSA) and Cybersecurity and Infrastructure Security Agency (CISA) are broadening cybersecurity requirements for airport, airline, rail, pipeline, and mass transit operators. These detailed requirements include designating a cybersecurity coordinator, reporting cyber incidents, conducting cybersecurity assessments, and developing remediation and incident response plans.
Supporters applaud these new requirements as a necessary first step to hardening our transportation system’s vulnerability to attacks. Others – including some airport operators – argue that they are simply checklist activities that do little to actually improve cybersecurity.
TSA’s New Cyber Requirements Underscore Existing Resource Challenges on Both Sides
One underlying reason for criticism is the shortage of cybersecurity resources at the operator and government levels. On the operator side, a recent report by the Mineta Institute finds that few U.S. transit systems are sufficiently staffed for cybersecurity, regardless of their size, sophistication, or even whether the system incurred losses from a previous cyber attack.
Similarly, TSA and the broader Department of Homeland Security (DHS) struggle to recruit and retain cybersecurity personnel. Despite efforts to expedite recruiting processes, TSA and DHS must compete with both the private sector and other U.S. government departments for the same talent. According to Cyberseek, which is backed by the National Institute of Standards and Technology, there were over 714,000 cybersecurity vacancies in the United States as of August 2022.
As a result, the TSA’s newly imposed cybersecurity requirements cause implementation and oversight/remediation challenges due to insufficient resources to accomplish TSA’s objectives in the collaborative manner required. In addition, and at a higher level, TSA’s recent efforts beg the question as to whether TSA isn’t overregulating in this instance altogether. As an example, European legislators set high-level requirements that airport operators should have cybersecurity programs in place, but they do not dictate in detail what should be included in such programs. They leave this to the private sector.
TSA is excellent at compliance, and over the years it has matured its regulatory role to create a collaborative approach with regulated parties, particularly in aviation and surface venues. However, much of that outstanding work is because TSA had hundreds of experienced and well-trained aviation and surface inspectors to work through security requirements with operators well beyond a compliance checklist. TSA is not similarly staffed to address the evolving cybersecurity landscape.
Just as TSA’s resources may not be aligned with the need, the requirement to keep security information controlled also presents additional obstacles to improving security. The Sensitive Security Information (SSI) labels prevent potential vendors from viewing the cybersecurity requirements until after they have entered a vendor/contractor relationship with operators. This prohibits potential vendors from engineering novel and cost-competitive offerings. Instead, operators are left to try to solve their cyber challenges in-house for fear of releasing SSI to unauthorized parties.
Overcoming the Resource Challenges by Leveraging Industry
To overcome these challenges, TSA will need to strengthen its public/private partnerships and can decide to approach requirements in one of two ways: set high-level requirements and let the private sector take care of it, or build a cadre of certified private assessors who can work with operators to meet the ever-increasing cybersecurity needs of our transportation systems. Given TSA does not seem prone to go with the first option, the second may be of greater relevance.
Similar to its use of certified K9 firms in cargo screening facilities, TSA could certify cybersecurity firms to act as qualified program assessors. Operators could then use the certified program assessors to achieve compliance and truly bolster cybersecurity posture. The program assessors would assist operators in conducting the initial TSA-required assessment, developing a remediation plan, and developing an incident response plan.
Once this evaluation is completed to TSA standards, a TSA cybersecurity inspector would simply need to conduct a cursory document review and sign off on the plan. In turn, the TSA cybersecurity inspector could then direct their limited bandwidth to more vulnerable systems that need greater attention.
Benefits of the Proposed Framework
- Supports TSA’s Outcome-Focused Compliance Goals. In 2018, TSA released the Administrator’s Intent 1.0, which addressed partnering with industry to achieve positive security outcomes through Outcome-Focused Compliance (OFC) and emphasized collaboration over prescriptive compliance. Enlisting private cyber experts to help tailor plans to an operator’s needs and network while still ensuring regulatory compliance will support this goal and allow TSA to build a collaborative relationship and environment with its operators.
- Allows TSA to Focus on the Most Vulnerable Systems. TSA’s cybersecurity expertise and resources should be focused on solving systemic issues and addressing the most vulnerable systems in our transportation network. By creating a pool of private assessors, TSA shrinks the pool of operators it needs to focus on and allows TSA’s cybersecurity experts to concentrate on addressing system-wide issues and work with operators that are most vulnerable, resulting in more targeted outreach.
- Agile and Trusted Network of Qualified Cybersecurity Service Providers Results in More Responsive Cyber Defense. Under the proposed framework, this program would be open to any cyber provider who works through the certification process and agrees to the associated SSI restrictions. Creating this network of trusted providers gives TSA an expanded network to disseminate and receive emerging threat information. For instance, if a new ransomware attack emerges, TSA could engage its third-party providers, who already know the operators and their systems, to help resolve vulnerabilities.
- Cost Savings. According to the Mineta survey, cybersecurity is frequently underfunded by the leadership of transportation systems. Private assessors can provide a cost-effective solution without the long-term cost tail of full-time staff. In addition, allowing cybersecurity providers access to SSI requirements will help them devise more cost-effective offerings, including automating much of the routine cyber hygiene work required. Finally, once this assessment and certification process has matured, transportation operators can work with insurance providers to show cyber resilience when negotiating premiums and other risk-avoidance measures.
Regulatory Approaches Must Evolve to Meet New Threats
Cybersecurity presents new challenges for TSA and the industries it regulates. When TSA created its regulatory framework for aviation, the iPhone had yet to be released, and network integration into every aspect of transportation had yet to be realized. Now, networks control everything from airline ticketing to rail movement to the flow of resources through pipelines across the country. This new reality calls for new approaches and solutions to evolving threats. Leveraging private-public partnerships is one step toward creating a cyber-resilient system.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].