The Transportation Security Administration (TSA) is taking steps to strengthen cybersecurity across the nation’s transportation systems, but additional actions are required to address vulnerabilities effectively, particularly in the face of ransomware attacks according to a new GAO report. The Government Accountability Office (GAO) has highlighted key areas where TSA’s cybersecurity initiatives show promise and where critical gaps remain.
The TSA, as part of the Department of Homeland Security (DHS), oversees the security of the nation’s transportation sector, which includes freight rail, passenger rail, pipelines, and other critical infrastructure. In response to increasing cyber threats, TSA has issued five security directives since May 2021 to mitigate risks, particularly after a significant ransomware attack on a U.S. pipeline company. These directives, developed with industry feedback, aim to strengthen the cybersecurity posture of the transportation systems sector.
In November 2024, TSA issued a notice of proposed rulemaking to formalize cybersecurity requirements for surface transportation owners and operators. This rule builds on performance-based cybersecurity requirements outlined in earlier directives. However, GAO has raised concerns that these measures do not fully align with best practices for mitigating ransomware risks, which have become increasingly disruptive to transportation systems.
GAO has identified several challenges in TSA’s cybersecurity approach. For instance, while TSA has worked to address risks associated with internet-connected devices within the transportation sector, it has yet to develop effective metrics to measure the success of its efforts. Furthermore, TSA has not conducted sector-wide cybersecurity risk assessments specific to these devices, leaving gaps in understanding and mitigating potential vulnerabilities.
GAO recommended in prior reports that DHS assess the adoption of leading cybersecurity practices across the transportation systems sector, particularly to combat ransomware. GAO also advised TSA to develop a sector-specific plan with clear metrics and to include internet-connected devices in sector-wide risk assessments. As of November 2024, these recommendations have not been fully implemented, limiting TSA’s ability to comprehensively address cybersecurity risks.
The GAO’s findings underscore the persistent threats facing transportation systems and the need for a more robust and measurable cybersecurity framework. Domestic and foreign adversaries continue to view critical infrastructure as a strategic target due to its potential for widespread disruption.
GAO has issued six recommendations to DHS and TSA to enhance cybersecurity in the transportation sector. While DHS and TSA have expressed agreement with these recommendations, only one has been fully implemented to date. GAO continues to monitor TSA’s progress in addressing these issues.
Read the full GAO report here.