The Department of Transportation (DOT) could improve how it implements cybersecurity policies, says a new report from the Government Accountability Office (GAO).
Systems supporting critical infrastructure such as transportation are at risk from malicious cyber actors and evolving attack methods. Risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.
In March, the European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report dedicated to the transportation sector. ENISA noted an increase in attacks on transportation by cyber criminals and nation-state actors and cited various examples from the U.S., including the first publicly known case of a double-extortion ransomware attack against a U.S. freight rail operator, and the Port of Houston Authority cyber attack, which is believed to have originated from a nation-state actor. In addition, Microsoft has reported that ‘Iran-linked’ hackers targeted U.S., EU and Israeli defense and maritime sectors with ‘password spray’ attacks.
Beyond intentional attacks, environmental disruptions and human and machine errors also have the potential to harm transportation IT and OT infrastructure and the traveling public.
DOT has established cybersecurity roles and responsibilities for officials who manage cybersecurity at agencies within the department. The Office of the Chief Information Officer (CIO) is the authoritative source of departmental policy and associated implementation procedures for the management and execution of all resources within DOT’s $3.5 billion annual IT portfolio. GAO’s review found that the CIO regularly communicates with component agencies by sharing information through daily cyber operations meetings and periodic informational emails. In addition, component agency managers told GAO that the CIO provides access to cybersecurity tools for incident and vulnerability management and other technical assistance.
GAO also found that DOT supported managers by providing cybersecurity role-based training. However, the DOT Office of Inspector General (OIG) has previously reported deficiencies in the clarity of training requirements, such as the required number of hours, and the monitoring of training completion. GAO determined that OIG’s 2019 and 2021 recommendations to address these deficiencies are not yet implemented.
Indeed, OIG has brought to light a number of longstanding cybersecurity deficiencies at DOT and its components. DOT policy requires annual reviews of component agency cybersecurity programs, but GAO found these reviews have not been effective in driving the actions needed to implement the 63 unresolved cybersecurity recommendations reported by OIG in September 2022.
To assess managers’ performance, DOT established performance plans for its component agency senior IT managers. However, while DOT’s strategic plan identified cybersecurity as an organizational objective, GAO found that 15 of 18 managers’ performance plans did not include cybersecurity-related expectations. In addition, GAO said the department CIO did not always participate in evaluating the performance of component agency CIOs.
Given the risks that cybersecurity threats present to the transportation sector, GAO recommends that DOT use annual reviews to address prior OIG cybersecurity recommendations; include cybersecurity-related expectations in senior managers’ performance plans; and ensure that the DOT CIO is involved in evaluating component CIOs’ performance. DOT concurred and outlined actions it has already taken to prioritize cybersecurity, including holding daily cybersecurity meetings with component IT and cybersecurity officials, initiating IT program reviews with component IT and budget officials, and prioritizing the recruitment and retention of cybersecurity talent for its workforce.