“Inaction is not an option” – US lawmakers support mandatory standards for transport and logistics cybersecurity
House Homeland Security Committee hearing focuses on securing “planes, trains and pipelines”
U.S. lawmakers are calling for mandatory cybersecurity measures for the transportation and logistics industry, following an increase in ransomware and other cyber attacks.
A hearing of the House Homeland Security Committee this week – Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats – heard that transportation systems, including aviation, rail, shipping, and ports, are increasingly targeted by hackers.
Following the Colonial Pipeline ransomware attack this summer, members of Congress are calling on owners and operators of critical national infrastructure to step up protection of their IT systems.
Cybersecurity, Infrastructure Protection and Innovation subcommittee chair Yvette Clarke told the hearing that the question is whether the current approach – which is primarily based on voluntary partnerships – actually works, or whether certain security requirements should be imposed.
The congresswoman stressed that cybersecurity mandates are not new: mandates were issued to critical infrastructure operators under President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Transport security, however, has remained on a voluntary basis.
This, she said, poses risks to transportation systems and especially to their users. Thus, the TSA’s decision to impose requirements marks “a crucial transition in the federal government’s approach to cybersecurity.”
When the gas stops flowing
Transportation and Marine Safety Subcommittee Chair Bonnie Watson Coleman said at the hearing: “I want to be absolutely clear: When it comes to transportation cybersecurity, inaction is not an option. When gas stops flowing due to a cyber attack, it doesn’t just affect the owner of the pipeline – it means Americans are struggling to fill their tanks.
“If hackers manage to bring down a plane or derail a train, an airline or a railroad would not pay the highest price. The real cost would be borne by the injured or killed passengers.”
But, she said, most transport operators “currently have no obligation” to meet even basic cybersecurity standards. She told the hearing that in recent months, attackers have targeted the New York Public Transportation Authority, the Massachusetts Ferry System and the Port of Houston, Texas.
Earlier this month, the Department of Homeland Security (DHS) announced new requirements for high-risk rail and airline operators. These include mandatory reporting of incidents to CISA, and a requirement for organizations to designate a cybersecurity coordinator and put in place a cybersecurity disaster recovery plan. A security directive is expected to follow in spring 2022.
Subcommittee chair Bonnie Watson Coleman also warned that higher security standards should apply to “all modes of transportation,” especially with the growth of connected and autonomous vehicles, and that the US Coast Guard must enforce cybersecurity standards in its area of responsibility: ferries, ports and maritime systems.
More collaboration needed
Witnesses at the hearing stressed that better cooperation and collaboration are needed, both between operators and between government agencies. Security cooperation is sometimes made more difficult by duplication between federal and other government agencies, they said.
Witnesses called included Suzanne Spaulding, senior advisor to the Homeland Security International Security Program, Center for Strategic and International Studies; Patricia Cogswell, Strategic Advisor at Guidehouse and former Assistant Administrator of the Transportation Security Administration; Jeffrey Troy, President and CEO of the Aviation Information Sharing and Analysis Center; and Scott Dickerson, executive director of the Maritime Transportation System Information Sharing and Analysis Center.
The U.S. transportation and logistics industry has suffered dozens of cyberattacks in recent months
“First, the purely voluntary approach just hasn’t got us where we need to be, despite decades of effort,” said Spaulding.
“The threat evolves much faster than our defense, even in these key areas where there has been significant advancement in cyber, there is still a need to ensure continued investments in all critical assets.”
“Cyber risks to the aviation industry have increased,” added AISAC’s Jeffrey Troy. “Together, private industry and the public sector have dramatically increased cooperation on threat intelligence and best practices, and now is the time for industry and government to partner even more closely to create and improve effective cyber risk reduction frameworks.”
Cyber security professionals have praised the House committee’s focus on the threat to transportation systems.
“There is no doubt that protecting the country’s critical infrastructure from cyber threats is of utmost importance to maintain security as well as the economy,” Tara Wisniewski, executive vice president of advocacy, global markets and member engagement at infosec nonprofit (ISC)², told the Daily Swig.
“When (ISC)² recently surveyed cybersecurity professionals, two-thirds mentioned the need for state- and federal-funded cybersecurity measures, while 57% specifically called for government mandates and ‘application of minimum cybersecurity standards’.
“The key to establishing and maintaining these standards is education and professional development, which must be mandated alongside technology and other measures of good practice… professionals charged with protecting key infrastructure and services.”