The US federal government has imposed two cyber security mandates on “higher-risk” railroad and rail transit systems, despite industry efforts to beat back regulations, as reported by CBS News.
In a statement, US Department of Homeland Security Secretary Alejandro Mayorkas explained the new cyber security requirements and recommendations will help keep the travelling public safe and protect critical infrastructure from evolving threats.
The new security measures will order critical passenger and freight railways to take these actions:
- Report cyber incidents to the federal government within 24 hours.
- Appoint a cyber security point-person available 24/7 to liaison with federal agencies.
- Develop an incident response plan.
- Conduct a vulnerability assessment to address cyber security gaps.
- The directives, published by the Department of Homeland Security and Transportation Security Administration Wednesday, expand on pipeline regulations imposed earlier this year that are designed to shore up the nation's critical infrastructure, following a number of ransomware attacks.
Officials representing rail and transit sectors complained to Congress that the reporting requirements were too broad and extensive.
In an October letter to key lawmakers, Paul Skoutelas, president and CEO of the American Public Transportation Association (APTA) wrote that mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical.
The nonprofit group represents approximately 1,500 public and private sector stakeholders.
"[T]he additional personnel and resources needed to comply with the requirements will add significant compliance costs just as transit agencies are working to recover from the COVID-19 pandemic," the letter continued.
TSA deputy assistant administrator Victoria Newhouse addressed the industry's concerns.
"These are very tight deadlines, and [stakeholders] have communicated dutifully with us."
"They were very direct and frankly vocal with us when they met challenges," Newhouse said.
One of those challenges, Newhouse added, is ascertaining what kind of cyber security incidents need to be reported.
"We have taken steps and a great deal of feedback to modify that definition to not include all potential incidents," Newhouse said.
The government and industry must strike a balance between reporting incidents the government needs to know about, "while also making sure that we don't request every incident and get drowned out by the noise," a senior homeland security official told CBS News. Wednesday's announcement comes on the heels of months-long Congressional debate over mandatory cyber incident rules, with competing proposals vying for inclusion in the 2022 defense policy package.
Major cyber incidents this year resulted in days-long fuel shortage on the US East Coast, temporary shutdown of one of America's largest beef suppliers and a supply chain attack crippling thousands of businesses over the 4 July weekend.
The new rules will apply to passenger rail companies including Amtrak, as well as subway systems like New York's MTA, though industry leaders say rail and transit sectors have steered clear of the kind of massive breaches that demand emergency action.
In a testimony before Congress, Thomas Farmer, the assistant vice-president of security at the Association of American Railroads, questioned the justification behind the move.
"We have not been apprised of any imminent or elevated threat to railroads or rail transit agencies as a justification for this emergency action, nor are our railroads seeing the sort of activity that would be indicative of an elevated, specific, persistent threat," Farmer said.
Notably, the Southeastern Pennsylvania Transportation Authority, powering Philadelphia's transit network, did fall victim to a ransomware attack in 2020.
A China-linked hacker group gained initial entry to MTA computer systems in 2021 but fell short of accessing networks controlling train cars within the New York City subway system.
Rafail Portnoy, chief technology officer of the New York City Metropolitan Transportation Authority told CBS News in a statement that the MTA will comply with the new regulations.
"The MTA has multilayered cyber security systems, is constantly vigilant against this global threat and will ensure compliance with any TSA regulations," Portnoy said.