
New TSA Cybersecurity Regulations Coming for Rail and Aviation Industries, Including Attack Reporting Requirements

Tighter cybersecurity regulations that have already come for certain critical infrastructure industries are now being applied to rail and aviation, as the Biden administration continues a general program of hardening the country’s online defenses.

The new cybersecurity regulations will apply to “higher risk” rail entities, for example those carrying fuels, and are also set to become the new way of doing business for a broad range of both passenger and cargo aircraft operators.

New cybersecurity regulations start with “critical” operators, will expand over time

As with most industries, rail and aviation have operated under a voluntary system of guidelines for reporting cyber attacks such as ransomware. That is slated to change, as has already happened for the oil and gas pipeline industry in the wake of troubling ransomware attacks on Colonial Pipeline and other organizations that have a potential impact on national security matters.

The new cybersecurity regulations for the transportation industry will come in the form of a Transportation Security Administration (TSA) security directive, currently being drafted and set to go into effect by the end of the year. The directive has not yet been fully shaped, but some general points were revealed by Homeland Security Secretary Alejandro Mayorkas last week: a window in which impacted organizations must report cyber incidents to federal agencies, the appointment of cybersecurity point persons for interaction with the government, and the development of a formal contingency and recovery plan. The Cybersecurity and Infrastructure Security Agency (CISA) is the lead agency for reporting and communication on cyber attacks.

The Biden administration’s rapid rollout of new cybersecurity regulations has seen pushback from some quarters, chiefly from oil and gas industry trade groups. The railroad industry was quick to respond in a similar way. The Association of American Railroads, which represents freight carriers, said that the industry was only given three days to review and respond to the draft proposal and that its carriers are already voluntarily coordinating with federal agencies.

The TSA has said that it plans to involve industry groups in longer-term rulemaking efforts, but the initial directive represents the “bare minimum of today’s cybersecurity best practices.” The new cybersecurity regulations impact federal contractors in related industries as well; Deputy Attorney General Lisa Monaco said that the Justice Department is planning to fine government contractors and companies that receive federal funds when they are in violation of the new rules. Contractors can also find themselves in trouble if they misrepresent cybersecurity practices or protocols, or knowingly provide deficient cybersecurity products or services. Monaco said that the fines for these infractions would be “very, very hefty.”

Rules still under development, permanent measures forthcoming

The wording of the announcement appears to include all major commercial airports and passenger airlines, and officials also stated that Amtrak and the larger subway systems of major municipalities (such as the New York City area and Washington DC) would be included in the initial requirements. “Lower-risk” rail entities, such as local passenger light rail systems, will be given “voluntary guidance” that encourages them to meet the same standards but will not be required by law to do so.

Since the new cybersecurity regulations are established under an emergency directive, they are scheduled to expire in a year. The administration has signaled that it wants these changes to be permanent, but making them so requires a more rigorous formal process that involves a public comment period. The current directives are also subject to legal challenges under the Administrative Procedure Act (APA), something that industry groups have discussed for the similar pipeline directives that were put in place over the summer.

While ransomware attacks on Colonial Pipeline and other elements of critical infrastructure have grabbed headlines in recent months, there has also been something of a trend of attacks on local transit agencies. Some of these, most notably an attack on New York’s Metropolitan Transportation Authority, have been linked to foreign nation-state actors. Some attacks have seen the intruders explore the system but stop short of accessing systems that could cause real-world damage, such as train control systems; the probing is similar to what Russia-backed hacking groups have been suspected of doing in the electric grid for years.

In other cases, criminal actors have hit passenger systems with ransomware in a bid for profit. There has not yet been a shutdown of public transit services attributed to ransomware, but in June attackers hit the booking system of the Steamship Authority of Massachusetts. The attack did not impact movement of the ferries that go between Cape Cod and Nantucket, but passengers were not able to book tickets or modify existing reservations online for about a week. Similar ransomware incidents have happened with the public transit authorities in San Francisco, Santa Clara, Fort Worth and Philadelphia in recent years.