Friday, December 3, 2021

TSA Rolls Out Railroad & Aviation Security Directives

The Transportation Security Administration (TSA), on Thursday, issued Two Security Directives requiring Rail and Rail Transit Groups, to implement steps to strengthen Cybersecurity of the Sector, including a Requirement to Report Cyber Incidents to the Federal Government.

The Security Directives require Higher-Risk Freight Rail, Passenger Rail, and Rail Transit Groups to Report Cybersecurity Incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of Detection and to designate a Cybersecurity Coordinator.

The Directives also require these Groups to Complete Vulnerability Assessments of their Networks, and then develop a Cybersecurity Incident Response Plan, based on Security Issues discovered.

One Directive applies to Freight Rail Groups, while the other to Passenger Rail and Rail Transit Companies, but are Identical.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats. Department of Homeland Security (DHS) will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide,” Homeland Security Secretary, Alejandro Mayorkas said.

Mayorkas first announced the upcoming Directive for the Rail Sector in October, pointing to the need, in particular, to Protect against Ransomware Attacks.

Mayorkas also announced that a similar Directive would be rolled out for the Aviation Sector, with Senior DHS Officials telling Reporters Thursday, that TSA had “recently updated aviation security programs to require airport operators to take similar steps” to what Rail Sector Groups were being Required to do.

Since Mayorkas’s announcement, Key Industry Groups have expressed Concerns around the Planned Directive, including the potential Issue of the Reporting Mandate for Incidents being too Broad and Not being aware of Increased Threats to the Rail Sector. One particular iIsue of concern was the need to Define what Type of Cyber Incident to Report.

The Senior DHS Officials said that TSA had worked with Industry Groups to address these Concerns, and had given Two Drafts of the Directives to Stakeholders to Review and provide Feedback prior to the Announcement on Thursday.

“With respect to the definition the key balance that we need to strike is obviously trying to make sure that we capture those incidents that the government needs to be aware of because of the risk associated with it and making sure that we learn of those that rise to that level, while making sure that we don’t track every incident and get drowned out by the noise, so that is the careful balance we have tried to strike as we craft that language,” a senior DHS Official said.

Victoria Newhouse, the Deputy Assistant Administrator for, Policy, Plans and Engagement at TSA, testified during a House Transportation and Infrastructure Committee hearing Thursday, that TSA had taken steps to heighten Industry Input into the Directive, and was working “extremely closely” with other Agencies in this effort.

“We have continued robust engagement,” Newhouse testified. “As recently as this week I along with several of my top leadership here at TSA have met with freight rail and passenger rail executives with a classified briefing in our facility to show them what we are seeing, elicit input, and ask them for more input for either future requirements or other guidelines that we could issue together by us just telling them this is what they need to do.”

Newhouse also noted that on Thursday, ahead of the Directive’s Announcement, “a number of pipeline individuals, CISOs and other security personnel are receiving briefings as we speak, and we do have an apparatus around the United States to support those briefings thanks to our law enforcement and intelligence community partners.”

One of the Groups that had expressed concerns was the Association of American Railroads (AAR), which represents Rail Companies across North America including the National Railroad Passenger Corporation (Amtrak). Jessica Kahanek, a Spokesperson for AAR, said ahead of the announcement, that some initial Concerns had been addressed.

“AAR has had productive consultations with TSA officials in recent weeks to address adverse effects that the Security Directives, as originally drafted, would have on long-standing effective practices maintained by railroads,” Kahanek said. “As a result, we anticipate that changes have been made to the content of the directives to alleviate these significant concerns.”

TSA previously issued Two Security Directives designed to shore up the Cybersecurity of the Pipeline Sector, earlier this year, following the Ransomware attack on Colonial Pipeline, which caused Temporary Shortages of Gas in several States and crippled a Key Supply Chain.

The previous Directives for the Pipeline Sector required Owners and Operators to Report Cybersecurity Incidents to CISA within 12 hours, to take Security Measures to Protect against Ransomware Attacks and Develop Recovery Plans in the event of a successful attack.

NYC Wins When Everyone Can Vote! Michael H. Drucker

No comments: