TSA to impose cybersecurity mandates on major rail and subway systems
WASHINGTON - The federal government will impose cybersecurity mandates on “higher-risk” railroad and rail transit systems this year, expanding its regulatory push beyond pipelines, the nation’s top homeland security official plans to announce Wednesday.
The move reflects a determination by the Biden administration to use its rulemaking muscle to compel critical industries to improve their cybersecurity in the wake of damaging cyberattacks on a major American pipeline and the world’s largest meat supplier.
“Our freight rail system is essential not only to our economic well-being, but also to the ability of our military to move equipment from ‘fort to port’ when needed,” Homeland Security Secretary Alejandro Mayorkas said in prerecorded remarks to be delivered Wednesday, a copy of which was provided in advance to The Washington Post.
The new mandates will apply to passenger rail companies like Amtrak as well as large subway systems including New York’s and Washington’s, officials said.
Following the May ransomware attack on Colonial Pipeline, the Transportation Security Administration, a DHS agency, issued the first of two emergency “security directives.” The first one required pipeline companies to report cyber incidents to DHS and to name a cybersecurity point person.
In July, it followed up with more substantive rules requiring companies to develop an incident response plan, as well as more prescriptive security measures. The rules drew some criticism, with industry groups saying the standards would have benefited by greater consultation.
“Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient ... surface transportation sector,” Mayorkas said in remarks to the Billington Cybersecurity Summit.
The coming directive will require the largest and most critical rail and subway systems to identify a cybersecurity point person, report incidents to the Cybersecurity and Infrastructure Security Agency and create an incident recovery plan, he said.
The new directive, which will expire in one year, will not be as prescriptive as the one issued in July for pipelines. The TSA, Mayorkas said, will undertake a full rulemaking process to develop more permanent regulations - a process that requires the agency to solicit public comment, among other things.
For “lower-risk” rail entities, TSA will issue voluntary guidance that “encourages, rather than requires” these companies to take the same measures, Mayorkas said.
Railroad industry officers said the new mandates are not necessary. “We’re doing all of those [measures],” said Thomas Farmer, assistant vice president for security at the Association of American Railroads, which represents the seven largest freight railroads and Amtrak, among other large systems.
Farmer said the railroad industry has had a coordinating committee on cybersecurity matters dating to 1999, when it was formed in anticipation of a global digital crisis occasioned by computers being unable to account for the turn of the millennium. The “Y2K” crisis never materialized but the committee was retained and has been regularly sharing information on cyber threats, protective measures and more with the federal government since 2014.
“So it is surprising to have mandates for these actions that we have been taking for a long time,” he said.
The railroad association was provided only three business days to comment on the planned directive, he said. He said the group “assembled a lot of feedback” and he hopes “it will be seriously considered.”
He said the industry does not believe regulation is the best way to achieve cybersecurity. “From our perspective, we can be far more effective working collaboratively with government than is the case with mandates by security directives or rulemaking,” he said.
Rafail Portnoy, the chief technology officer for the Metropolitan Transportation Authority, which operates New York’s subway system, the country’s largest, said, “The MTA has multilayered cybersecurity systems, is constantly vigilant against this global threat, and will ensure compliance with any TSA regulations.”
Ruth Clemens, a DHS spokeswoman, said the department “applauds the owners and operators who have already taken action based on the voluntary guidance provided by TSA, the Coast Guard, and CISA, but more needs to be done to ensure the transportation sector as a whole is prepared and resilient.”
Suzanne Spaulding, a former senior DHS official, said that despite industry’s opposition to regulation, her sense is the political ground is shifting.
“The attacks on Colonial Pipeline and [meat supplier] JBS got the public’s attention, which gets policymakers’ attention,” said Spaulding, a member of the Cyberspace Solarium Commission, a congressionally mandated group to recommend improvements to cybersecurity. “There is growing bipartisan support for stronger measures, including mandates. Industry needs to significantly up its game in cybersecurity to make the case that voluntary approaches work.”
Mayorkas also said that TSA plans to issue new requirements for critical U.S. airport operators and air passenger and cargo companies to designate a cybersecurity coordinator and report cyber incidents to CISA.
The Washington Post’s Justin George contributed to this report.