Written by Dave Nyczepir
An upcoming directive from the Transportation Security Administration will require high-risk air and rail transport entities to appoint cybersecurity coordinators, establish a contingency and recovery plan and report cyber attacks to the government, according to the secretary of the Department of Homeland Security.
DHS launched the fourth in a series of 60-day cybersecurity sprints in September aimed at building the resilience of the transportation sector, in light of the “blind nature” of ransomware, said Alejandro Mayorkas.
The directive will build on similar directives issued to pipeline operators following the Colonial Pipeline ransomware attack requiring robust vulnerability testing, appointment of cyber coordinators and reporting of cyber attacks within 12 hours of detection.
“I fundamentally believe that if we can improve the hygiene of cybersecurity in our country in all sectors, in all aspects – not just sophisticated businesses but small businesses, not just small businesses but the home – it is #1,” Mayorkas said at the Billington CyberSecurity Summit on Wednesday.
Separate guidelines will be issued for low-risk aviation and rail entities recommending the same actions, as will an advisory circular recommending cyber self-assessments, he added. TSA is already updating its aviation security program.
DHS is not neglecting maritime transport. The Coast Guard released its first Cyber Strategic Outlook since 2015 over the summer, and cyber specialists are deployed to major U.S. ports to improve preparedness. About 2,300 maritime entities are required to submit cyber plans to the Coast Guard, which also works with the International Maritime Organization to ensure that freighters and passenger ships complete cyber risk assessments and develop plans for mitigation.
Mayorkas expressed optimism that legislation putting additional pressure on operators of critical infrastructure to promptly report cyber breaches would pass, though he was concerned about setting reporting deadlines.
“Frankly, I’m a little worried about the legally prescribed timelines, given the dynamism of the landscape and whether the legislation can match that dynamism as things evolve,” he said.
DHS’s first cyber sprint in March led to the launch of StopRansomware.gov, while the second led to the largest cyber-hiring effort in department history and paved the way for the launch of DHS’s cybersecurity service on November 15. The third sprint focused on industrial control systems.