The Transportation Security Administration is issuing new directives and recommendations aimed at strengthening the cybersecurity defenses of U.S. rail and airport operators.
The Biden administration said the requirements made public Thursday are part of a broader effort at protecting the nation’s critical infrastructure from ongoing cyberespionage and a surge in disruptive ransomware attacks.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe,” Homeland Security Secretary Alejandro Mayorkas said in a statement. He had previously previewed the new regulations in October.
The new TSA directives require most passenger and freight rail operators to identify a cybersecurity point person, report incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency, conduct a vulnerability assessment and develop a contingency and recovery plan in case of malicious cyber activity. They go into effect at the end of the year and the TSA said it is making similar changes to requirements for airport operators.
The TSA said it is recommending but not mandating cybersecurity requirements to some smaller and lower-risk rail and airport operators.
The new regulations are similar to ones issued in May for pipeline operators following the Colonial Pipeline ransomware attack that disrupted gas supplies in several states.
Republican lawmakers have expressed concern that the TSA has crafted new cybersecurity directives without enough transparency and input from affected industries.
“We believe that care must be taken to avoid unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance,” a group of Republican senators said in an October letter to DHS’ Office of Inspector General asking for a review of TSA’s process for developing new cybersecurity regulations.
Victoria Newhouse, a TSA deputy assistant administrator, said at a congressional hearing Thursday that the agency had worked closely with private industry officials in crafting the regulations. She said that included a classified briefing with freight and passenger rail executives earlier this week to share intelligence reports about cyber threats to their industry and to solicit input on regulations.
The Biden administration has been pushing aggressively for greater private sector reporting of cyber incidents to the federal government. The Justice Department recently indicated it would sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices.