The Transportation Security Administration will impose new cybersecurity mandates on the railroad and airline industries, including reporting requirements as part of a department effort to force compliance in the wake of high-profile cyberattacks on critical industries, Homeland Security Secretary Alejandro Mayorkas announced Wednesday.
DHS is moving to require more companies in critical transportation industries to meet a cybersecurity baseline, chipping away at voluntary cybersecurity incident reporting.
As part of a forthcoming “security directive,” TSA will require higher-risk railroad and rail transit entities to report cyber incidents to the federal government, identify cybersecurity point persons and put together contingency and recovery plans in case they become victims of cyberattacks.
The directive will be issued by the end of the year, Mayorkas said at the annual Billington CyberSecurity Summit, where he spoke virtually.
“Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said.
The Biden administration on Wednesday pushed several new initiatives as officials fanned out to public events amid Cybersecurity Awareness Month to promote new efforts and urge companies to better protect themselves and the American public, including a Department of Justice effort to impose fines on companies that don’t meet certain standards.
Members of the railroad industry immediately pushed back on the announcement, arguing that the security directive would require railroads to undertake actions that have long been in place.
The rail industry had only three business days to review and provide feedback on the draft security directive, according to a spokesperson for the Association of American Railroads, an industry group for the freight rail sector, who added that railroads have “consistently reported to federal security agencies on cybersecurity intelligence and incidents for several years.”
“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” the spokesperson added in a statement.
Earlier this year, TSA issued two security directives aimed at critical pipeline companies in the months after a crippling ransomware attack that prompted the shutdown of one of America’s most important pipelines and led to gasoline shortages and very long lines at the pump.
For the airline industry, TSA will require critical US airport operators, passenger aircraft operators and all-cargo aircraft operators to designate cybersecurity coordinators and report cyber incidents to the Cybersecurity and Infrastructure Security Agency by the end of the month.
The agency will expand the covered entities gradually and consider additional measures over time, Mayorkas said.
“Taken together, these elements – a dedicated point of contact, cyber incident reporting and contingency planning – represent the bare minimum of today’s cybersecurity best practices,” Mayorkas added.
In addition to the immediate steps, TSA is working on a longer-term rule-making process to “strengthen cybersecurity and resilience in the transportation sector,” he said, which will include input from industry.
Padraic O’Reilly, co-founder of CyberSaint Security, told CNN that for some industries “voluntary standards just don’t do it,” pointing out that companies put more resources into baseline security and protecting their systems when it’s required by the federal government.
“We’re now in the middle of a maelstrom,” he said of the cybersecurity threats facing critical industries and the need to protect them.
Also on Wednesday, Deputy Attorney General Lisa Monaco announced that for the first time the Justice Department plans to impose substantial fines on government contractors or companies that receive federal funds when they fail to follow cybersecurity standards, such as a requirement to report ransomware attacks.
Under the new initiative, the Justice Department will go after contractors for knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
“Where those who are entrusted with government dollars, who are trusted to work on sensitive government systems, fail to follow required cybersecurity standards, we’re going to go after that behavior and extract very hefty, very hefty fines,” Monaco said.
CNN’s Jessica Schneider contributed to this story.