US airlines and railroads will have to report cyber breaches to the federal government, the Biden administration said Thursday, as officials warn of increasing danger from attempted hacks.
There have been several reported cyber attacks on the rail sector over the past year, such as a breach of the computer systems of New York’s Metropolitan Transportation Authority, a ransomware attack on Toronto’s transit agency and a cyberattack on the Ann Arbor Area Transportation Authority that caused temporary disruptions to real-time bus information.
Since the crippling ransomware attack on Colonial Pipeline earlier this year, US authorities have scrambled to implement measures to help protect critical infrastructure in the US from cyber attacks.
Under the new Transportation Security Administration mandates, major rail operators will be required to designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours, complete a vulnerability assessment and develop a cybersecurity incident response plan.
Airport and airline operators will also be required to designate a cybersecurity coordinator and report cybersecurity incidents within 24 hours.
“Cybersecurity incidents affecting transportation are a growing, evolving and persistent threat,” Victoria Newhouse, TSA’s deputy assistant administrator, told the House Transportation Committee on Thursday. “Across US critical infrastructure, cyber threat actors have demonstrated their willingness and ability to conduct malicious cyber activities targeting critical infrastructure by exploiting the vulnerability of operational technology and information technology systems.”
Following the ransomware attack on Colonial Pipeline earlier this year, TSA issued two security directives mandating cybersecurity requirements on the pipeline industry.
Since the issuance of those security directives, pipeline operators have reported 591 cyber-related incidents, according to the Department of Homeland Security.
Of those 591 incidents, one was rated as having a “low” impact, meaning it is “unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.”
The rest were rated “negligible” or “minor” – designations that are considered baseline and present even less concern than “low.”