House Committee on Homeland Security hearing pulls focus on securing ‘planes, trains, and pipelines’

US lawmakers are calling for mandatory cybersecurity measures for the transport and logistics sector

US lawmakers are calling for mandatory cybersecurity measures for the transport and logistics sector, in the wake of an increase in ransomware and other cyber-attacks.

A hearing of the House Committee on Homeland Security this week – Transportation Cybersecurity: Protecting planes, trains, and pipelines from cyber threats – heard that transport, including aviation, rail, shipping and ports, is increasingly being targeted by criminal hackers.

Following the Colonial Pipeline ransomware attack over the summer, members of Congress are calling on owners and operators of critical national infrastructure to increase protection of their IT systems.


Cybersecurity, Infrastructure Protection, and Innovation Subcommittee chairwoman Yvette Clarke told the hearing: “Shocked by what we learned during their oversight of Colonial Pipeline and other recent high-profile cyber incidents, members of congress have begun to question whether the federal government’s approach to cybersecurity – which relies primarily on voluntary partnerships – actually works, or whether some security requirements ought to be mandated.”

The congresswoman pointed out that cybersecurity mandates are not new, and that mandates were issued to critical infrastructure operators by then-President Obama under Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Transport security, however, has continued to operate on a voluntary basis.

That, she said, poses risks to transport systems and above all, to their users. So, the move by the TSA to mandate requirements marks “a pivotal transition in the federal government’s approach to cybersecurity”.

When the gas stops flowing

Transportation and Maritime Security Subcommittee chairwoman Bonnie Watson Coleman told the hearing: “I want to be crystal clear: when it comes to transportation cybersecurity, inaction isn’t an option. When gas stops flowing due to a cyber-attack, it doesn’t just impact the pipeline’s owner – it means Americans struggle to fill up their tanks.

“If hackers succeed in bringing down a plane or derailing a train, it’s not an airline or railroad that would pay the steepest price. The real cost would be borne by the passengers injured or killed.”

But, she said, most transportation operators “currently have no obligation” to meet even baseline cybersecurity standards. She told the hearing that, in recent months, attackers have targeted New York’s public transport authority, the Massachusetts ferry system, and the Port of Houston, Texas.


Earlier this month, the Department of Homeland Security (DHS) announced new requirements for higher-risk rail and aviation operators. These include mandatory reporting of incidents to CISA, a requirement for organizations to identify a security co-ordinator, and a requirement to put in place a cybersecurity incident recovery plan. This is set to be followed by a security directive in spring 2022.

Subcommittee chairwoman Bonnie Watson Coleman also warned that higher security standards should apply to “all transportation modes”, especially with the growth in connected and autonomous vehicles, and that the US Coast Guard needs to enforce cybersecurity standards within its domain of ferries, ports, and maritime systems.

More collaboration needed

Witnesses to the hearing pointed out that better co-operation and collaboration are needed, both between operators and between government agencies. Security co-operation is sometimes made harder by duplication of roles among federal and other government agencies, it was claimed.

Witnesses called included Suzanne Spaulding, senior adviser at Homeland Security International Security Program, Center for Strategic and International Studies; Patricia Cogswell, strategic advisor at Guidehouse and former deputy administrator for the Transportation Security Administration; Jeffrey Troy, president and CEO of the Aviation Information Sharing and Analysis Center; and Scott Dickerson, executive director at the Maritime Transportation System Information Sharing and Analysis Center.

[Image caption: The US transport and logistics sector has suffered dozens of cyber-attacks over recent months]

“First, the purely voluntary approach simply has not gotten us to where we need to be, despite decades of effort,” acknowledged Ms Spaulding.

“The threat is evolving much more quickly than our defense. Even in these key sectors where there has been significant progress on cyber, there is still a need to ensure continued investment across all vital assets.”

“The cyber risks to the aviation industry have increased,” added A-ISAC’s Jeffrey Troy. “Together, both private industry and the public sector have significantly increased cooperation in threat intelligence and best practices, and now’s the time for industry and government to partner even more closely in creating and enhancing effective cyber risk reduction frameworks.”


Cybersecurity professionals welcomed the House Committee’s focus on the threat to transport systems.

“There is no question that securing the nation’s critical infrastructure from cyber threats is of paramount importance to maintaining safety as well as the economy,” Tara Wisniewski, executive vice president of advocacy, global markets, and member engagement at infosec non-profit (ISC)² told The Daily Swig.

“When (ISC)² recently polled cybersecurity professionals, two-thirds cited a need for state and federal-funded cybersecurity measures, while 57% specifically called for government mandates and enforcement of minimum cybersecurity standards.

“The key to establishing and maintaining those standards is education and professional development, which needs to be mandated side-by-side with technology and other best practice measures… To do so ensures a clear and repeatable benchmark for competence while maintaining readiness among the very professionals charged with protecting key infrastructure and services.”
