Cybersecurity Mandates and Reporting Requirements for Transportation Discussed in T&I Hearing

November 05, 2021  | Katie Donahue

Yesterday, the House Transportation and Infrastructure Committee met in a hearing to discuss “The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation’s Infrastructure.” In this full committee hearing, each of the six T&I subcommittees had a respective witness. In many ways, this is a complementary hearing to last week’s Homeland Security hearing on cybersecurity in transportation (covered here in last week’s ETW).

Witnesses included:

  • Scott Belcher, President and CEO, SFB Consulting, LLC, Testifying on behalf of Mineta Transportation Institute
  • Megan Samford, Vice President, Chief Product Safety Office, Energy Management, Schneider Electric and ISA Global Cybersecurity Alliance (ISAGCA)
  • Thomas L. Farmer, Assistant Vice President, Security, Association of American Railroads
  • Michael Stephens, General Counsel and Executive Vice President, Tampa International Airport
  • John Sullivan, Chief Engineer, Boston Water and Sewer Commission, Testifying on behalf of the Water Information Sharing and Analysis Center (WaterISAC)
  • Gary Kessler, PhD, Non-Resident Senior Fellow, Atlantic Council

While the hearing also included witnesses from the water and emergency protection sectors, the majority of it was directed at cybersecurity in transportation, with most questions addressed to Belcher (transit), Farmer (railroads), and Kessler (maritime), and a few questions for Stephens (aviation). Similar to last week’s Homeland Security hearing, discussion generally fell into two categories: cybersecurity mandates and reporting cybersecurity incidents.

Cybersecurity mandates

While last week’s Homeland Security hearing had many cybersecurity pro-mandate voices, this hearing was more varied: while Belcher, Stephens, and Kessler were pro-mandate, Farmer was anti-mandate.

Rep. Ritchie Torres (D-NY) last week mentioned “common sense” cybersecurity measures (see here), and this was a recurring theme in this hearing as well: many mentioned mandates for basic security measures such as two-factor authentication, annual password resetting, and software updates. Many argued that implementing these would be a light lift for all sectors, which should already be doing this as part of cybersecurity best practices.

Belcher recounted the poor state of cybersecurity in many transit agencies. He listed some troubling statistics:

  • Only 60 percent of transit agencies have a cybersecurity preparedness program
  • 43 percent do not believe they have the resources necessary for cybersecurity preparedness
  • Only 47 percent audit their cybersecurity program at least once per year
  • Between June 2020 and June 2021, there was a 186% increase in ransomware attacks in the transportation sector

Agencies do not purposefully leave cyber initiatives out; rather, many small agencies simply do not have the capacity or know-how to strengthen their cyber protections. This is why Belcher is pro-mandate, saying that transit agencies want regulation because they do not have the proper guidance. They get some advice from industry trade groups like APTA and AASHTO, but must get top-down guidelines, as well as funding and tools to support their cybersecurity initiatives. This is all the more pressing given the recent hacks at SEPTA, the Martha’s Vineyard ferries, and, just last week, Toronto transit. Since many transit agencies do not have dedicated cybersecurity personnel, Belcher recommends that they make cybersecurity part of their enterprise management.

Belcher made clear that there needs to be a cybersecurity overhaul within the transit sector. To do this, Belcher first recommended that transit agencies analyze their current cybersecurity measures, as he has seen that most agencies do not know what their current protocols are. Then, he recommends that agencies put a cybersecurity plan in place.

In addition, Belcher recommended that companies keep adequate data logs. This way, if there were a ransomware attack, a company could easily go back and recreate everything without having to pay a hacker’s ransom. He recommended that trade associations spread the word and provide guidance to industry on the value of data logs.

The maritime sector already has strong reporting requirements for safety, said Kessler, so it would not be a big deal to have targeted cybersecurity reporting requirements, so long as the threshold for reporting is well-defined.

Farmer, however, was against mandates, arguing that the industry knows best. He believes that there is already a robust cybersecurity sharing network within the railroad industry, and additional sharing measures are unnecessary. CISA, he said, should provide the industry with “signals and not noise,” and focus on effective communications on real cyber threats instead of warning the industry on every potential threat.

Reporting cybersecurity incidents

Similar to last week’s Homeland Security hearing, this T&I hearing also emphasized the inefficient and often confusing process of reporting cybersecurity incidents. Many witnesses in this hearing criticized the 24-hour reporting mandate from the TSA. Farmer and Stephens, in particular, argued that 24 hours leads to rushed analysis as it is not enough time to accurately assess the nature of a cyber threat. Rather, said Stephens, the FBI’s 72-hour reporting policy is a more reasonable timeline.

Witnesses also agreed that if there is a reporting mandate, there is a need for a reporting threshold. Stephens stated that Tampa International Airport receives three million “cyber attempts” a year. It is unreasonable to report every one of these, so there need to be guidelines on which cyber threats must be reported. Another area of confusion with reporting is that the lines are often fuzzy on which agency a cybersecurity report should be submitted to. Farmer said this leads to sending different reports to multiple agencies for a single incident (a main theme in the Homeland Security hearing). He recommended clearer guidance on reporting (while in last week’s hearing, many recommended that CISA act as a centralized repository for reporting).
