Cybersecurity Mandates and Reporting Requirements for Transportation Discussed in T&I Hearing
Yesterday, the House Transportation and Infrastructure Committee met in a hearing to discuss “The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation’s Infrastructure.” In this full committee hearing, each of the six T&I subcommittees had a respective witness. In many ways, this is a complementary hearing to last week’s Homeland Security hearing on cybersecurity in transportation (covered here in last week’s ETW).
- Scott Belcher, President and CEO, SFB Consulting, LLC, Testifying on behalf of Mineta Transportation Institute
- Megan Samford, Vice President, Chief Product Safety Office, Energy Management, Schneider Electric and ISA Global Cybersecurity Alliance (ISAGCA)
- Thomas L. Farmer, Assistant Vice President, Security, Association of American Railroads
- Michael Stephens, General Counsel and Executive Vice President, Tampa International Airport
- John Sullivan, Chief Engineer, Boston Water and Sewer Commission, Testifying on behalf of the Water Information Sharing and Analysis Center (WaterISAC)
- Gary Kessler, PhD, Non-Resident Senior Fellow, Atlantic Council
While this also included witnesses from the water and emergency protection sectors, the majority of this hearing was directed at cybersecurity in transportation, with most questions addressed to Belcher (transit), Farmer (railroads), and Kessler (maritime), and a few questions for Stephens (aviation). Similar to last week’s Homeland Security hearing, discussion generally fell into two categories: cybersecurity mandates and reporting cybersecurity incidents.
While last week’s Homeland Security hearing had many cybersecurity pro-mandate voices, this hearing was more varied: while Belcher, Stephens, and Kessler were pro-mandate, Farmer was anti-mandate.
Rep. Ritchie Torres (D-NY) last week mentioned “common sense” cybersecurity measures (see here), and this was a recurring theme in this hearing as well: many mentioned mandates for basic security measures such as two-factor authentication, annual password resetting, and software updates. Many argued that implementing these would be a light lift for all sectors, which should already be doing this as part of cybersecurity best practices.
Belcher recounted the poor state of cybersecurity in many transit agencies. He listed some troubling statistics:
- Only 60 percent of transit agencies have a cybersecurity preparedness program
- 43 percent do not believe they have the resources necessary for cybersecurity preparedness
- Only 47 percent audit their cybersecurity program at least once per year
- Between June 2020 and June 2021, there was a 186 percent increase in ransomware attacks in the transportation sector
Agencies do not purposefully leave cyber initiatives out; rather, many small agencies simply do not have the capacity or know-how to strengthen their cyber protections. This is why Belcher is pro-mandate, saying that transit agencies want regulation because they do not have the proper guidance. They get some advice from industry trade groups like APTA and AASHTO, but they need top-down guidelines, as well as funding and tools to support their cybersecurity initiatives. This is all the more pressing given the recent hacks at SEPTA, the Martha’s Vineyard Ferries, and just last week at Toronto transit. Since many transit agencies do not have dedicated cybersecurity personnel, Belcher recommends that they make cybersecurity part of their enterprise management.
Belcher makes clear that there needs to be a cybersecurity overhaul within the transit sector. To do this, Belcher first recommended that transit agencies analyze their current cybersecurity measures, as he has seen that most agencies do not know what their current protocols are. Then, he recommends that agencies put a cybersecurity plan in place.
In addition, Belcher recommended that companies keep adequate data logs. This way, if there were a ransomware attack, a company could go back and recreate everything without having to pay a hacker’s ransom. He recommended that trade associations spread the word and provide guidance to industry on the value of data logs.
The maritime sector already has strong reporting requirements for safety, Kessler said, so it would not be a big deal to add targeted cybersecurity reporting requirements, so long as the threshold for reporting is well-defined.
Farmer, however, was against mandates, arguing that the industry knows best. He believes that there is already a robust cybersecurity sharing network within the railroad industry, and additional sharing measures are unnecessary. CISA, he said, should provide the industry with “signals and not noise,” and focus on effective communications on real cyber threats instead of warning the industry on every potential threat.
Reporting cybersecurity incidents
Similar to last week’s Homeland Security hearing, this T&I hearing also emphasized the inefficient and often confusing process of reporting cybersecurity incidents. Many witnesses in this hearing criticized the 24-hour reporting mandate from the TSA. Farmer and Stephens, in particular, argued that 24 hours leads to rushed analysis as it is not enough time to accurately assess the nature of a cyber threat. Rather, said Stephens, the FBI’s 72-hour reporting policy is a more reasonable timeline.
Witnesses also agreed that if there is a reporting mandate, there is a need for a reporting threshold. Stephens stated that Tampa International Airport receives three million “cyber attempts” a year. It is unreasonable to report every one of these, so there need to be guidelines on which cyber threats must be reported. Another area of confusion is that the lines are often fuzzy on which agency a cybersecurity report should be submitted to. Farmer said this leads to sending different reports to multiple agencies for a single incident (a main theme in the Homeland Security hearing). He recommended clearer guidance on reporting (while in last week’s hearing, many recommended that CISA act as a centralized repository for reporting).