Mandatory Cybersecurity Incident Reporting, Better Protection Measures for Critical Infrastructures Pushed at Homeland Security Committee Hearing

Mandatory Cybersecurity Incident Reporting, Better Protection Measures for Critical Infrastructures Pushed at Homeland Security Committee Hearing

October 29, 2021  | Katie Donahue

This past Tuesday, the House Homeland Security Committee convened a hearing to discuss cybersecurity mandates on nationally significant infrastructure sectors such as aviation, rail, and pipelines. This hearing, titled “Transportation Cybersecurity: Protecting Planes, Trains, and Pipeline from Cyber Threats,” was a dual hearing of their Infrastructure Protection, & Innovation and the Transportation & Maritime Security subcommittees.

In light of the catastrophic Colonial Pipeline ransomware attack in May 2021, the Homeland Security Committee has met to discuss next steps for better cybersecurity, particularly for infrastructures of national significance.

Much of the hearing discussed mandates for reporting cybersecurity incidents. Most participants agreed that there is need for increased mandates while reducing redundant reporting. All also agreed on the need to harmonize reporting processes between the many agencies that deal with cybersecurity incidents (DHS, DOT, FBI, TSA, FAA), and recommended using PPPs to take over for capacity-strapped agencies like CISA (Cybersecurity and Infrastructure Security Agency). Witnesses also recommended CISA act as centralized repository for incident reporting.

Witnesses included:

  • Hon. Suzanne Spaulding, Senior Adviser, Homeland Security International Security Program, Center for Strategic and International Studies, Former Under Secretary, National Protection and Programs Directorate
  • Ms. Patricia F.S. Cogswell, Strategic Advisor, Guidehouse, Former Deputy Administrator, Transportation Security Administration
  • Mr. Jeffrey L. Troy, President & CEO, Aviation Information Sharing and Analysis Center, Former Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Mr. Scott Dickerson, Executive Director, Maritime Transportation System Information Sharing and Analysis Center

All witnesses agreed that we no longer can rely solely on voluntary measures for cybersecurity protections. Instead, we must turn to mandates. Currently, Spaulding said, almost no companies report cybersecurity incidents, and many put off safety measures until it is too late – she noted that Colonial Pipeline was due for a cybersecurity update, but they had put it off. Cogswell noted the value of TSA’s Security Directives, which immediately mitigate a threat and sending message to hackers. DHS enacted one following the Colonial hack, mandating critical pipelines take immediate cybersecurity measures.

Nevertheless, while enacting these mandates, Troy recommended consulting and working with the industry, citing the DOD’s successful model of working with defense contractors on cybersecurity requirement. He also recommended using a phased approach to regulation so the industry can get requirements squarely in place.

However, the problem with some reporting mandates come when a facility is intermodal, such as ports. Some ports own, in addition to their maritime infrastructure, the last mile of rail lines or pipelines. Dickerson pointed out that having mandates specific to each type of mode can lead to ports spending much money on redundant reporting to satisfy mode-specific requirements.

Many witnesses mentioned the concept of “harmonizing” the cybersecurity reporting system. The redundancies mentioned above show why harmonizing the reporting process is so essential: if there is an incident and a facility must report it, staff do not have to use their time and resources to craft reports specific to local, state, and federal or mode-specific reporting requirements instead of dealing with the issue itself. Dickerson recommends standardizing incident reports to ease the burdens on facilities.

In addition, it is often unclear who to submit the report to. There are often overlapping jurisdictions within DHS, TSA, FBI, FAA, DOD, and DOT, and an incident report could be submitted to multiple agencies. Spaulding also noted that the need for better inter-agency cooperation so all are kept up to date, particularly as agency jurisdictions overlap.

In line with the harmonization theme, Troy recommended that Congress streamline the federal and state reporting process, so resources are not wasted on customizing reports for multiple agencies. This is why Dickerson and Spaulding both recommended that CISA act as the standard depository for all cybersecurity incident reports. Troy also recommended that CISA should distribute timely information on cyberattacks. When autonomized incident reports are shared widely and quickly, the industry is better informed against potential threats. One place where the reporting-sharing exist, told Dickerson, is within the maritime sector. Many security advisories are being distributed, mostly because of the anonymization of identities, which reinforces trust within maritime community.

Cogswell and Spauling were both advocates for using public-private partnerships that include reputable third parties. For example, there is precedent for P3s as TSA’s canine program contracts out to a third-party to train the animals. This way, TSA can regulate both the entity that is providing the service and entity that is using it. With this model, agencies can expand services without worrying about a lack of resources. CISA’s resources are stretched, and P3s are a good way to expand capacity.

In addition, even when some in the industry give the government information on cyber-attacks, they do not hear back. Dickerson confirmed that sometimes it can be months before the Coast Guard give anything back to the industry. They are working to lessen the wait time and get information reports back to industry in a timely manner.

While improving cybersecurity was at the top of each of these participants’ minds, there was some disagreement on classification. Spauling stumbled while answering Rep. Ritchie Torres’ (D-NY) question on whether the Colonial Pipeline should be classified as a “significant incident” (hint: it was not). If that incident, which led to skyrocketing gas prices and gas shortages on the East Coast is not a significant incident, then what is? Torres also pressed Spaulding on why there are no universal cybersecurity measures, such as multiple factor authentication, software updates, password updates, and contingency planning. If these are the most basic best practices in all sectors, he wondered why we don’t mandate. Spaulding, nor others, had a good answer.

Share

Related Articles

Cybersecurity Mandates and Reporting Requirements for Transportation Discussed in T&I Hearing

Cybersecurity Mandates and Reporting Requirements for Transportation Discussed in T&I Hearing

Yesterday, the House Transportation and Infrastructure Committee met in a hearing to discuss “The Evolving Cybersecurity Landscape:...

Mandatory Cybersecurity Incident Reporting, Better Protection Measures for Critical Infrastructures Pushed at Homeland Security Committee Hearing

Mandatory Cybersecurity Incident Reporting, Better Protection Measures for Critical Infrastructures Pushed at Homeland Security Committee Hearing

This past Tuesday, the House Homeland Security Committee convened a hearing to discuss cybersecurity mandates on nationally significant...

Rethinking Cybersecurity Policies for Critical  U.S. Transportation Infrastructure

Rethinking Cybersecurity Policies for Critical  U.S. Transportation Infrastructure

Cyberattacks are posing an increasing threat on critical transportation infrastructure in the United States. A recent, high-profile...

Webinar: Automated Vehicle Technology, Public Policy, and BMW's Level 3 AV System

Webinar: Automated Vehicle Technology, Public Policy, and BMW's Level 3 AV System

While much of the transportation-related news has been focused on COVID-19 recovery, automated vehicle technologies are quietly progressing...

Webinar: Transportation Cybersecurity: Understanding Risks and Creating a Culture of Security

Webinar: Transportation Cybersecurity: Understanding Risks and Creating a Culture of Security

Essential transportation technologies, such as connected vehicles, tolling payment systems, back office systems, and road side units, need...

Webinar: Geofencing and the Potential of Connected Vehicles

Webinar: Geofencing and the Potential of Connected Vehicles

Full obedience of traffic rules and regulations and the ability to dynamically change them, depending on the current situation in a city or...

Webinar: Transportation in the Age of Biometrics

Webinar: Transportation in the Age of Biometrics

When: 4:00pm ET, Wednesday, July 11, 2019 Where: Via webinar Register In October, the TSA released their Biometrics Roadmap for...

Eno Staff to Participate in Infrastructure Week 2019

Eno Staff to Participate in Infrastructure Week 2019

May 9, 2019 Eno staff will participate in several events during Infrastructure Week, May 13-20, 2019. Register for our webinars and...

Eno at Infrastructure Week: Webinar Series

Eno at Infrastructure Week: Webinar Series

Smarter Cities and Intelligent Transportation Through Breakthrough Technology When: 4:00pm ET, Wednesday, May 15,...

Homeland Panel Examines Cyber Threats to Surface Transportation

Homeland Panel Examines Cyber Threats to Surface Transportation

March 1, 2019 On February 26, the House Homeland Security Committee held a joint hearing to look at ways to secure the U.S. surface...

Capitol Hill Events - Week of February 25, 2019

Capitol Hill Events - Week of February 25, 2019

Tuesday, February 26 – House Homeland Security – Subcommittee on Transportation and Maritime Security – subcommittee hearing on...

WMATA Urges Congressional Action on Railcar Supply Concerns, As EU Rejects Siemens-Alstom Merger

WMATA Urges Congressional Action on Railcar Supply Concerns, As EU Rejects Siemens-Alstom Merger

February 8, 2019 This week, the director of the Washington Metropolitan Area Transit Authority (WMATA) told Congress that he has ordered...

Be Part of the Conversation
Sign up to receive news, events, publications, and course notifications.
No thanks