Transportation and Cybersecurity: What’s New and What’s Next
May 12 marked the one-year anniversary of the end of the Colonial Pipeline ransomware attack. When hackers took over an important petroleum pipeline serving the East Coast, it caused fuel shortages and demonstrated very publicly the cyber vulnerabilities in the United States. All sectors of transportation are vulnerable to cyber threats, including transit agencies large and small, the maritime sector and port complexes, freight railroads, the aviation sector, and roads and highways (due to infrastructure such as signals, sensors, and message boards). Attacks are not one-off events: the newly-created Cyber Resilience Center at the Port of Los Angeles is reportedly stopping more than 40 million cyber threats a month, double what it was just two years ago. Furthermore, cyber threats have increased due to Russia’s invasion of Ukraine and are expected to continue to escalate during this global unrest.
Cybersecurity experts agree that despite this heightened vulnerability, the transportation sector lags behind other industries in preventing and preparing for cyber threats. To combat this, cybersecurity is increasingly being regulated, prioritized, and funded by federal policymakers through long-range plans such as the Department of Transportation’s Strategic Plan FY18-22, policy priority plans such as the President’s FY23 budget and last year’s Executive Order 14028 focused entirely on improving cybersecurity, as well as funding schemes like the Infrastructure Investment and Jobs Act (IIJA) and the 2022 omnibus bill. This federal emphasis has elevated the importance of cybersecurity at the state and local levels and has long-term implications for better preparing the industry for future attacks.
Federal transportation cybersecurity policy structure
From 2007 to 2018, federal cybersecurity efforts were managed by the National Protection and Programs Directorate (NPPD), a component of the Department of Homeland Security (DHS) that worked to identify and eliminate cyber threats to critical infrastructure in the United States. The Cybersecurity and Infrastructure Security Agency (CISA) was created in 2018 by Congress and signed into law by President Trump as a separate agency within DHS. CISA fills the cyber mission of the former NPPD and has more resources to meet increasing cyber threats.
CISA has two roles as mandated by Congress: first, it is the operational lead for federal cybersecurity across all sectors, partnering with the Office of Management and Budget. It also works with the public and private sectors to reduce risk to cyber and physical infrastructure, including critical U.S. infrastructures.
For its part, U.S. DOT also plays an active role in providing cybersecurity guidance to state and local agencies as well as private companies. It also manages cybersecurity for the infrastructure that it operates, like the air traffic control system. The Department of Transportation’s Strategic Framework for FY22-26 emphasizes cybersecurity, mentioning it in two of the plan’s 27 strategic goals: investing in ‘Critical Infrastructure Cybersecurity’ under the safety category and ‘Enterprise Cyber Risks’ under their organizational category. The framework promotes increasing system resilience to cyber threats by improving information sharing, building in cyber protections rather than retrofitting, and bolstering system response plans. It also aims to improve internal DOT cyber practices, increase departmental cybersecurity awareness, and provide cyber professional development training to all DOT staff.
Because CISA is such a young agency, there are current debates about its future authorities, including its relationship with U.S. DOT. As it stands now, cyber incidents in transportation often must be reported to multiple agencies, yet each has differing reporting requirements, further stretching staff capacity and decreasing willingness to report incidents. But in an October 2021 House Homeland Security hearing, some witnesses advocated for CISA to act as a repository for all cybersecurity reporting to help unify overlapping jurisdictions for cyber incidents between FBI, TSA, DOD, FAA, FTA, and others. President Biden’s FY23 budget increases CISA’s funding, and there is a strong bipartisan appetite for increasing financial support for this new agency.
New federal transportation cyber funding
Congress has funded new cyber programs through both the Infrastructure Investment and Jobs Act (IIJA) and the 2022 omnibus appropriations act. Notably, cyber funding in the IIJA totals over $2 billion, split between the transportation, homeland security, and energy sectors. The IIJA authorizes $1.15 billion in cybersecurity funding eligible for transportation-related purposes, though much of it must still be appropriated in annual spending bills.
- State and Local Cybersecurity Grant Program – $1 billion administered by CISA. Eligibility includes implementing cybersecurity plans and addressing cybersecurity threats. (New program, section 70612 of IIJA.)
- Cyber Response and Recovery Fund – $100 million ($20 million per year until 2028) administered by CISA. A provision of the Cyber Response and Recovery Act (Section 70601 of IIJA). Establishes a Cyber Response and Recovery Fund for CISA to use when there’s a significant cyber incident. Funding determined by DHS Secretary’s definition of a significant incident.
- Sector Risk Management Agencies – $35 million administered by CISA. Will allow CISA to coordinate with Sector Risk Management Agencies throughout the federal government to bolster cross-sector expertise. Three eligible uses: executing cross-sector governance, executing risk management across the 16 critical infrastructure sectors, and maintaining the process for collecting information about critical infrastructure from the Sector Risk Management Agencies.
- Cybersecurity research – $14.5 million administered by DHS’ Bureau of Science and Technology. Academic or federally funded research centers are eligible for research and development on technology to strengthen cybersecurity.
In addition to new funding programs, the IIJA also changed the eligibility of existing grant programs, like the National Highway Performance Program and the Surface Transportation Block Grant Program. (And those are fully funded.) For the National Highway Performance Program (NHPP), Title 1 §119(d)(2), eligible projects now include “activities to protect segments of the National Highway System from cybersecurity threats.” In addition, the Surface Transportation Block Grant Program (STBGP), Title 23 §133(b)(19), can now fund “Measures to protect a transportation facility otherwise eligible for assistance under this section from cybersecurity threats.” There are no limits on the maximum dollar amount or percentage of the programs that can be spent on cyber.
The 2022 omnibus appropriations bill, used to appropriate money to agencies and programs across the government, funded new cyber initiatives at U.S. DOT (including new funding for the FAA).
- $39.4 million for departmental cybersecurity initiatives
  - This is allocated to OST and can include upgrades to equipment, identity management and authentication, protecting data, and enhancing security on agency devices. This is for DOT directly, and not for grants to states.
- $38 million for departmental cybersecurity initiatives
- $4.8 million for information/cybersecurity initiatives within research and development for the airport and airway trust fund
- $10 million for UAS research at the UAS Center of Excellence, including areas of cybersecurity
- $1.99 billion (FY21 allocated $1.66 billion to CISA, so FY22 represents a 20 percent funding increase).
The President’s FY23 budget, indicative of administration priorities, also emphasizes cybersecurity. The budget lists advancing cybersecurity as a major strategy out of its list of tools to combat threats. The budget recognizes the need to bolster cybersecurity for critical infrastructure, proposing a $2.5 billion allocation to CISA, a $486 million increase from the enacted 2022 level.
New federal transportation cyber regulation
President Biden’s first direct action on cybersecurity came in May 2021, when he signed Executive Order 14028, “Improving the Nation’s Cybersecurity.” This requires service providers to share information on cyber incidents that could affect government networks, changes government networks to cloud services with zero-trust architecture and multi-factor authentication, sets higher cybersecurity standards for third-party software used by the government, and improves cyber incident detection within the government network.
Aside from funding, the 2022 omnibus bill created a new cyber reporting mandate by including the Cyber Incident Reporting for Critical Infrastructure Act. This new law will require any “covered entity” to report a cyber incident to CISA within 72 hours of reasonable belief of a cyber attack or within 24 hours of making a ransom payment. The CISA Director, in coordination with the Sector Risk Management Agencies, will publish a proposed rulemaking no later than 24 months after the omnibus was passed. There is much interest in the cyber community about what will count as a “covered entity,” and the rulemaking and public comment process will help define the term and other specifics of the requirement by March 2024. In addition, a new proposed rule by the U.S. Securities and Exchange Commission would require all publicly traded companies (affecting many transportation entities in the logistics, railroad, and aviation sectors) to enhance protections and standardize disclosures for cybersecurity.
This mandate is significant because there are currently few cyber reporting requirements for critical infrastructure, including transportation. Most reporting of incidents has been voluntary: Colonial Pipeline was not required to announce its attack but did so because of the vast scale of the incident and its effects on gas shortages. It was only after the attack that TSA announced cyber incident reporting requirements for pipelines. Entities rarely voluntarily report cyber incident information as it is perceived as putting them at a competitive disadvantage by appearing unprepared. However, best practices show that transparent and rapid reporting helps the entire sector recognize the threat and strengthen its defenses.
The 2022 omnibus also reaffirms the Section 889 ban that prohibits government agencies from purchasing certain telecommunication or surveillance equipment manufactured by Huawei, ZTE Corporation, Hytera Communications, and other companies owned by the People’s Republic of China. It also directs the Non-Traditional and Emerging Transportation Technology (NETT) Council within DOT to research the safety, cybersecurity, and regulatory needs of emerging transportation technologies, using unspent NETT funding from the previous year.
Next steps in transportation cybersecurity
The recent policy changes and new funding at the federal level reveal important things about the future of cybersecurity in transportation. The first is that cybersecurity has emerged from an obscure topic to one that is front and center for the transportation industry. Policymakers have prioritized, funded, and are increasingly regulating how states, localities, and private companies are protecting and preparing their systems for current and future attacks.
While these cyber initiatives were passed on the federal level, the onus is now on the state, local, and private sectors to make cybersecurity a priority and comply with new cyber regulations. The transportation sector cannot continue to outsource cyber protections to IT departments. Instead, cybersecurity must become part of the broader safety mission of the organization. This might be a steep learning curve, particularly for entities such as small transit agencies that have not made cybersecurity an institutional priority.
New federal funding streams and regulations will help organizations create an effective cyber roadmap. Luckily, the transportation industry can build on a long history of prioritizing the safety of their operations. The FAA operates the largest and safest airspace on the planet. Transit agencies move millions of people daily with few incidents. Commercial trucking has stringent requirements for its drivers. Infusing cybersecurity measures into the existing safety framework will achieve the goals of the new federal priorities and ensure that the transportation system is as safe as it can be.