Examining Cybersecurity in the Transportation Sector: Insights from the U.S. House Homeland Security Subcommittee Hearing
On a pivotal Tuesday, the U.S. House Homeland Security Subcommittee on Transportation and Maritime Security convened to scrutinize the Transportation Security Administration’s (TSA) management of cybersecurity risks within the transportation sector. This hearing, titled "Impacts of Emergency Authority Cybersecurity Regulations on the Transportation Sector," comes in the wake of the TSA’s recent Notice of Proposed Rulemaking (NPRM) aimed at enhancing cybersecurity practices across rail, pipeline, and bus transportation systems.
The Context of the Hearing
The subcommittee hearing featured two panels of witnesses. The first panel included key TSA officials: Steve Lorincz, deputy executive assistant administrator for security operations; Chad Gorman, deputy executive assistant administrator for operations support; and Tina Won Sherman, director for Homeland Security and Justice at the Government Accountability Office. The second panel brought in industry perspectives from Ian Jefferies, president and CEO of the Association of American Railroads, and Kimberly Denbow, vice president of security and operations at the American Gas Association.
Chairman Carlos Gimenez, a Florida Republican, opened the hearing with a critical assessment of the TSA’s current approach to cybersecurity. He expressed concerns that the TSA’s numerous Security Directives, while well-intentioned, often appear reactive and hastily implemented, lacking adequate consultation with industry stakeholders. This disconnect raises questions about the effectiveness of these directives in addressing the unique cybersecurity needs of various operators.
The Challenges of Regulatory Compliance
Gimenez emphasized that the TSA’s directives can be overly prescriptive, which may hinder operators’ ability to tailor cybersecurity practices to their specific operational contexts. He warned that regulations lacking clarity and flexibility could lead to a "checkbox mentality," where compliance is prioritized over genuine risk reduction. This concern is particularly relevant given the recent NPRM, which spans over 300 pages and could overwhelm smaller operators with limited resources.
The chairman urged the TSA to empower operators to develop and implement customized cybersecurity strategies that effectively address their unique risks. He highlighted the evolving nature of cyber threats, which can exploit vulnerabilities in both Operational Technology (OT) and Information Technology (IT) systems. The testimony from Gorman and Lorincz underscored the urgency of this issue, noting that nation-state actors have demonstrated their capability to conduct malicious cyber activities targeting critical infrastructure, including transportation systems.
The TSA’s Response to Cyber Threats
In response to the growing cyber threats, the TSA has utilized its emergency authorities to mitigate risks in a rapidly evolving cyber environment. The current cybersecurity Security Directives require higher-risk pipelines, freight railroads, and passenger rail operators to take several critical actions, including developing and submitting a Cybersecurity Implementation Plan (CIP) and maintaining an up-to-date Cybersecurity Incident Response Plan (CIRP).
Gorman and Lorincz highlighted the TSA’s efforts to engage with stakeholders to enhance understanding of the threat landscape and gather industry feedback. Since August 2023, the TSA has conducted numerous meetings with pipeline owners and operators to discuss cybersecurity measures and gather insights. Additionally, the TSA has established regular communication channels with various transportation sectors to share information and address challenges.
The Proposed Rulemaking and Industry Concerns
The recent NPRM aims to codify the provisions of the Security Directives into a comprehensive Cybersecurity Risk Management Program for certain surface modes of transportation. While the proposed rules are generally seen as a positive step toward establishing a sustainable cybersecurity framework, industry representatives raised concerns about specific provisions.
Denbow from the American Gas Association pointed out that certain aspects of the NPRM, particularly regarding corporate cybersecurity governance and supply chain integrity, are overly prescriptive and could pose challenges for compliance. Similarly, Jefferies from the Association of American Railroads noted that the NPRM’s requirement for railroads to report incidents within 24 hours contradicts the 72-hour reporting timeframe established by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This inconsistency could lead to confusion and hinder effective incident response.
The Path Forward
Despite the challenges, industry leaders expressed cautious optimism about the TSA’s shift toward a more formal rulemaking process. Jefferies acknowledged that moving away from Security Directives to a structured regulatory approach would enhance the effectiveness of cybersecurity regulations. However, both he and Denbow emphasized the need for ongoing dialogue between the TSA and industry stakeholders to ensure that regulations are practical, achievable, and aligned with the realities of the transportation sector.
As the transportation sector grapples with the complexities of cybersecurity, the insights from this hearing underscore the importance of collaboration between government agencies and industry experts. By fostering an environment of open communication and flexibility, the TSA can better equip operators to navigate the evolving landscape of cyber threats while ensuring the safety and security of critical transportation infrastructure.