TSA will require high-risk aviation and rail transit agencies to promptly report cyberattacks

Update: February 15, 2023

U.S. Homeland Security Secretary Alejandro Mayorkas said an upcoming directive from the Transportation Security Administration (TSA) would require high-risk aviation and rail transit agencies to appoint cybersecurity coordinators, establish contingency and recovery plans, and report cyberattack incidents to the government.

Mayorkas said the Department of Homeland Security (DHS) in September launched the fourth item in a series of 60-day cybersecurity sprints, this one aimed at strengthening the transportation sector's resilience given the spate of ransomware attacks.

The directive will follow the similar directives issued to pipeline operators after the Colonial Pipeline ransomware attack, which required robust vulnerability testing, the appointment of a cyber coordinator, and reporting within 12 hours of a cyberattack being discovered.

In rail cybersecurity, for example, TSA will play a more prominent and active role. "Higher-risk" freight and rail companies will be required to designate a cybersecurity point of contact for the government and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

On the aviation side, TSA is planning new requirements for key industry players, including airport operators, passenger airlines and cargo aircraft operators, to designate a cybersecurity contact and report cybersecurity incidents to CISA.

“I think fundamentally if we can drive the level of cybersecurity hygiene in the U.S. in all areas, in all respects — not just complex business, including small businesses, not only SMEs — this is Project 1,” Mayorkas said at the Billington Cybersecurity Summit on October 6, local time.

He added that separate guidance recommending the same measures would be issued for lower-risk aviation and rail entities, along with an information circular advising self-assessment. TSA is already updating its aviation security programs.

DHS isn’t ignoring ocean shipping either. The Coast Guard released its first cyber strategy outlook since 2015 this summer (see: the U.S. Coast Guard publishes a new cyberspace strategy), and cyber experts are being deployed at major U.S. ports to improve preparedness. Some 2,300 maritime entities are required to submit cyber plans to the Coast Guard, which also works with the International Maritime Organization to ensure that cargo and passenger ships conduct cyber risk assessments and develop mitigation plans.

Mayorkas expressed optimism about legislation that would further pressure critical infrastructure operators to report cyber intrusions quickly, although he was concerned about setting a fixed reporting timeline.

“Frankly, I’m a little concerned about the time frame for the legislation, given how quickly the situation is changing and whether the legislation can match that dynamic as it unfolds,” Mayorkas said in his speech. “In general, these elements — specifically point of contact, cyber incident reporting, and contingency plans — represent the minimum requirements for today’s cybersecurity best practices.”

DHS’ first cyber sprint launched the StopRansomware.gov website in March, while the second sprint was the largest cyber recruiting operation in DHS history and paved the way for the Nov. 15 launch of the DHS Cybersecurity Service. The third sprint focused on industrial control systems.

Regarding cybersecurity incident reporting, the Senate Homeland Security and Governmental Affairs Committee advanced two pieces of cybersecurity legislation on Oct. 6.

The Cyber Incident Reporting Act of 2021 sets a 72-hour reporting requirement for intrusions and other incidents involving companies, including critical infrastructure companies. In addition, the bill requires companies to report any ransomware payments to hackers within 24 hours. The act also creates a new office at CISA to receive reports from covered companies. The bill did pass, but met some opposition from committee Republicans for being too broad — it currently covers small businesses with 50 or more employees. The act was amended so that disclosures mandated by the act cannot be used as findings in cybersecurity breach lawsuits.

Earlier this year, a bipartisan group of lawmakers on the Senate Select Committee on Intelligence introduced a bill of their own that would require critical infrastructure operators and federal contractors to report cybersecurity incidents within 24 hours.

The Federal Information Security Modernization Act of 2021, which requires federal civilian agencies to report cyber intrusions to CISA and the Office of Management and Budget, includes new authorities that make CISA the lead agency responsible for cybersecurity incidents affecting federal civilian agencies.

Sen. Gary Peters, D-Mich., the committee's chairman, announced his intention to attach the two pieces of legislation to the National Defense Authorization Act, which lawmakers hope to pass by the end of the year.