(Bloomberg) -- Major passenger and freight railroads will soon be required to report cybersecurity breaches quickly and review how susceptible they are to cyberattack, senior officials at the U.S. Department of Homeland Security said Thursday.
The requirements, which take effect Dec. 31, come as the Biden administration has put increasing pressure on the private sector to protect the nation’s critical infrastructure from hackers. That follows a series of devastating hacks that infiltrated federal agencies and major businesses, including the May ransomware attack on Colonial Pipeline Co. that temporarily curtailed fuel supplies along the East Coast.
The new directives from the Transportation Security Administration require that most railroads designate a cybersecurity coordinator, report hacking incidents within 24 hours, conduct a vulnerability assessment and develop an incident-response plan for breaches. Senior officials said Thursday that Congress gave the government the authority to issue new directives that bypass the typical notice-and-comment period for federal regulations, although officials said they consulted with industry.
TSA recently updated its aviation security programs to require that airport and airline operators identify a cybersecurity coordinator and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, known as CISA. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Homeland Security Secretary Alejandro Mayorkas, in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
The Department of Transportation, which regulates aviation and rail, has already imposed various anti-hacking protections on such things as aircraft computer designs, but hasn’t created the kind of rules announced by DHS.
The DHS requirements are designed to add a new layer of protection on the transportation sector.
When the directive was announced, rail stakeholders said they hadn’t had enough time to provide feedback on the draft directive.
“Unfortunately, we’ve heard concerns about the development of these directives from stakeholders, including from the freight rail industry,” said Representative Rick Crawford, an Arkansas Republican, at a House Transportation and Infrastructure Committee hearing on transportation cybersecurity Thursday.
Victoria Newhouse, deputy assistant administrator for policy, plans and engagement at TSA, said she and other top leadership at TSA met with freight rail and passenger rail executives to hold a classified briefing “to show them what we’re seeing, elicit input and ask them for more input for either future requirements, or other guidelines that we could issue together.”
“We’ve been having some successful engagements,” Newhouse said.
In November, CISA began requiring federal agencies to fix cybersecurity flaws within specific time frames. That order applied to all software and hardware on federal information systems, including those managed by a government agency or hosted by third parties.
©2021 Bloomberg L.P.