The Transportation Security Administration will soon issue new regulations designed to make transit agencies and airlines better prepared for cyberattacks.
Homeland Security Secretary Alejandro Mayorkas says that, under the new directive, railroads and rail-related entities deemed “higher-risk” will be required to appoint a point person in charge of cybersecurity, report cyberincidents to DHS’ Cybersecurity and Infrastructure Security Agency and create a contingency plan for what to do if a cyberattack were to happen.
Lower-risk railroads and related entities will be encouraged but not required to take the same steps, he said. Mayorkas made the comments during a speech given virtually Wednesday at the Billington Cybersecurity Summit.
Additional regulations will boost cybersecurity in the aviation industry, Mayorkas said. “Critical” US airport and passenger aircraft operators, along with all cargo aircraft operators, will also be required to put in place a cybersecurity coordinator and report cyberattacks to CISA.
“We need to be equipped today, not tomorrow,” Mayorkas said. “I can’t overemphasize the urgency of the mission.”
Transit systems, big and small, have been recent targets for cybercriminals. This past spring, a hacking group with possible ties to the Chinese government compromised the computer systems of the Metropolitan Transportation Authority in New York.
Transit officials said at the time that the hackers didn’t gain access to systems that control train cars and that rider safety was not at risk. But they later raised concerns that hackers could have entered those systems or that they could continue to exploit the agency’s computer systems through a back door.
And in June, a ransomware attack shut down the main booking system of the Steamship Authority of Massachusetts, which runs ferries from Cape Cod to Martha’s Vineyard and Nantucket. Ships ran safely, but passengers weren’t able to book or change their reservations online for more than a week, and credit card use was severely limited.