TSA to issue new cyber regulations for rail, aviation sectors

The Transportation Safety Administration will issue cybersecurity regulations later this year for “higher-risk’’ railroad and rail transit systems and the aviation sector, Homeland Security Secretary Alejandro Mayorkas announced on Wednesday.

The forthcoming rules from the Homeland Security Department component mark the Biden administration's latest steps to boost the cyber defenses of critical infrastructure operators against hacks after the high-profile ransomware attack on the Colonial Pipeline. 

TSA issued two security directives to secure pipelines against breaches following the incident, which sparked temporary fuel shortages along the eastern seaboard. President Joe Biden also signed a far-reaching executive order designed to improve federal cybersecurity and congressional lawmakers are pushing new incident reporting legislation.

“Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware,” DHS Secretary Alejandro Mayorkas said during a virtual appearance at the Billington CyberSecurity Summit. Reuters first reported the new regulations.

The directive will require railroad operators and rail transit companies to “identify a cybersecurity point person” charged with reporting incidents to the Cybersecurity and Infrastructure Security Agency. Entities will also have to create “contingency and recovery plans” in the event of cyberattacks.

For "lower-risk surface entities" TSA will "issue separate guidance that encourages, rather than requires, these entities to take the same measures,” according to Mayorkas.

In terms of the aviation sector, TSA will mandate "critical U.S. airport operators, passenger aircraft operators, and all cargo aircraft operators" to designate a cybersecurity coordinator and report cyber incidents to CISA,” he said, adding the aviation regulations would come out around the time DHS wraps a surface transportation cybersecurity sprint it launched last month.

TSA will expand the pool of covered entities "gradually" and "consider additional measures over time,” the DHS chief said.