(Trends Wide) — The Transportation Security Administration (TSA) will impose new cybersecurity mandates on the rail and air sectors, including information requirements as part of a department effort to enforce compliance following high-profile cyberattacks in critical industries, the Secretary of Homeland Security of the United States, Alejandro Mayorkas, announced on Wednesday.
The Department of Homeland Security (DHS) will require a greater number of companies in critical transport sectors to comply with basic cybersecurity regulations, thus reducing the voluntary reporting of cybersecurity incidents.
As part of an upcoming “security directive,” DHS will require higher-risk rail and transit entities to report cyber incidents to the federal government, identify their cybersecurity officers, and develop a contingency and recovery plan in case they are victims of cyber attacks.
The directive will be published by the end of the year, Mayorkas said at the annual Billington cybersecurity summit, where he intervened virtually.
“Reducing cybersecurity risk is to the benefit of all organizations, especially considering the indiscriminate nature of ransomware,” Mayorkas said.
The Biden administration launched several new initiatives on Wednesday as officials deployed at public events in the framework of Cybersecurity Awareness Month to promote new efforts and urge companies to better protect themselves and the American public, including an effort by the Department of Justice to impose fines on companies that do not meet certain standards.
Members of the rail industry immediately objected to the announcement, arguing that the security directive would require railroads to take actions they have long since established.
The rail industry had only three business days to review and provide input on the draft security directive, according to a spokesperson for the Association of American Railroads (AAR), an industry group for the rail freight industry, who added that railways have “consistently reported to federal law enforcement agencies on intelligence and cybersecurity incidents over several years.”
“The AAR hopes that the substantive comments provided will be fully considered in deciding whether to proceed with the directive and to ensure that any action taken enhances, and does not hamper, coordinated cybersecurity efforts,” the spokesperson added in a statement.
Earlier this year, the TSA issued two security directives targeting critical oil and gas pipeline companies in the months following a ransomware attack that caused the shutdown of one of the most important pipelines in the United States and generated gasoline shortages and long lines at gas stations.
In the airline industry, the TSA will require critical U.S. airport operators, passenger aircraft operators, and cargo aircraft operators to designate cybersecurity coordinators and report cyber incidents to the Cybersecurity and Infrastructure Security Agency before the end of the month.
The agency will gradually expand covered entities and consider additional measures over time, Mayorkas said.
“Together, these elements – a dedicated manager, cyber incident notification and contingency plans – represent the bare minimum of current cybersecurity best practices,” Mayorkas added.
In addition to immediate measures, the TSA is working on a longer-term rule-making process to “strengthen cybersecurity and resilience in the transportation sector,” he said, which will include input from the sector.
Padraic O’Reilly, co-founder of CyberSaint Security, told Trends Wide that for some industries “voluntary standards are not enough,” noting that companies dedicate more resources to basic security and protection of their systems when required to by the federal government.
“Now we are in the middle of a maelstrom,” he said of the cybersecurity threats facing critical industries and the need to protect them.
Also on Wednesday, Deputy Attorney General Lisa Monaco announced that, for the first time, the Justice Department plans to impose substantial fines on government contractors or companies that receive federal funds when they fail to follow cybersecurity regulations, such as the requirement to report ransomware attacks.
Under this new initiative, the Department of Justice will pursue contractors who knowingly provide substandard cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly fail to comply with their obligations to monitor and report cybersecurity incidents and breaches.
“When those who are entrusted with government money, who are entrusted to work in sensitive government systems, do not follow the required cybersecurity standards, we are going to pursue that behavior and impose very, very hefty fines,” Monaco said.
– Trends Wide’s Jessica Schneider contributed to this report.