DHS Redefines ‘Cybersecurity Incident’ in Directives for Surface Transportation


The new definition allows industry more flexibility to decide what should trigger reporting mandates for the sector.

The Transportation Security Administration has changed the criteria pipeline operators must use when complying with directives to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency that will also soon apply to rail and aviation operators. 

The move is happening as lawmakers try to agree on the shape of incident reporting legislation that would apply to the broader private sector, which controls the vast majority of the nation’s critical infrastructure. The devil will be in the details of key definitions as those negotiations continue with an eye toward passage in the annual National Defense Authorization Act.

In May, following a ransomware attack on Colonial Pipeline, TSA issued a security directive requiring high-risk pipeline operators to report any cybersecurity incident to CISA within 12 hours. Under the directive, such incidents should include an event that, “may affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.”

Industry pushed back, and Republican lawmakers questioned whether TSA was sufficiently engaging with industry concerns that the directive would be overly burdensome.

Testifying before the House Transportation Committee on Thursday, Victoria Newhouse, deputy assistant administrator for policy, plans and engagement, cited a new definition of “cybersecurity incident” to illustrate TSA’s willingness to engage with industry.

“We've taken that feedback and updated definitions of a reportable cybersecurity incident,” she said. “So we've taken that seriously.”

Newhouse said that sort of industry engagement is occurring across TSA’s cybersecurity efforts, including with two new directives the Department of Homeland Security announced Thursday for freight and transit rail operators.

Like the May directive for pipelines, the new directives will require operators to designate a cybersecurity coordinator that CISA and TSA could reach around the clock, develop an incident response plan and conduct a vulnerability assessment resulting in a plan to fill any gaps identified.

The new directives for rail operators similarly mandate that cybersecurity incidents be reported to CISA, but narrow the definition of such incidents, noting they should include events that are “under investigation as a possible cybersecurity incident.”

Briefing reporters on the new directives Thursday, senior DHS officials said the new definition is meant to “make sure that we capture those incidents that the government needs to be aware of because of the risk associated with it, and making sure that we learn of those that rise to that level, while making sure that we don't request every incident and get drowned out by the noise.”

Another difference between the May directive for pipelines and the new directives for rail operators is that rail operators are given an additional 12 hours to report their incidents. During the hearing, Newhouse maintained the importance of the faster reporting timeline for pipelines.

“With respect to the security directives to the pipeline industry, we require reporting of the incidents within 12 hours,” she said. “And that is because of the criticality of our nation's pipelines, the fact that they carry the majority of the significant effects that they would have if those were attacked because they carry the majority of the resources needed to run this country.”

The criticality of the pipeline industry also drove TSA to issue a second directive for its operators in July. The July mandate lists specific actions pipeline operators must take to mitigate cybersecurity risks, including basic cyber hygiene practices like regularly patching software and implementing multi-factor authentication and appropriate network segmentation.

DHS did not respond to a request for comment on whether a subsequent directive on proactive cybersecurity measures can similarly be expected for the rail operators.

Asked about TSA’s approach in omitting such measures from the directives announced Thursday, senior DHS officials said the process is ongoing, but that the rail industry is not as mature as the pipeline industry in terms of its familiarity with cybersecurity best practices.

“These directives do not have that [patching] requirement in them,” one senior DHS official said. “What I would add about the why is, for rail surface stakeholders, unlike the pipeline industry, we did not have guidelines in place that provided for all kinds of best practices that aligned in large part with [National Institute of Standards and Technology]-recommended practices, we didn't have those specific guidelines for rail. And so the requirements that we've gone out with at this point we feel are very much baseline requirements that you know, industry should be doing anyway as a matter of best practice and cyber hygiene and again, consistent with these recommended practices ... we will continue to evaluate going forward, necessary and appropriate next steps.”

DHS officials said the new directives will apply to approximately 80% of freight rail and 90% of passenger rail operators, noting that exemptions for smaller entities were based on relevant risk factors such as their revenue and how many people they transport. The officials still recommend that smaller entities follow the directives.

Separately, TSA is also using other regulatory authorities to update security requirements for high-risk operators in the aviation industry to match those for rail and pipeline operators. Requirements around appointing a cybersecurity coordinator and reporting cybersecurity incidents are already in place, with those around vulnerability assessments and cyber response plans coming shortly, the senior DHS officials said regarding the aviation industry updates.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro Mayorkas said in a press release. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”