[Stay on top of transportation news: Get TTNews in your inbox.]
The leaders of the transportation committee in the U.S. House of Representatives pressed federal agencies to continue their robust response and review of cybersecurity operations months after a cyberattack disrupted a major petroleum pipeline.
At a hearing of the Transportation and Infrastructure Committee, Chairman Peter DeFazio (D-Ore.) said stakeholders need to focus on enhancing cybersecurity operations. He also pointed to efforts designed to enhance federal agencies’ oversight role on matters of cybersecurity across transportation networks, such as rail and transit systems and the aviation industry.
Cybersecurity guidelines on the part of the Transportation Security Administration dominated parts of the hearing. “I understand TSA intends to issue a security directive for passenger rail, high-risk freight rail and the transit sector,” said DeFazio during the hearing Dec. 2.
“For those that care about the public’s safety and the nation’s economic and national security, these efforts — in both the public and private sectors — should not be controversial,” the chairman added. “The public’s safety and the nation’s security depend on these systems. While no single change can prevent every cyberattack, we need to raise the bar significantly and make cyberattacks on our systems much more difficult to accomplish.”
DeFazio also highlighted efforts by the Cybersecurity and Infrastructure Security Agency, which he noted had recently issued a binding directive ordering agencies to address and repair known software, as well as hardware vulnerabilities.
Rep. Sam Graves (R-Mo.), the committee’s ranking member, as well as senior Republicans on the panel, took aim at certain policy guidelines from TSA soon after the cyberattack on the Colonial Pipeline. Said Graves: “Stakeholders have expressed concerns about aspects of these federal programs — for instance, the recent security directives from the TSA.”
Rep. Rick Crawford (R-Ark.), Railroads, Pipelines and Hazardous Materials Subcommittee ranking member, suggested that TSA allow greater input from stakeholders and the public in regard to the development and implementation of pipeline cybersecurity policies.
Victoria Newhouse, deputy assistant administrator for policy, plans and engagement at TSA, responded that she acknowledged the value in gathering additional input from freight transportation stakeholders in a public forum. The input, she explained, would assist in determining future cybersecurity guidelines.
“We’re considering all of our options, including the most transparent option,” said Newhouse, referring to public notices in the Federal Register. “As we have continued robust engagement, both at the classified and unclassified level, with all of our surface transportation stakeholders, in particular our pipeline, rail — freight rail, passenger rail — and aviation stakeholders, we’re considering all of those options.”
Over the summer, TSA issued policy directives that require owners and operators of TSA-designated critical pipelines to implement mitigation measures meant to protect against ransomware attacks. Prior to that, TSA announced such pipeline owners and operators must report confirmed and potential cybersecurity incidents, as well as designate a cybersecurity coordinator.
“Public-private partnerships are critical to the security of every community across our country and [Department of Homeland Security] will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience,” said Homeland Security Secretary Alejandro Mayorkas when the directives were issued.
The U.S. Department of Transportation, meanwhile, has insisted that to prevent cyberattacks similar to the one involving Colonial Pipeline, its agencies are collaborating with each other, as well as private sector stakeholders.
“We’ll continue to improve our existing systems to make them more secure, while they continue to operate, so that they resiliently support DOT’s operations and the American people,” Cordell Schachter, USDOT chief information officer, told the House panel. “We will also meet the challenge of continuously improving the cybersecurity of DOT information technology systems while keeping those systems available for use. We look forward to working with this committee, our agency partners, and the White House to strengthen and protect our infrastructure and systems.”
On the Senate side, Commerce Committee Chairwoman Maria Cantwell (D-Wash.) warned about the threat of future cyberattacks, citing economic disruptions associated with the attack that took place on the Colonial Pipeline in May.
“The federal government should be part of the solution,” Cantwell said over the summer. “We need to bring about critical infrastructure investments in technology that can help the electricity grid and companies secure their networks from these kinds of intrusions.”
After the Colonial Pipeline cyberattack in May, President Joe Biden issued an executive order aimed at bolstering cyber defenses. Of note, the order established a cybersecurity safety review board.
Colonial Pipeline, with operations consisting of 5,500 miles of pipe to transport about 100 million gallons of fuel daily, confirmed it had paid about $4.4 million to restart its systems after the hack.
Want more news? Listen to today's daily briefing below or go here for more info: