The TSA launches cybersecurity requirements for rail and aviation

The TSA launches cybersecurity requirements for rail and aviation

TSA will issue a new security directive later this year for higher-risk railroad and rail transit entities requiring them to report cyber incidents to the Cybersecurity and Infrastructure Security Agency. It will also require the entities to each identify a cybersecurity coordinator and issue contingency recovery plans in case they are hit by a cyberattack, Mayorkas said at the virtual Billington Cybersecurity Summit.

The Transportation Security Administration will require major rail and aviation entities to meet cybersecurity requirements, Homeland Security Secretary Alejandro Mayorkas said Wednesday.


  • Homeland Security Secretary Alejandro Mayorkas says that, under the new directive, railroads and rail-related entities deemed “higher-risk” will be required to appoint a point person in charge of cybersecurity, report cyberincidents to DHS’ Cybersecurity and Infrastructure Security Agency and create a contingency plan for what to do if a cyberattack were to happen.

  • The directives come after an uptick in cyber and ransomware attacks on the public and private sectors in the U.S. in the last year.

Additional regulations will boost cybersecurity in the aviation industry, Mayorkas said. “Critical” US airport and passenger aircraft operators, along with all cargo aircraft operators, will also be required to put in place a cybersecurity coordinator and report cyberattacks to CISA.

Lower-risk railroads and related entities will be encouraged but not required to take the same steps, he said. Mayorkas made the comments during a speech given virtually Wednesday at the Billington Cybersecurity Summit.

“We need to be equipped today, not tomorrow,” Mayorkas said. “I can’t overemphasize the urgency of the mission.”

Transit systems, big and small, have been recent targets for cybercriminals. This past spring, a hacking group with possible ties to the Chinese government compromised the computer systems of the Metropolitan Transportation Authority in New York.

Transit officials said at the time that the hackers didn’t gain access to systems that control train cars and that rider safety was not at risk. But they later raised concerns that hackers could have entered those systems or that they could continue to exploit the agency’s computer systems through a back door. And in June, a ransomware attack shut down the main booking system of the Steamship Authority of Massachusetts, which runs ferries from Cape Cod to Martha’s Vineyard and Nantucket. Ships ran safely, but passengers weren’t able to book or change their reservations online for more than a week, and credit card use was severely limited.