Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

U.S. to tell key rail, aviation companies to report hacks

Reprints
MTA

(Reuters) — The Transportation Security Administration will introduce regulations that compel the most important U.S. railroad and aviation operators to improve their cybersecurity procedures, Homeland Security Secretary Alejandro Mayorkas said Wednesday.

The upcoming changes will make it mandatory for "higher-risk" rail transit companies and "critical" U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose hacks to the government and draft recovery plans for if an attack were to occur.

The planned regulations come after cybercriminals attacked a major U.S. pipeline operator, causing localized gas shortages along the U.S. East Coast in May. The incident led to new cybersecurity rules for pipeline owners in July.

“Whether by air, land or sea, our transportation systems are of utmost strategic importance to our national and economic security,” Mr. Mayorkas said. “The last year and a half has powerfully demonstrated what’s at stake.”

A key concern motivating the new policies comes from a growth in ransomware attacks against critical infrastructure companies.

“It’s the first of its kind with respect to the cyber focus,” said a senior homeland security official, who declined to be named, about the railway security directive and an update to aviation security programs.

Rafail Portnoy, Chief Technology Officer with the New York City Metropolitan Transportation Authority said the MTA is "constantly vigilant against this global threat and will ensure compliance with any TSA regulations."

The industry group Airlines for America said the issue is important and noted it already works closely with the TSA and other agencies on cybersecurity and noted it wants to “reduce any potential duplicative reporting.”

Ransomware, a type of malware variant that encrypts a victimized system until the owner pays a ransom in the form of cryptocurrency to the hacker, has become increasingly common in recent years.

“If transportation does not work, if people can’t go from A to B, then it can create pressure pretty quickly (to pay the ransom),” the senior official said.

Last month, the TSA notified the private sector about the impending regulations, the senior official said, and the agency is currently receiving feedback.

The regulations will become active before the end of 2021.