Rail operators to face new cybersecurity requirements

By Trains Staff | October 7, 2021 | Last updated on April 6, 2024

TSA directive will require designation of security chief, disclosure of hacks

WASHINGTON — Major railroads and rail transit operators, along with airports and airlines, will be required to improve cybersecurity under a new directive from the Transportation Security Administration.

Reuters reports that Homeland Security Secretary Alejandro Mayorkas said Wednesday that the companies and agencies will be required to name a chief cyber official, disclose hacks to the government, and draft recovery plans for a potential cyberattack.

The move follows a breach of the computer systems of New York’s Metropolitan Transportation Authority in June [see “Digest: Amtrak Capitol Corridor service to increase …,” Trains News Wire, June 3, 2021] as well as a 2020 ransomware attack on the Southeastern Pennsylvania Transportation Authority. It also comes after an attack on an oil pipeline earlier this year that triggered gas shortages in the eastern U.S., leading to new rules for pipeline owners.

The directive will be effective later this year.

A spokeswoman for the Association of American Railroads told Bloomberg that the rail industry had been given just three days to review and comment on the draft version of the directive, and that it would require railroads to take actions “that have long been in place.”

“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” spokeswoman Jessica Kahanek said in a statement.

3 thoughts on “Rail operators to face new cybersecurity requirements”

  1. Does that statement by the AAR spokeswoman make any sense? If the railroads have been taking the actions proposed in the requirements for years already then there should be no need to “thoroughly consider” comments made by rail carriers.

  2. If a company is paying the paycheck of their Chief Cyber Official, then how much authority does s/he really have effecting the cost of hardening of the company’s cyber resources?

    The answer is to treat cyber with the same regulatory scrutiny as the financial sector. It won’t be fun, easy, or cheap.

    1. This same question is asked about the quality programs and quality managers in most manufacturing. How do you avoid having costs over quality or Cyber-security? You must have those positions reporting to the topmost levels of management and not lower levels AND have a top level management committed to those functions as part of how the organization operates.