RICHMOND, Va .– (AP) – The Transportation Security Administration is releasing new guidelines and recommendations aimed at strengthening cybersecurity defenses among U.S. rail and airport operators.
The Biden government said the requirements, released Thursday, were part of a broader effort to protect the country’s critical infrastructure from ongoing cyber espionage and a surge in disruptive ransomware attacks.
“These new cybersecurity requirements and recommendations will help ensure the safety of the traveling public,” Homeland Security Minister Alejandro Mayorkas said in a statement. He had previously given a preview of the new regulations in October.
The new TSA guidelines require most passenger and freight rail operators to identify a person for cybersecurity, report incidents to the cybersecurity and infrastructure security agency within 24 hours, conduct a vulnerability assessment, and an emergency and recovery plan in the event of malicious ones Develop cyber activities. They’ll go into effect at the end of the year, and the TSA said it is making similar changes to the requirements for airport operators.
The TSA said it recommends, but does not mandate, cybersecurity requirements for some smaller and lower risk rail and airport operators.
The new regulations are similar to those enacted for pipeline operators in May following the Colonial Pipeline ransomware attack that disrupted gas supplies in several states.
Republican lawmakers have expressed concern that the TSA has been drafting new cybersecurity guidelines without sufficient transparency and input from the industries involved.
“We believe care must be taken to avoid unnecessarily onerous requests that shift resources from responding to cyberattacks to regulatory compliance,” said a group of Republican senators in an October letter to DHS inspector general in which they asked for a review of the TSA process for the development of new cybersecurity regulations.
Victoria Newhouse, an assistant administrative assistant for the TSA, said at a congressional hearing Thursday that the agency had worked closely with private sector officials in drawing up the regulations. She said this included a secret briefing with freight and passenger executives earlier this week to share intelligence reports on cyber threats to her industry and solicit input on regulations.
The Biden government has aggressively pushed for increased reporting of cyber incidents in the private sector to the federal government. The Justice Department recently announced that it will sue state contractors and other companies that receive US government grants if they fail to report violations of their computer systems or misrepresent their cybersecurity practices.
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed in any way without permission.