Speakers like Government Accountability Office (GAO) Director of Information Technology and Cybersecurity Nick Marinos emphasized that agencies must be vigilant because just one attack slipping through could be enough to down systems.
Witnesses also highlighted several initiatives that are underway, with the Transportation Security Administration (TSA) releasing cyber incident reporting requirements for rail operators that same day, and DOT promising deeper focus on cyber.
SECURING THE DOT
The Department of Transportation fails to consistently follow its own cybersecurity policies or sufficiently fix weaknesses, testified Kevin Dorsey, assistant inspector general for Information Technology Audits in the DOT’s Office of Inspector General (OIG).
After auditing the agency, OIG asked for changes. But the department has yet to enact 66 of these recommendations — including the request that it fix more than 10,000 vulnerabilities.
DOT CIO Cordell Schachter, however, said his office is now prioritizing improvements with several cybersecurity sprints and is focusing on system access control, website security and governance, security and departmentwide coordination.
HARDENING AIR TRAFFIC SYSTEMS
Air travel has been rebounding from the pandemic — although the emergence of the omicron variant may impact that trend — and the TSA said Nov. 19 brought the greatest number of air passengers traveling in a single day since the global crisis began, according to Reuters.
But the Federal Aviation Administration (FAA) — which oversees the air traffic control system as well as aircraft and aircraft system design — faces struggles. Dorsey said it needs to adopt tighter security controls for 45 “high-impact” systems essential to safe air traffic management.
The FAA’s National Airspace System (NAS) relies on legacy, custom technology that does not connect to the Internet. This prevents staff from using remote methods to quickly patch or update the software, but also means potential hackers have a harder time accessing the system as well, and strict access controls further help maintain security, said FAA CISO Larry Grossman.
The FAA is making progress on six recommendations the GAO presented to it last year, and will have completed five of them by March 2022, Grossman said. He disagrees with the final GAO recommendation, which calls for periodic, independent security testing of its current aircraft fleet. He believes tests could potentially “leave residual damage” to systems, compromising safety. But he said that the FAA evaluates cyber risks of connected aircraft designs when they are updated or first certified.
Building up the FAA’s cybersecurity workforce is another concern, Grossman said, explaining that with the National Academy of Sciences' released findings in June 2021 that demonstrated the agency’s need to improve.
TSA RAIL DIRECTIVES
Rail travel has not been immune to cyber attack. In October 2020, the private contractor that handles Massachusetts’ commuter rail operations had to shut down its Boston area network after detecting a hack, for example.
Rep. Donald Payne Jr. also raised concern about other lines of attack, asking about the security of positive train control systems, which are designed to prevent certain accidents such as collisions, driving into work zones and derailments.
The TSA last week released new directives for the sector that aim to ensure the incident reporting needed to let agencies respond and support the sector.
These obligate most operators of passenger or freight rails to self-assess their cyber vulnerabilities, create a cyber attack response and recovery plan and report any serious incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. Operators also would have to designate a cybersecurity coordinator to handle the reporting, said Victoria Newhouse, TSA deputy assistant administrator for policy, plans and engagement.
Airport operators can expect similar requirements, per the Associated Press.
Newhouse told legislators that the TSA consulted with rail-sector executives and gave them classified and unclassified threat briefings. TSA used industry feedback to fine-tune its definition of reporting-worthy incidents to focus on ones likely to impact operations. She said the TSA had to balance a longer feedback period against the need to act urgently against continuous cyber threats.
Rear Adm. John Mauger, assistant commandant for prevention policy for the U.S. Coast Guard, speaking separately during the hearing, said that reporting is an essential piece of improving the nation’s cybersecurity.
“We have to change the paradigm from, ‘What is the minimum I need to disclose?’ to, ‘How can I help protect others?’," Mauger said. “… Reporting really helps make us all stronger.”
ROADWAYS AND MODERN VEHICLES
The Federal Transit Administration (FTA) provides financial and technical support to local public transit systems, but an October 2021 OIG report found weaknesses in the FTA’s financial management systems that could impede its abilities to distribute emergency COVID-19 funds. Rep. Hank Johnson questioned why some long-standing cyber issues have not been resolved.
“In Atlanta, the Metropolitan Atlanta Rapid Transit Authority has been anticipating $284 million in emergency funding which is critical to the mobility of our residents, especially communities of color and essential workers who disproportionately depend on transit to get to work and school. My constituents can't afford a delay in funding because of a cybersecurity incident,” Johnson said.
Dorsey said the FTA is expected to provide information by 2023 about vulnerabilities stemming from outdated databases, which were identified roughly six years ago.
Attention also turned to cars, with Schachter and Marinos explaining that increasing use of chips and electronic control systems in all modern cars — both fossil fuel-powered and electric-powered — introduce more cybersecurity needs. DOT should ensure it has the workforce in place to oversee technologies like autonomous controls systems as such tools become more prevalent, Marinos said.
THE BIG PICTURE
Striking a stronger path requires sector regulators to establish clear plans for overseeing cybersecurity in their industries and the federal government to release and implement a comprehensive cybersecurity strategy, Marinos said. This would allow for various organizations to coordinate efficiently should an attack slip through. The Department of Homeland Security (DHS) also needs to converse with different sectors to ensure its guidance is genuinely helpful.
Speakers like Newhouse pointed to CISA as a key player in their plans for disseminating cyber warnings. But Marinos said CISA hasn’t yet hit all of its 2020 goals, including ones important to incident response, workforce planning and identifying essential functions. Attention needs to be paid to ensure the agency reaches those objectives soon, and CISA needs to ensure local and private entities are aware of the supports it can offer them, he said.
