As The Hill reports, the recently introduced requirements from the Transportation Security Administration and the Department of Homeland Security impose certain mandates on “higher-risk” freight rail, passenger rail and rail transit groups: they must disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of detection, appoint a cybersecurity coordinator, conduct a vulnerability assessment and develop an incident response plan.
DHS Secretary Alejandro Mayorkas said in a statement, “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats.”
As CBS News reports, a trade group representing the rail and transit sector has criticized the requirements as excessive. Paul Skoutelas, president and CEO of the American Public Transportation Association, wrote in an October letter to lawmakers, “Mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical.”
As ZDNet reports, some security experts echo the rail industry’s view. Jake Williams, CTO at BreachQuest, suggested that regulators would be overwhelmed with a flood of counterproductive malware discovery reports. Ron Brash, vice president at ICS/OT software security firm aDolus Technology, indicated that many companies may lack the security program to comply effectively.
According to The Washington Post, “most experts” said that enabling critical sectors to withstand cyberattacks will require tougher cybersecurity rules, not lighter regulation. Phil Reitinger, a former top DHS cyber official who now leads the Global Cyber Alliance, said, “If DHS doesn’t go beyond this, then some criticism will be justified.” The Post called the latest measure “a baby step.”