DOT and TSA Prioritize Cross-Sector Cybersecurity for Transportation Systems
From safeguarding aircraft systems to ensuring the reliability of railway signals, the operational technology (OT) that underpins transportation networks across the country is vital. This technology, however, also faces significant vulnerabilities. At a recent event hosted by Scoop News Group and General Dynamics Information Technology, federal cyber officials, including Katherine Rawls, director of sector cyber engagement at the Department of Transportation (DOT), addressed these challenges.
“We’re talking about preserving the safety and reliability of OT systems that millions rely on daily,” Rawls said. “So we’re focused on, how do we integrate cybersecurity into all hazards safety management systems? How do we bridge gaps … between the cybersecurity and safety community?”
Rawls and other officials emphasized the need for a cross-sector approach to OT safety and how various innovations can strengthen critical infrastructure security measures.
At the DOT, Rawls is part of a new office developing a “one DOT approach.” This approach assesses cyber risks both within the agency and with its external partners. A critical element of this strategy involves coordination with the Department of Homeland Security (DHS), which, along with the DOT, serves as a Co-Sector Risk Management Agency for the Transportation Systems Sector. Together, the DOT and DHS are actively identifying risks across the transportation sector. They are collaboratively developing resources to support businesses of all sizes. These resources will support the systems that society relies on every day, Rawls explained.
The DOT is prioritizing stronger interagency collaboration. Rawls cited partnerships with the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Coast Guard, and the Transportation Security Administration (TSA). She also pointed to the joint procurement guidance developed by the DOT, the Department of Energy, and its national labs. This guidance, which details the best practices for incorporating cybersecurity into electric vehicle supply equipment procurements, serves as an example of the tangible benefits that arise from inter-sector cooperation within transportation.
Kristin Ruiz, the TSA’s deputy chief information officer, highlighted a cultural element related to partnership efforts. She stressed the importance of educating partners on how their operational technology is a critical element of collaboration.
Cybersecurity standards are particularly crucial for the TSA, especially as it pursues a major open architecture initiative for TSA checkpoints. Ruiz noted that this initiative promises to “drive innovation” and will “reduce defender lock-in.” The TSA’s IT leaders are also working on an OT cybersecurity assessment prototype enabling automated system testing. Ultimately, this will limit OT’s impact after an attack, according to Ruiz.
Much of the TSA’s OT work in recent years has been informed by the 2021 ransomware attack on Colonial Pipeline, which prompted the agency to advocate for increased cybersecurity mandates on pipeline owners. Last month, the TSA built on those initial calls by issuing a notice of proposed rulemaking. This notice outlines a comprehensive set of cyber requirements for pipelines, rail operators and airlines.
“We really documented and defined our cybersecurity requirements for the OT space, and we put those out to our partners in those industries, and we brought them in and worked with them,” Ruiz said. “And we’ve done that in a collaborative way.”
Ruiz and Rawls share a common goal: that collaborative efforts with transportation industry partners will ensure that basic cybersecurity measures are observed and that OT systems benefit from better protection going forward.
“One of our key priorities is to really emphasize the remaining importance of cybersecurity self-assessments, understanding your cybersecurity posture, doing risk assessments, prioritizing mitigating the highest risk,” Rawls said
