WASHINGTON — Numerous cyber attacks have threatened U.S. transportation infrastructure over the last year, disrupting ferries, railways and oil supply chains, and leading lawmakers on the House Homeland Security Committee to consider industry-wide cybersecurity mandates at a joint subcommittee hearing on Tuesday.
After hackers breached one of the largest U.S. oil pipelines in May, lawmakers began to question whether the federal government’s approach to cybersecurity — which relies on voluntary partnerships with the private sector — should be updated to better protect all sectors from modern cyber threats.
“Inaction isn’t an option,” said Chair Bonnie Watson Coleman, D-N.J. “When gas stops flowing due to a cyber attack, it doesn’t just impact the pipeline’s owner. It means Americans struggle to fill up their tanks.”
The Colonial Pipeline suffered a ransomware attack on May 7, shutting down the pipeline’s digital interface for several days and cutting off fuel deliveries across much of the East Coast. Hackers were able to breach the system with a single password, using a virtual private network that did not require multifactor identification, Colonial Pipeline CEO Joseph Blount told senators at a committee hearing in June.
In addition to the pipeline, hackers have also targeted New York City’s Metropolitan Transportation Authority, the Steamship Authority of Massachusetts ferry service and the Port of Houston since President Joe Biden took office in January.
As Congress considers a multi-trillion dollar investment in infrastructure through Biden’s Build Back Better Act, Watson Coleman, chair of the Subcommittee on Transportation and Maritime Security, said cybersecurity is paramount to the safety of everyday Americans who rely on public transportation.
“We can’t wait until a hacked plane falls from the sky or a breached railroad gridlocks our nation’s supply chain to take action,” Watson Coleman said. “The real cost would be borne by the passengers injured or even killed.”
The Transportation Security Administration issued a security directive in July, which required pipelines to implement several new protections against cyber intrusions after the Colonial Pipeline breach. Department of Homeland Security Secretary Alejandro Mayorkas announced on Oct. 6 that TSA will issue another cybersecurity directive aimed at the transit and aviation sectors later this year.
Suzanne Spaulding, a senior adviser for homeland security at the Center for Strategic and International Studies, said that although the TSA security directive is still under development, she has heard that it prescribes a “relatively basic” plan for incident response and oversight.
She described the directive as a step in the right direction, noting that the federal government could do more to advise firms on their purchasing decisions, regarding the security of their products and services.
“The threat is evolving much more quickly than our defense,” Spaulding said. “The purely voluntary approach has not gotten us where we need to be, despite decades of effort.”
Rep. Andrew Garbarino, R-N.Y., said he has been working with fellow committee members to draft bipartisan legislation that would mandate cyber incident reporting through the Cybersecurity and Infrastructure Security Agency.
“The issue of transportation cybersecurity hits close to home,” Garbarino said, describing the cyber attack on New York’s MTA in April. “We need to encourage an enhanced public-private partnership with owners and operators of our nation’s transportation system so these breaches don’t keep impacting American livelihood.”
This story was published in conjunction with United Press International.