- On May 15, 2019, the White House issued a new national security Executive Order (EO) focused on Information and Communications Technology (ICT) and Services Supply Chain, which impacts all modes within the transportation sector.
- The U.S. Department of Homeland Security's (DHS) new National Critical Functions list highlights those functions in the U.S. most at risk for a cybersecurity attacks and includes every mode of transportation.
- The Transportation Security Administration's (TSA) Cybersecurity Roadmap makes clear that it has the statutory authority to regulate the transportation sector for cybersecurity.
- Members of Congress are expressing serious concerns over cybersecurity risks to the transportation sector, with specific concerns from a foreign state-owned enterprise (SOE) in the mass transit market in key U.S. cities.
"Infrastructure Week" just celebrated the pivotal role that the transportation sector plays in our national and economic security, facilitating the movement of people and goods around the world and keeping the global economy running. The transportation sector has always prioritized both safety and security, and as a result is one of the safest systems in the world, well known for its impressive technological innovation and intelligent transportation systems. However, as with all other sectors, increased connectivity means increased cyber risk. Compounding this vulnerability, the transportation sector remains one of the few critical infrastructure (CI) sectors1 that does not have cybersecurity mandates or regulations similar to what other CI sectors have seen over the last 10 years. Cybersecurity risks are ever-present and as a result, a large-scale paradigm shift is needed to broaden the awareness and understanding of what safety and security means in today's world. In the last few months, the White House, the U.S. Department of Homeland Security (DHS) and the Congress have begun raising concerns about these issues.
This is the third article focusing on cybersecurity risk to the transportation sector. Previous alerts focused on aviation cybersecurity and pipeline cybersecurity. (See Holland & Knight alerts, "New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements," Dec. 10, 2018, and "New TSA Cybersecurity Roadmap States Specific Requirements for Pipeline Industry," Dec. 14, 2018.)
Information and Communications Technology (ICT) and Services Supply Chain: New Cybersecurity Risks to the Transportation Sector
Technological innovation has always been the cornerstone of the transportation sector, bringing increased safety, physical security and efficiencies. At the same time, the increasing reliance on ICT technology and services underpins the use of onboard technology, the presence of third-party vendor software and hardware, and the rapid integration of autonomous systems, both revolutionizing the transportation sector, but also brings cybersecurity risks as well.
On May 15, 2019, the White House issued a new national security Executive Order (EO) focused on Information and Communications Technology (ICT) and Services Supply Chain, which will have cascading effects for transportation as well as other sectors.2 The EO covers broad-based ICT and supply chain risk, encompassing 5G issues, and is much more than just the ban on Huawei. The EO bans any entity that is "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary" from doing business in the U.S. and will impact every mode of transportation, including aviation, transit, rail, maritime, trucking, autonomous vehicles, drones, among others.
DHS Defines National Critical Functions: Mass Transit, Rail and Autonomous Vehicles Covered
The transportation sector carries hundreds of millions of passengers and millions of tons of cargo per year and must address cybersecurity risks to the underlying operational risk to the sector. Building on use of the term CI, DHS recently finalized a list of "National Critical Functions" (Functions) that are at the greatest risk to cybersecurity attacks, functions "so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on the security, national economic security, national public health or safety, or any combination thereof."3
As a result, it is not surprising that the list of Functions encompasses all modes of transportation: mass transit, freight rail, the movement of passengers and goods by aviation/air cargo, the movement of passengers and cargo via highway (covering trucking, passenger vehicles, autonomous vehicles), pipelines as well as the movement of passengers and cargo by vessels (including cruise ships and cargo vessels). The list of Functions makes it explicit that mass transit and rail, as well as the movement of passengers and goods, (via trucking, passenger vehicles including autonomous vehicles and vessels) have considered at risk. It also includes functions that the sector relies on every day to operate, such as electricity, information technology products and services, satellite services, and global positioning, navigation and timing (PNT) services.
While transportation has always been on the list of CI sectors, some modes have argued that it was not truly part of the definition of "critical infrastructure." DHS has settled that debate by listing specific transportation functions on the National Critical Functions list and has indicated that it will ensure these sectors are secure, including using its regulatory authority if need be.
Cybersecurity vs. Safety vs. Physical Security
As is known, safety and security functions were separated when Congress passed the 9/11 Commission Act. The Transportation Security Administration (TSA) assumed security oversight, although primarily physical security, for all modes of transportation under the Aviation and Transportation Security Act 4 with safety left to the U.S. Department of Transportation (DOT).
In 2013, the need to focus on cybersecurity risk coalesced with White House Cybersecurity Executive Order 13636, issued along with Presidential Policy Directive 21 (PPD-21). DHS was directed to assist "critical infrastructure owners and operators . . . to take proactive steps to manage risk and strengthen the security and resilience of the Nation's critical infrastructure."5
From 2013 until late 2018, cybersecurity risks within the transportation sector were primarily addressed in a voluntary public-private partnership model. That ended with the release of the TSA Cybersecurity Roadmap in December 2018.
It is noteworthy that the TSA Cybersecurity Roadmap made clear that it has statutory authority to address cybersecurity to the seven Transportation System Sectors (TSS)6 it oversees, including highway and motor carrier (also autonomous vehicles and trucks), mass transit and passenger rail and freight rail. Prior to this, no agency was in charge of cybersecurity for the sector and made clear it will "utilize its statutory and regulatory authorities to ensure the resilience of the TSS." It builds on the December 2017 White House National Security Strategy that also expressed clear concerns over cyber risk to six particular sectors, one of which was the transportation sector and specifically the aviation, surface and maritime sectors.7
Congressional Concerns Raised Over Gaps in Cybersecurity Oversight and the Rise of Foreign State-Owned Enterprises
Congressional concerns over the cyber posture of the transportation sector, including transit and rail has grown exponentially in just the last year. Starting in 2018, concerns have been mounting in Congress and the executive branch over the quick entrance of a foreign SOE quickly winning key mass transit contracts in key U.S. cities. Mass transit is run and operated by local governmental bodies who conduct traditional procurements to build rail/transit cars and provide long-term operation/maintenance contracts. Like other modes, sophisticated manufacturing, computerized functions and key ICT technology underpins transit and increasingly include Wi-Fi, all areas that require in-depth cybersecurity protections. Congress has raised questions over the safety and cybersecurity of any transit/rail cars manufactured by a foreign SOE as well as the lack of sufficient cybersecurity requirements being included in public procurements by state and local governments. At the same time, in the last two years, there has been an increase in successful cyberattacks on a host of state and local communities, both within the transit systems, and in several cases, the cities themselves.
In 2018, Congress included a mandate in P.L. 115-232, the John S. McCain National Defense Authorization Act (NDAA) that DHS and U.S. Department of Defense (DOD) assess and report to Congress the "national security risks, if any, related to investments in the United States by state-owned or state-controlled entities in the manufacture or assembly of rolling stock or other assets for use in freight rail, public transportation rail systems, or intercity passenger rail systems."8
On Feb. 26, 2019, the House Homeland Security Committee held a hearing on "Securing U.S. Surface Transportation from Cybersecurity Attacks" raising concerns on these issues. Then, on May 16, 2019, the House Transportation and Infrastructure Committee held a hearing "The Impacts of State-Owned Enterprises on Public Transit and Freight Rail Sectors."
Expect Congressional Actions and Potential Regulations to Address the Risk
As with DHS, increased Congressional focus in the sector illustrates a major shift in oversight and potentially new regulations on the sector to replace previous voluntary measures by the industry to address cyber risk. Congress is taking more direct action and has included language in various pending bills to prohibit transit and rail systems from doing business with the SOE. Federal agencies are stepping in to provide security briefings to make clear the cybersecurity and national security risks to state and local elected officials.
The release of the DHS National Critical Functions list covering all modes of transportation, coupled with the issuance of the TSA Cybersecurity Roadmap makes clear that cybersecurity risks to the transportation industry must be addressed. The result is the sector should expect to see potential regulations or security directives coming in the near future and increasing restrictions designed to protect the modes from cybersecurity threats.9 At the same time, the European Union and other nations around the world are also contemplating new regulations, so it would be incumbent on the industry to quickly work together to address the risk and to see global harmonization for whatever new regulations may be on the horizon.
As with all technological innovation, cybersecurity is the No. 1 risk that has to be evaluated and addressed on an ongoing basis. However, cybersecurity risk in this sector is much more than just the serious risk that can come from data loss or data security, it is about protecting the operational risk to the underlying system from cybersecurity attacks that can also have physical and operational outcomes.