Nimitz Tech Hearing 11-19-24 - House Homeland Security
⚡NIMITZ TECH NEWS FLASH⚡
House Homeland Security Subcommittee on Transportation and Maritime Security
November 19, 2024
HEARING INFORMATION
Witnesses and Written Testimony:
Panel I
Mr. Steve Lorincz: Deputy Executive Assistant Administrator for Security Operations, TSA
Mr. Chad Gorman: Deputy Executive Assistant Administrator for Operations Support, TSA
Ms. Tina Won Sherman: Director, Homeland Security and Justice, Government Accountability Office
Panel II
Mr. Ian Jefferies: President and Chief Executive Officer, Association of American Railroads
Ms. Kimberly Denbow: Vice President of Security and Operations, American Gas Association
HEARING HIGHLIGHTS
Strengthening Resiliency Against Cyberattacks
The hearing underscored the need for greater resiliency in transportation systems, emphasizing contingency planning and retaining the ability to operate systems manually. Overreliance on digital technologies was identified as a critical vulnerability, with calls to prepare for inevitable cyber disruptions by focusing on recovery and maintaining continuity of operations.
Protecting Sensitive Operational Data
Stakeholders raised concerns about the government’s collection and storage of sensitive infrastructure data, which they argued introduces unnecessary vulnerabilities. Insider threats and potential breaches make such data transfers risky, and witnesses advocated for on-site inspections as a safer alternative for verifying compliance.
Balancing Speed and Collaboration in Cybersecurity Regulations
The hearing highlighted the tension between TSA’s use of emergency security directives to act quickly against cyber threats and the lack of input from stakeholders during this process. While the directives address immediate risks, stakeholders criticized their inefficiencies and overly prescriptive nature, which fail to account for industry-specific operational needs.
IN THEIR WORDS
"Cyber threats have become pervasive, and their potential impact on critical infrastructure has profound implications for the safety and stability of our society and the resilience of our economy."
"If we're going to give all of this [control] to TSA for them to hold on to, we might as well just give it to China or to Russia, because there is no storage system that is impenetrable from third-party, unauthorized access or insider threats."
SUMMARY OF OPENING STATEMENTS FROM THE SUBCOMMITTEE
Chairman Gimenez opened the hearing by emphasizing the critical importance of cybersecurity in safeguarding the nation’s transportation systems. He noted that transportation networks, such as aviation, rail, highways, and maritime ports, are heavily reliant on digital systems, making them particularly vulnerable to cyberattacks from criminals and nation-states. He expressed concerns about the Transportation Security Administration's (TSA) approach to cybersecurity, criticizing the agency’s use of reactive, inflexible directives that lack stakeholder input. He called for a balanced regulatory approach that empowers operators to tailor cybersecurity measures to their specific needs while fostering innovation and efficiency.
Ranking Member Thanedar highlighted the Colonial Pipeline ransomware attack in May 2021 as a turning point in TSA's cybersecurity efforts. He explained that prior to this event, TSA relied on voluntary compliance with guidelines, but the attack demonstrated the need for a more regulatory approach. He praised TSA’s subsequent shift to performance-based cybersecurity mandates and its efforts to refine directives through stakeholder engagement. He also stressed the importance of continued investment in TSA’s cybersecurity capabilities and supported the proposed rules to codify comprehensive cybersecurity requirements for transportation operators, emphasizing the need to fortify defenses against evolving threats.
SUMMARY OF WITNESS STATEMENTS (Panel I)
Mr. Lorincz described the broad scope of TSA’s operations, including domestic aviation, international operations, surface transportation, compliance functions, and administrative oversight. He also mentioned TSA’s senior liaison roles with the Cybersecurity and Infrastructure Security Agency (CISA) and the State Department, demonstrating the agency’s broad mandate to respond to cybersecurity threats in the transportation sector.
Mr. Chad Gorman emphasized his responsibility for intelligence operations, regulatory policy, and stakeholder engagement. He highlighted the persistent cyber threats posed by nation-states, including Russia, China, Iran, and North Korea, which have demonstrated the capability to target critical infrastructure. He outlined TSA's use of emergency authorities to issue security directives following events such as the 2021 Colonial Pipeline cyberattack, requiring stakeholders to implement cybersecurity measures, including reporting incidents and developing cybersecurity plans. Mr. Gorman noted that TSA transitioned to a performance-based regulatory model in 2022 based on stakeholder feedback and is pursuing permanent changes through rulemaking to establish comprehensive cybersecurity risk management programs.
Ms. Tina Won Sherman emphasized the growing prevalence and sophistication of cyber threats to critical infrastructure, including the transportation sector. She noted that GAO has long identified cybersecurity as a high-risk area and has provided TSA with numerous recommendations, many of which have been implemented. She highlighted a remaining recommendation to update TSA’s 2010 pipeline security and incident recovery protocol plan, which TSA plans to complete by July of the following year. Ms. Sherman stressed the importance of TSA aligning its rulemaking and security directives with leading practices, such as clear stakeholder communication and efficient project management, to address cybersecurity threats effectively.
SUMMARY OF Q and A (Panel I)
Chairman Gimenez questioned Ms. Sherman about the 300-page proposed cybersecurity rulemaking document, asking whether it focused more on "check-the-box" requirements or genuinely helped the industry defend against cyberattacks. Ms. Sherman responded that while GAO had not conducted an in-depth analysis of the document, it incorporated existing security directives aimed at improving surface transportation cybersecurity. She also highlighted the inclusion of training requirements as a positive step forward, noting that while deterrence is difficult to measure, TSA's efforts represent progress.
Chairman Gimenez asked Mr. Gorman how much of the U.S. rail infrastructure relies on automated systems and how vulnerable these systems are to cyberattacks. Mr. Gorman explained that a significant portion of the rail network, including systems like Positive Train Control, is automated and interconnected. He stated that TSA’s focus in the proposed rulemaking accounts for these vulnerabilities, particularly for Class I rail entities and smaller operators critical to national security.
Chairman Gimenez then inquired about the potential impact of a large-scale cyberattack on the rail system and the measures being taken to address this risk. Mr. Gorman emphasized that vulnerabilities vary across the system, but the proposed rules aim to improve resiliency by leveraging existing cybersecurity frameworks, such as those from NIST and CISA, to enhance protections for critical transportation assets.
Finally, Chairman Gimenez pressed Mr. Gorman on whether the proposed rules account for worst-case scenarios, such as the need to operate off-grid if a cyberattack disrupts critical systems. Mr. Gorman highlighted three key components of the rules: the performance-based model for flexibility and specificity, efforts to prevent critical service disruptions, and mandatory development and regular testing of response plans to ensure redundancy and rapid recovery from incidents. These measures aim to maintain functionality even in the event of a significant cyber disruption.
Ranking Member Thanedar asked Mr. Lorincz how the additional funding and 41 cybersecurity positions requested in the Biden-Harris administration’s fiscal year 2025 budget would enhance TSA’s efforts and what further support TSA needed from Congress. Mr. Lorincz expressed gratitude for Congressional support and explained that the new resources would help address the growing oversight demands for aviation and surface entities, currently involving 168 aviation and 155 surface entities. He noted that TSA’s current staff-to-entity ratio is stretched, with 32 aviation-focused employees and 60 surface-focused employees handling these responsibilities, and emphasized that the new positions would alleviate workloads and enhance TSA’s ability to respond to industry feedback and inspection needs. Mr. Gorman added that the additional resources would strengthen TSA’s role as a Sector Risk Management Agency by enabling regular engagement with industry stakeholders. He highlighted that this support would enhance the sharing of actionable intelligence with Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) in the transportation sector, facilitating better threat hunting and preparation beyond regulatory requirements. He emphasized that the increased resources would directly support the implementation of cybersecurity measures and address threats more effectively.
Ranking Member Thanedar then asked how critical TSA’s security directive authority was for the agency’s mission and inquired about its broader use beyond cybersecurity efforts. Mr. Gorman stated that the administrator’s emergency authorities were vital for responding rapidly to cybersecurity threats and cited their use following the Colonial Pipeline attack as a key example. He noted that these directives allowed TSA to address immediate risks when the regulatory process was too slow to keep pace with evolving threats. While he declined to discuss non-cybersecurity uses of the authority due to sensitivity, he offered to provide examples in a secure setting after the hearing.
Rep. Higgins asked Mr. Lorincz to confirm his role as Deputy Executive Assistant Administrator for Security Operations at TSA under the Department of Homeland Security, which Mr. Lorincz affirmed. Rep. Higgins emphasized the public's growing concern about cybersecurity vulnerabilities across industries and questioned TSA’s use of Security Directives to address emerging cyber threats. Mr. Lorincz acknowledged the challenges of implementing these directives and noted TSA’s significant efforts to collaborate with industry stakeholders. He highlighted that TSA has conducted over 300 surface transportation industry engagements and 126 aviation sector engagements since 2021 to gather feedback and make necessary adjustments to their cybersecurity directives.
Rep. Higgins also confirmed Mr. Gorman’s role as Deputy Executive Assistant Administrator for Operations Support at TSA. He asked Mr. Gorman about the challenges posed by varying cybersecurity reporting requirements across government agencies, including TSA’s 24-hour rule and the Securities and Exchange Commission’s four-business-day rule. Mr. Gorman expressed TSA’s support for harmonizing cybersecurity requirements across agencies and noted that this was a focus of their recent Notice of Proposed Rulemaking (NPRM). He affirmed TSA’s commitment to incorporating interagency feedback and aligning efforts in the final rule to reduce regulatory complexity for industry stakeholders.
Rep. Higgins concluded by asking both officials whether they saw anything more important than harmonizing cybersecurity efforts to protect national infrastructure. Mr. Gorman stressed the importance of harmonization and collaboration with industry stakeholders, noting that it remains a key goal as TSA refines its rulemaking process. Mr. Lorincz echoed this sentiment, emphasizing that collaboration with stakeholders is vital to addressing their operational needs effectively. He reiterated that TSA’s ongoing industry engagements are critical for ensuring alignment and adaptability in the face of evolving cybersecurity threats.
Rep. Lee asked Mr. Gorman to identify critical lessons learned from security directives that TSA is considering for formal regulation. Mr. Gorman emphasized that cybersecurity requires a performance-based approach due to the complexity of threats and diverse business and operational technology networks. He explained that the performance-based model enables industry partners to tailor solutions to their operations while achieving TSA's cybersecurity goals. He highlighted TSA’s interest in industry feedback to address potential challenges and ensure the final rule effectively supports customized cybersecurity measures.
When Rep. Lee asked how the performance-based model accommodates different sectors, Mr. Gorman detailed that TSA sets outcome-based goals derived from industry standards such as NIST and CISA frameworks. He explained that TSA collaborates with individual operators to craft specific implementation plans tailored to their sector, technology, and operations, with a focus on criticality and a timeline for investments. He noted early successes with this approach and expressed confidence in its continued effectiveness as TSA moves toward finalizing its rules.
Rep. Lee inquired if TSA’s approach is sufficient to address the unique regulatory needs of various sectors. Mr. Gorman affirmed that flexibility is essential to accommodating different sectors and adapting to a persistent threat environment. Mr. Lorincz added that relationship building with industry stakeholders is critical, ensuring collaboration during the planning process. He emphasized TSA’s supportive approach, which includes pre-inspection discussions to prepare stakeholders, avoiding a “gotcha mentality,” and adjusting plans as needed to maintain safety and efficiency.
SUMMARY OF WITNESS STATEMENTS (Panel II)
Mr. Ian Jefferies emphasized the industry’s commitment to safety and cybersecurity through a collaborative, risk-based approach. He highlighted the importance of partnerships with TSA and CISA to adapt to emerging cyber threats and improve cybersecurity measures. Mr. Jefferies outlined the rail industry's long-standing cybersecurity framework, managed by committees focused on terrorism and information security, which form the Rail Sector Coordinating Council. He expressed concerns about TSA’s proposed cybersecurity rule, citing conflicting reporting timelines and unnecessary prescriptive mandates that could divert resources from critical threat response activities, and emphasized the need for performance-based standards.
Ms. Kimberly Denbow discussed the longstanding partnership between natural gas utilities and TSA to advance infrastructure security. She noted challenges stemming from TSA’s initial prescriptive emergency security directives issued after the Colonial Pipeline ransomware incident, which she said were impractical and overly rigid. She commended TSA’s course correction toward a risk-based, outcome-focused regulatory approach and urged Congress to establish guardrails on the use of security directives to prevent misuse. Additionally, she criticized the government’s handling of sensitive critical infrastructure data and called for better cybersecurity practices on the part of federal agencies.
SUMMARY OF Q and A (Panel II)
Chairman Gimenez questioned Ms. Kimberly Denbow about her remarks criticizing the federal government’s requirement for operators to submit sensitive operational information as part of compliance with cybersecurity regulations. Ms. Denbow explained that while TSA has been a positive partner, the pipeline sector is concerned about vulnerabilities created by government possession of critical information such as network architecture and cybersecurity measures. She argued that this requirement exposes operators to insider threats and foreign adversaries and emphasized that on-site inspections are a safer and more effective alternative.
Chairman Gimenez then asked why TSA believes it is necessary to collect sensitive information. Ms. Denbow suggested that TSA’s rationale stems from resource constraints, as on-site inspections take more time. She stated that it is the operators' responsibility to protect their systems and the government’s role to safeguard the nation, and extended inspections are preferable to creating unnecessary vulnerabilities through data collection.
When Chairman Gimenez expressed agreement with Ms. Denbow’s concerns about data security, she commended TSA’s efforts to protect the information it holds but acknowledged the reality that no system is impenetrable. Chairman Gimenez concluded by emphasizing the importance of operational resiliency, arguing that over-reliance on digital systems increases vulnerabilities. He suggested that industries should maintain institutional knowledge for manual operations to ensure continuity in the event of a cyberattack.
Rep. Higgins asked Mr. Jefferies about the financial burden of federal security regulations on the rail industry and whether TSA fairly evaluates their economic impact. Mr. Jefferies emphasized the rail industry’s longstanding commitment to cybersecurity, noting a positive relationship with TSA overall. However, he expressed concerns about the cost-benefit balance, questioning whether compliance requirements maximize security or merely create administrative burdens. He stated that while TSA acknowledges the financial impact, its fairness will be assessed after reviewing and commenting on the new rule. Mr. Jefferies advocated for an outcomes-based regulatory approach rather than prescriptive measures, emphasizing the importance of targeting specific security challenges.
Rep. Higgins turned to Ms. Denbow, asking her to elaborate on her earlier claim that government data collection of sensitive security information compromises cybersecurity. Ms. Denbow explained that natural gas utilities support reasonable, performance-based cybersecurity regulations but need consistency to enable long-term planning. She argued that TSA’s practice of requiring possession of critical infrastructure data unnecessarily exposes operators to risks and suggested that audits could be conducted on-site without transferring sensitive information.
Rep. Higgins clarified that Ms. Denbow’s concern was about the documentation of security mechanisms being vulnerable to breaches once in government possession. Ms. Denbow confirmed this and stressed that utilities have no issue showing TSA their security measures but oppose transferring such information physically or electronically outside their control.
© 2024 Nimitz Tech, 415 New Jersey Ave SE, Unit 3