TSA requires rail and airports to strengthen cybersecurity

SeattlePI.com

RICHMOND, Va. (AP) — The Transportation Security Administration is issuing new directives and recommendations aimed at strengthening the cybersecurity defenses of U.S. rail and airport operators.

The Biden administration said the requirements made public Thursday are part of a broader effort to protect the nation's critical infrastructure from ongoing cyberespionage and a surge in disruptive ransomware attacks.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe,” Homeland Security Secretary Alejandro Mayorkas said in a statement. He had previously previewed the new regulations in October.

The new TSA directives require most passenger and freight rail operators to identify a cybersecurity point person, report incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency, conduct a vulnerability assessment and develop a contingency and recovery plan in case of malicious cyber activity. They go into effect at the end of the year and the TSA said it is making similar changes to requirements for airport operators.

The TSA said it is recommending but not mandating cybersecurity requirements to some smaller and lower-risk rail and airport operators.

The new regulations are similar to ones issued in May for pipeline operators following the Colonial Pipeline ransomware attack that disrupted gas supplies in several states.

Republican lawmakers have expressed concern that the TSA has crafted new cybersecurity directives without enough transparency and input from affected industries.

“We believe that care must be taken to avoid unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance,” a group of Republican senators said in an October letter to...
