US To Tell Critical Rail, Air Companies To Report Hacks, Name Cyber Chiefs (reuters.com)
The Transportation Security Administration will introduce new regulations that compel the most important U.S. railroad and airport operators to improve their cybersecurity procedures, Homeland Security Secretary Alejandro Mayorkas said on Wednesday. From a report: The upcoming changes will make it mandatory for "higher-risk" rail transit companies and "critical" U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose hacks to the government, and draft recovery plans in case an attack were to occur. The planned regulations come after cybercriminals attacked a major U.S. pipeline operator, causing localized gas shortages along the U.S. East Coast in May. The incident led to new cybersecurity rules for pipeline owners in July.
"Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security," Mayorkas said. "The last year and a half has powerfully demonstrated what's at stake." A key concern motivating the new policies comes from a growth in ransomware attacks against critical infrastructure companies.
Re:Today's Internet is a living nightmare. (Score:4)
Do everyone a favor and stop using the internet.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Perhaps requiring a cyber security certification, similar to a structural engineer might help.
no college for that certification and no $1000+ te (Score:2)
no college for that certification and no $1000+ test for that as well.
Also that test needs to be non-vendor-based. Or some Linux or network pro can fail it as they may not know Windows Server that well.
Re: (Score:2)
Maybe that Linux or network pro shouldn't be a chief of cyber security if he's not well rounded enough to be up on security concerns for all the platforms under his charge.
This will fix everything, surely. (Score:2)
Still don't know why these critical devices are connected to the Internet in the first place. Something about convenience? Centralized control? They never heard of private networks?
It's the Internet of Damn Things.
Re: (Score:2)
You do know that even air gaps get bridged on occasion, right? Stuxnet infected an air-gapped network because of an infected USB stick that bridged the network.
I know what "on occasion" means. (Score:2)
Re: which law provides the basis for this regulati (Score:2)
Sounds like article 1 of the Constitution, clauses 3 and 8. I think a clause 1 could be applied too with one other amendment on commerce. Clause 3 seems to be the most applicable unless some of the companies included do not do interstate or international business but I suspect in this industry, they all do. Clause 8 pushes more how the regulations work, to have a scientific approach towards handling cyber security which is only really needed in a legal argument if the company neither does interstate nor int
That's to Congress. Then 49 U.S. Code 114(I) (Score:2)
The sections in Article 1 you mentioned say "Congress ...". They give Congress the power to create laws that cover interstate commerce.
One would then ask what gives the TSA this power. Because TSA isn't Congress.
Congress passed 49 USC 114 to create the Transportation Security Administration. Section i directs the TSA to develop and enforce security regulations for interstate transportation companies.
Re: (Score:2)
So then the answer you want is US Code 114, the TSA Law, which grants the powers of congress to the TSA in matters over both civil aviation security and other modes of transportation that would fall under the DOT.
But to be clear, the question above asks what gives the federal government this authority, not specifically the TSA, and considering Congress commonly delegates its authorities, the first question is what gives the federal government the authority.
Re: (Score:2)
It's literally a national security issue (they are transporting people), so there are a slew of them that enable this.
Re: (Score:3)
Not trolling here, but which law gives the federal government the authority to compel businesses to do this. Genuinely curious.
Federal agencies have the power to write and enforce regulations. As an example, the Federal Energy Regulatory Commission (FERC) has made very similar rules, and enforces them, on power plants and electrical transmission companies. STUXNET was a big wakeup call and FERC had the (NERC) write standards [nerc.com] on how to secure networks. These standards can be a good thing. It's relatively common for people to die in extended power outages in extreme weather, and a utility following all the regulations is much les
Re: (Score:2)
Nobody will ask this question. Nobody.
Because one thing is certain: If you do, you WILL be hit by new legislation that makes your head spin. And that law WILL pass, no matter how insane. It's for national security. What politician would vote no on something like that?
Re: (Score:1)
This reminds me of the time I received a notice that I had been designated an important person in the event of the resolution of the bank I worked at. I made sure not to be any more.
By "improve" (Score:2)
I assume they mean "have".
Cybersecurity is virtually non-existent across the US private sector:
Re: (Score:2)
This might be my favorite one. Every single time an IT department starts patching their systems unplanned downtime just *evaporates*.
Many years ago I worked somewhere that was constantly getting slammed by worms. Huge network, totally flat, oceans of shadow IT, life and death processes being supported, entire environment crippled. At some point, someone finally had the bright idea that maybe they should start patching the enterprise managed infrastructure.
Enterprise assets instantly disappeared from the
Worthless, meaningless, and irrelevant (Score:2)
If you want industries to clean up their cybersecurity act you need -
1.) A detailed and comprehensive set of requirements, both technical and organizational, that they must comply with
2.) A mandatory means of validating compliance with the requirements
3.) Penalties for noncompliance whose costs outweigh the cost of implementing the security controls
Without all three of those things this is just a complete waste of everyone's time. It will have no impact whatsoever.
The fact that the government is asking for