Despite having responsibilities to help ensure that the nation’s surface transportation systems minimize their cyber security risks, the Transportation Security Administration (TSA) Surface Division lacks its own in-house cyber security experts and instead relies on help from cyber specialists within the Department of Homeland Security, an agency official said on Tuesday.
Cyber security is a “specialized field” so the Surface Division relies on experts from the DHS Cybersecurity and Infrastructure Security Agency (CISA) to help where needed, Sonya Proctor, director if Surface Division Policy, Plans and Engagement at TSA, told a joint hearing of the House Homeland Security Subcommittees on Cybersecurity and Transportation Security.
Proctor said she has a staff of five surface transportation policy experts. Her office is being transitioned to the TSA Security Operations division, which has more than 200 Transportation Security Inspectors for surface transportation.
The Surface Division’s responsibilities include security for pipelines, passenger and freight rail, buses and motor carriers.
“TSA’s functions and authorities as a security agency are uniquely structured to tackle the challenges at the intersections of surface transportation and cyber risks,” Proctor said in her written statement.
In response to questions from Rep. James Langevin (D-R.I.) about how many cyber security specialists TSA has for pipeline security and surface transportation security, Proctor replied “none” and that the agency doesn’t have any cyber experts for surface transportation security.
“I find that a troubling answer,” Langevin said.
Later on Tuesday, Langevin provided a statement that said, “I hope TSA will take the opportunity provided by the Cybersecurity Road Map and the forthcoming implementation plan to reassess what resources, including personnel, it needs to adequately coordinate protection of our pipelines, rail networks, and other surface transportation infrastructure.”
TSA in December issued a Cybersecurity Roadmap to guide its efforts to strengthen its cyber security posture and the nation’s transportation systems.
A TSA spokesman told Defense Daily that TSA has about 50 cyber security specialists at the agency to protect its own networks and the transportation security equipment that it owns, such as explosive detection systems and carry-on baggage scanners deployed at the nation’s airports. TSA doesn’t own any equipment or infrastructure for surface transportation security, he said, adding that the agency relies on, and works with, CISA and stakeholders in the surface transportation community for cyber security help.
Proctor highlighted recently revised Pipeline Security Guidelines for which TSA added a cyber security section in 2018, noting that industry has been “supportive and receptive.” She said that TSA worked with CISA to develop the cyber security section.
Robert Kolasky, director of CISA’s National Risk Management Center, said at the hearing that in the coming months his organization will have a finalized list of National Critical Functions to guide risk management for critical infrastructure. DHS defines National Critical Functions as the “’functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating impact on national security, economic security, national public health or safety,’” he said.
Surface transportation systems, including pipelines, are part of the National Critical Functions work and “need to be prioritized in terms of security,” Kolasky said. Work on pipeline security also involves the Department of Energy, he said.
Establishing the critical functions will allow for follow-on analysis that includes “consequence modeling and dependency analysis” that will be used to develop a “Risk Register of the most pressing threats facing the critical infrastructure community,” he said.
Kolasky warned that cyber threats to the nation’s surface transportation systems could impact the range modes, including mass transit, pipelines, highways and rail systems.
Adherence to TSA’s cyber security guidelines that it publishes for the surface transportation sector are voluntary and Proctor said that the agency works with owners and operators to mitigate risks and identify vulnerabilities. For the pipeline segment, she said the response from the community to implement best practices and programs to increase their security has gone well, noting that compliance rates for various guidelines and practices are the 80 to 90 percent range.