The House of Representatives Transportation & Infrastructure Committee held a hearing on November 4 to identify cybersecurity challenges facing the nation’s critical infrastructure and transportation systems, along with possible solutions.
[Above photo by the Missouri DOT]
“When it comes to the nation’s critical infrastructure and transportation networks—pipelines that fuel our economy, water and wastewater treatment plants, shipping, aviation, railroads, and highways that play critical roles in bringing vital supplies to all Americans—getting everything right, every time, must be the goal,” noted Peter DeFazio, D-Ore., the committee’s chair, in his opening statement.
“Lives are on the line, and each day when you turn on a faucet or flush your toilet, when you board a plane, or fill up your car with gas, you trust that these systems will work,” he said.
Megan Samford, vice president and chief product security officer for energy management at Schneider Electric, was one of six witnesses testifying at the hearing.
Samford – who also serves as the advisory board chairperson for the ISA Global Cybersecurity Alliance and co-chair of the Department of Homeland Security Control Systems Working Group – stressed that the private sector lacks a “consistent, repeatable, and scalable framework” to respond to day-to-day cyber incidents.
She explained in her written testimony that private sector cybersecurity plans often suffer during larger crises because of a “lack of coordination capacity” outside of their organization and their control. “Their [cybersecurity] playbooks are comprehensive, but written on a company-by-company basis and lack interoperability. Their individual plans cannot scale effectively into a collaborative response when multiple companies, jurisdictions, and government – state, local, and federal – entities need to be brought to bear for a large-scale attack scenario.”
That is particularly true of transit systems, argued Scott Belcher, a Mineta Transportation Institute research associate.
Belcher noted in his written testimony that “as digital technologies continue to be woven into the operations of even the most conventional public transit agency, any system, process, or function dedicated to reducing physical risk likely includes an array of digital vulnerabilities that need to be managed in concert with current security operations.”
He added that there “needs to be a collaborative effort between the federal government, the industry, and transit agency leadership to establish, maintain, refine, and support cybersecurity programs,” going so far as to argue “that the Federal Transit Administration should require transit organizations to adopt and implement minimum cybersecurity standards prior to receiving federal funding.”
The reason is that transportation infrastructure is a becoming a more attractive target for “nefarious actors” seeking local, regional, and national disruptions, be it for personal or political gain.
“The avenues to exploit this vital infrastructure will continue to evolve along with the technology that enables the industry’s core operations and goals,” Belcher said. “As these technologies are further embedded in operations, new vulnerabilities will arise. Accounting for the risk today will foster greater resiliency and preparedness in the years to come.”
Michael Stephens, general counsel and executive vice president for information technology for the Hillsborough County Aviation Authority, echoed Belcher’s observations in his written testimony.
“Computers, keyboards, and digital code have become the newest tools of criminals and some of the preferred weapons of war for nation-states and other U.S. adversaries,” Stephens said.
“That is why it is of paramount importance that we exercise increased urgency and vigilance to anticipate, identify and mitigate cyber threats to our nation’s airports, airlines, and other critical aviation infrastructure,” he explained.
“Given the nature of these existing and growing threats, proactively implementing standards, protocols, and countermeasures to protect ourselves against potential catastrophic system disruption must become one of our highest priorities,” Stephens noted.