The Transportation Security Administration (TSA), part of the US Department of Homeland Security (DHS), has been accused of failing to implement several key cybersecurity recommendations to improve the security of the transportation sector.
A report from the US Government Accountability Office (GAO) criticized the TSA after it found four of the six cybersecurity recommendations it made to the agency in 2018 have not been actioned six years later.
The six objectives centered around four key areas, reducing the risk the sector faced from ransomware attacks, securing internet-connected devices, updating security and incident recovery protocols, and developing a strategic workforce plan.
The report included a statement from Tina Won Shorman, director of Homeland Security and Justice at the GAO, who noted that “in January 2024, GAO reported that ransomware was having increasingly devastating impacts in the sector and found that the TSA’s security directives did not align with ransomware leading practices.”
“GAO recommended that DHS determine the extent to which the transportation systems sector is adopting leading cybersecurity practices that help reduce the sector’s risk of ransomware. As of November 2024, this recommendation was not yet implemented.”
The TSA oversees the security of the transportation infrastructure around the US, with the GAO report focusing on surface transportation, comprising freight rail, passenger rail, and pipelines.
These networks are classed as critical national infrastructure (CNI) due the integral role they have in underpinning various essential services, which have received increased attacks in recent years.
In May 2024, state security agencies in the UK and US issued a warning over the increased threat to CNI organizations by state-affiliated hacking groups seeking to disrupt critical services in the region.
The objectives set out by the GAO urged the TSA to assess the adoption of leading ransomware security practices and implement routine evaluation procedures to measure the effectiveness of federal support in reducing the risk of ransomware to the transportation systems sector.
The status of both these recommendations was listed as ‘open’ in the GAO report, as were the two recommendations for securing internet-connected devices.
These included the development of a sector-specific plan that has metrics to measure the effectiveness of their attempts to bolster IoT security, and including these devices as part of their cyber environment risk assessments.
The GAO’s recommendations are being made against a backdrop of growing attacks on the public sector around the world, with public sector security debt and supply chain attacks in sectors such as government and healthcare posing a major risk.
Colonial Pipeline attack illustrated pipeline industry’s lack of cyber resilience
The only recommendation the TSA fully implemented was to develop a strategic workforce plan, including determining the number of personnel necessary to meet the goals set for its pipeline security branch. This plan effectively outlines the knowledge, skills, and abilities the sector will need to conduct security reviews of the pipeline industry.
Whereas, the agency was only found to have partially addressed its objective to update the 2010 pipeline security and incident recovery protocols to reflect changes in threats, technology, federal law, and policy.
For example, in the event of an incident the TSA coordinates information sharing between federal and pipeline stakeholders, and federal activities to restore an affected pipeline are coordinated by the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration.
But the GAO report found the TSA had not revised the plan to reflect changes in a number of areas, including cybersecurity.
As of November 2024, TSA officials reported that the protocol plan is still under revision in order to align it with several national-level policy documents, and said they anticipate the completion of the updated protocol by the end of July 2025.
The GAO report raised the 2021 cyber attack on Colonial Pipeline as a recent example of the importance of strong incident response models in place in the pipeline industry.
The ransomware attack on one of the US’s largest oil pipelines which spans 5,500 miles, caused an operational shutdown that lasted five days and resulted in a temporary fuel shortage along the southeast region of the US.
The firm’s CEO, Joseph Blount, confirmed the company had paid $4.4 million to the hackers responsible for the attack, known as DarkSide, shortly after. Blount explained he approved the payment amid doubts over the full extent of the attack and how long it might take to get the company’s operations back online.
