No Longer Optional: New U.S. Directives Require Surface Transportation and Aviation Sector to Report All Cybersecurity Incidents

06 Dec 2021

As cybercriminal activity intensifies and becomes more successful and technologically advanced, the U.S. government takes action to protect its critical transportation infrastructure;

OTORIO’s automated security and compliance assessment platform helps organizations prepare for new cyber and regulatory challenges 


The U.S. Department of Homeland Security’s Transportation Security Administration (TSA) issued two new directives on December 2, 2021, to strengthen cybersecurity across the surface and aviation transportation sectors. Owners and operators must comply with four cybersecurity measures:

  1. report all cybersecurity incidents to CISA (Cybersecurity and Infrastructure Security Agency) within 24 hours;
  2. designate a cybersecurity coordinator who will be available to TSA and CISA 24-7;
  3. develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should their IT and/or OT systems be affected by a cybersecurity incident; and
  4. complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their IT/OT systems.

For now, the new cybersecurity requirements target the higher-risk transportation sector—freight railroads, passenger rail, and rail transit. However, airport and airline operators must also comply with the reporting requirement and the designation of a cybersecurity coordinator. In addition, DHS Secretary Alejandro Mayorkas said that a similar requirement to assess vulnerabilities and develop a response plan would be imposed on the airport industry. In the meantime, TSA recommends that all surface transportation owners and operators voluntarily implement all four requirements. The rule goes into effect at the end of 2021.


The new TSA directives are similar to those issued for pipeline operators back in July in response to the Colonial Pipeline ransomware attack. Those directives require owners and operators of TSA-designated critical pipeline infrastructure to implement measures to protect IT and OT systems from ransomware and other cyber attacks.

IT/OT Convergence Places Transportation Infrastructure At Risk

In its backgrounder to the Directives, DHS-TSA highlights the emerging threats to transportation infrastructure due to the convergence of information and operational technology systems: “Railroads, public transportation agencies, and over-the-road bus operators all have technology that needs to be appropriately secured. Cyberattacks across all sectors, including transportation, have shown that information and operational technology systems are vulnerable.”

In early November 2021, DHS published “Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.” The directive established a catalog of “known exploited vulnerabilities” to be managed by CISA. All federal agencies are required to remediate any vulnerabilities identified in the CISA catalog. The list of vulnerabilities in the catalog is exhaustive and includes everything from software to infrastructure to mobile apps. While the directive is targeted at federal agencies, its reach extends to “all hardware and software found on federal information systems, managed on agency premises or hosted by third parties on an agency’s behalf.” Private sector vendors such as Qualcomm, Microsoft, Adobe, Apache, and Linux, among others, will be impacted by the breadth of this directive.

TSA says that the new cybersecurity requirements were formulated in collaboration with industry stakeholders and federal agencies, including CISA, and are based on sensitive intelligence regarding cyber threats to the transportation industry.

Impact Of The Enhanced TSA Cybersecurity Directives

Mandatory Reporting Requirement

Owners and operators will now be required to report to CISA all cybersecurity incidents involving systems that the owner/operator has the responsibility to operate and/or maintain, including:

  • unauthorized access of an IT or OT system
  • discovery of malicious software on an IT or OT system
  • activity resulting in the denial of service to any IT or OT system; and
  • any cybersecurity incident resulting in operational disruption to the IT or OT systems.

To understand the importance of this new directive, we need to first understand the current situation. A survey conducted recently by OTORIO found that many organizations do not report every cyber incident they experience. In fact, more than half of the survey respondents said they don’t report as much as 20% of their cybersecurity incidents. The new directives will be a wake-up call to change how cybersecurity incidents are tracked and reported.

CyberSecurity Assessment And Remediation Plan

Another important aspect of the recent TSA directives is the need for organizations to complete a cybersecurity assessment to identify gaps and vulnerabilities. The assessment form prepared by the TSA for this purpose uses the functions and categories organized by the NIST Cybersecurity Guidance Framework. Owners and operators must implement a plan to rectify identified security gaps and vulnerabilities, including “establishing capability and governance for isolating IT and OT systems in the event of a cybersecurity incident that has the potential to cause operational disruption.”

Especially for these use cases, OTORIO developed an automated security and compliance assessment platform, spOT for Security and Compliance Assessment. By pulling data from a variety of data sources, spOT automatically generates a security controls assessment, risk assessment, compliance assessment and governance assessment, shortening assessment and audit time and required resources by up to 75%.

Cybersecurity Regulations 2022: What To Expect

This TSA Directive, like previous ones, recognizes the pivotal role that IT/OT convergence plays in exposing security vulnerabilities in the industrial sector. No longer operating independently, industries and critical infrastructure need cybersecurity mitigation tools that are holistic and proactive. We can expect governments to roll out more cybersecurity directives to protect IT/OT systems across all industries.

Industrial and critical infrastructure owners and operators must prepare immediately to implement reporting requirements and vulnerability assessments beginning in 2022. OTORIO offers comprehensive cybersecurity and digital risk management solutions for converged IT/OT/IoT environments that help organizations harden their operations and comply with all monitoring, reporting, and remediation regulations.


1 The survey was conducted in November 2021 and covered 200 Directors or Heads of Cybersecurity from North America, Europe, and Latin America. Respondents represented industrial companies in the Energy, Utilities, and Oil and Gas sectors.