Hackers have targeted New York City’s Metropolitan Transportation Authority, which operates the city's subway system and other rail lines. File Photo by John Angelillo/UPI | License Photo
WASHINGTON, Oct. 26 (UPI) -- Numerous cyberattacks have threatened U.S. transportation infrastructure over the last year, disrupting ferries, railways and oil supply chains, and leading lawmakers on the House Homeland Security Committee to consider industry-wide cybersecurity mandates at a joint subcommittee hearing Tuesday.
After hackers breached one of the largest U.S. oil pipelines in May, lawmakers began to question whether the federal government's approach to cybersecurity - which relies on voluntary partnerships with the private sector - should be updated to better protect all sectors from modern cyber threats.
"Inaction isn't an option," said Rep. Bonnie Watson Coleman, D-N.J., chairwoman of the Transportation & Maritime Security Subcommittee. "When gas stops flowing due to a cyberattack, it doesn't just impact the pipeline's owner. It means Americans struggle to fill up their tanks."
The Colonial Pipeline suffered a ransomware attack May 7, shutting down the pipeline's digital interface for several days and cutting off fuel deliveries across much of the East Coast.
Hackers were able to breach the system with a single password, using a virtual private network that did not require multifactor identification, Colonial Pipeline CEO Joseph Blount told senators at a committee hearing in June.
In addition to the pipeline, hackers have also targeted New York City's Metropolitan Transportation Authority, the Steamship Authority of Massachusetts ferry service and the Port of Houston since President Joe Biden took office in January.
As Congress considers a multitrillion-dollar investment in infrastructure through Biden's Build Back Better Act, Watson Coleman said, cybersecurity is paramount to the safety of everyday Americans who rely on public transportation.
"We can't wait until a hacked plane falls from the sky or a breached railroad gridlocks our nation's supply chain to take action," she said. "The real cost would be borne by the passengers injured or even killed."
The Transportation Security Administration issued a security directive in July, which required pipelines to implement several new protections against cyber intrusions after the Colonial Pipeline breach.
Department of Homeland Security Secretary Alejandro Mayorkas announced Oct. 6 that TSA would issue another cybersecurity directive aimed at the transit and aviation sectors later this year.
Suzanne Spaulding, a senior adviser for homeland security at the Center for Strategic and International Studies, said at the hearing that although the TSA security directive still is being developed, she has heard that it prescribes a "relatively basic" plan for incident response and oversight.
She described the directive as a step in the right direction, noting that the federal government could do more to advise firms on their purchasing decisions, regarding the security of their products and services.
"The threat is evolving much more quickly than our defense," Spaulding said. "The purely voluntary approach has not gotten us where we need to be, despite decades of effort."
Rep. Andrew Garbarino, R-N.Y., ranking member of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee, said he has been working with fellow committee members to draft bipartisan legislation to mandate cyber incident reporting through the Cybersecurity and Infrastructure Security Agency.
"The issue of transportation cybersecurity hits close to home," Garbarino said, describing the cyberattack on New York's MTA in April.
"We need to encourage an enhanced public-private partnership with owners and operators of our nation's transportation system so these breaches don't keep impacting American livelihood."