Yesterday the DOT’s Federal Transit Administration published their notice of proposed rulemaking (NPRM) for public transit system safety plans in the Federal Register (81 FR 6343-6371).
Like the national transportation safety plan that I mentioned a week ago as starting to wend its way through the regulatory process, I had hoped to see a mention of cybersecurity as a component of the safety plan. I had thought that the regulators would see that, with the increasing reliance on automated control systems in the transportation process, protecting those systems from attack would be an important part of ensuring transportation system safety.
Unfortunately, this NPRM completely ignores the security component of safety of any sort, much less cybersecurity. This is not an uncommon point of view for safety professionals. They strive to prevent accidents. Over the years they have specifically excluded deliberate acts from their consideration as being uncontrollable.
The modern world, with its new modern terrorists, requires a rethinking of that outlook by safety professionals. With the ability to access transportation control systems from nearly anywhere in the world via the internet, a terrorist organization no longer needs to infiltrate personnel and weapons into the country to be able to attack public transit. The ability to attack from a distance without exposing its personnel to arrest or death ensures that a modern terrorist organization is going to use this mode of attack, sooner rather than later. This is especially true when you consider that the same team would be able to simultaneously attack multiple transit systems or a single transit system at multiple locations.
It is true that the Transportation Security Administration is technically responsible for security programs across all transportation modes. The reality, however, is that TSA has always been primarily focused on public air transportation due in large part to Congressional funding priorities. On the surface transportation side they have had a very minimal focus on providing security support to surface transit operations, primarily limited to roaming security teams and canine support.
TSA has been incapable of meeting Congressional mandates for even establishing surface security awareness training programs. They would be totally incapable of establishing cybersecurity requirements for transit control systems, due both to lack of funding and the lack of control system expertise.
The Department of Transportation is going to have to realize that its focus on transportation safety must also include an emphasis on transportation control system security. Without an active program to protect those control systems from terrorist, hacktivist and even criminal attacks, DOT and its modal agencies will not be able to guarantee the safety of the associated transportation systems.
The FTA is soliciting public comments on this rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FTA-2015-0021). Comments need to be submitted by March 5th, 2016.