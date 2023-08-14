The Transportation Security Administration is sounding the alarm that it needs funding for more employees to stay on top of the growing task of overseeing pipeline, rail and aviation companies’ cybersecurity defenses.

“We have enough folks to do the work that's on our plate today, but in the budget process, we're asking for more,” TSA Administrator David Pekoske told The Messenger during an interview at the DEF CON hacker conference in Las Vegas.

The TSA is best known for its airport security screenings, but the agency also protects pipelines and railroads, and in recent years, it has stepped up its cybersecurity oversight of all three of these transportation modes.

The TSA is now reviewing pipeline and railroad operators’ plans for assessing their own cybersecurity practices, making sure that the companies are conducting rigorous enough tests. Airport and aircraft operators are submitting their assessment plans as well. And depending on what the TSA finds, some of these companies might need to resubmit their plans for additional review.

“It's a significant body of work for us,” Pekoske said. “It’s more complicated … than just going through and checking boxes.”

The growing number of these complicated reviews is expected to significantly increase the TSA’s workload in the coming months, and the agency doesn’t have enough staff to handle it. The TSA is asking Congress for an extra $10.4 million to hire the necessary workers.

The TSA moved quickly to build up its cybersecurity workforce after introducing new regulations, but Pekoske’s comments suggest that without congressional action, the agency could be buried under a backlog of paperwork, leaving it unable to spot weaknesses in transportation companies’ digital security plans.

While he’s concerned about a staffing shortage, Pekoske is also excited about how the plans submitted to the TSA are generating creative ideas for protecting companies from hackers. If one company has a really interesting proposal for complying with one of the TSA’s requirements, the agency will forward it to the rest of the community. And Pekoske said the TSA is also exploring ways to show companies how their performance in meeting specific requirements compares to the rest of their sector.

Pekoske said the TSA is “a little over halfway through” reviewing pipeline owners’ cybersecurity assessment plans. “What we see is, by and large, pretty good,” he said.

In an interview conducted shortly before he took the stage at DEF CON to pitch a room full of hackers on the need to help the government with cybersecurity, Pekoske explained why he and his staff were there in the first place. Given the TSA’s mission to protect vital infrastructure, he said, “what better group... to come and talk to than people that know how to hack [these] systems?”

Indeed, an entire “village” at DEF CON was devoted to discussing cybersecurity weaknesses in the industrial control systems that power infrastructure like pipelines and railroads.

Pekoske visited that village on Saturday to announce a new project to build technology that can test equipment used in the transportation sector for cyber vulnerabilities. His request to DEF CON attendees: Help us identify the most dangerous hacking scenarios to test for.

After conducting simulations based on those scenarios, “we'll get a good assessment, as will the companies, as to how prepared we really are,” Pekoske said.

Prevention is obviously a key goal, but Pekoske noted that being able to withstand intrusions is just as important. “You have to plan for the fact that a threat actor might be partially successful in attacking your system.”

The TSA’s approach to cybersecurity regulation offers important lessons for other agencies that are planning —or, in the case of the Environmental Protection Agency, struggling with— rules for the companies they oversee.

To build support for its rules, the TSA partnered with the intelligence community to give pipeline company CEOs a classified threat briefing. Executives told the agency that they found it very helpful to understand the impetus for the new rules. The briefings also prepared the CEOs for when their cyber executives came to them with budget requests. And Pekoske said the TSA learned valuable information about how the companies operated.

Asked what advice he’d give his fellow regulators as they considered cyber rules, Pekoske emphasized the need to build trust, citing the “incredibly helpful” briefings as well as the TSA’s practice of regularly visiting companies to understand the challenges they face.

The TSA continues to update its mandates, having issued a new version of its pipeline regulations in July. Pekoske said the agency plans to issue a more formal long-term rule covering pipelines and rail infrastructure “sometime toward the end of this calendar year.”