Cybersecurity

Federal transportation officials aim to ‘bridge gaps’ in OT cybersecurity

In a post-Colonial Pipeline world, DOT and TSA leaders say they’re pursuing a cross-sector approach to protecting operational technology.

By Matt Bracken

December 4, 2024

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

Katherine Rawls, the Department of Transportation's director of sector cyber engagement, participates in a Scoop News Group-produced GDIT event on Dec. 3, 2024, in Washington, D.C. Also pictured are John Garstka, left, cyber warfare director at DOD's Office of the Under Secretary of Defense for Acquisition & Sustainment, Dr. Matthew Rogers, right, industrial control systems expert at CISA, and Dr. Emma Stewart, second from right, chief power grid scientist & research strategist at the Idaho National Laboratory. (Scoop News Group photo)

From supporting aircraft systems to ensuring railway signals don’t falter, the operational technology that underpins transportation networks across the country is critical to daily life — and highly vulnerable to threats.

For Katherine Rawls, director of sector cyber engagement at the Department of Transportation, acknowledging that reality sparks various debates on how to meet those challenges head on.

“We’re talking about preserving the safety and reliability of OT systems that millions rely on daily,” Rawls said. “So we’re focused on, how do we integrate cybersecurity into all hazards safety management systems? How do we bridge gaps … between the cybersecurity and safety community?”

Speaking Tuesday at a Scoop News Group-produced General Dynamics Information Technology event, Rawls and other federal cyber officials wrestled with those questions, zeroing in specifically on the importance of a cross-sector approach to OT safety and how various innovations can help bolster critical infrastructure security protections.

At the Department of Transportation, Rawls is part of a new office that’s looking at a “one DOT approach” that assesses cyber risks within the agency and with external partners. Part of that approach includes plenty of coordination with the Department of Homeland Security, which along with DOT are designated as Co-Sector Risk Management Agencies for the Transportation Systems Sector.

Together, DOT and DHS are identifying various risks across the transportation sector, and then figuring out how to “collaboratively develop resources to help support the very small to medium to large enterprises across transportation that support systems that we rely on daily,” Rawls said.

DOT is prioritizing more collaboration across agencies, with Rawls citing specific partnership work with the Cybersecurity and Infrastructure Security Agency, the U.S. Coast Guard and the Transportation Security Administration. She also pointed to the development of procurement guidance by DOT, the Department of Energy and its national labs.

That guidance, which details how to best integrate cybersecurity measures with electric vehicle supply equipment procurements, is an example of “tangible benefits from working together across sectors that we see with transportation,” Rawls said.

Kristin Ruiz, TSA’s deputy chief information officer, said during a separate panel discussion that there is a cultural challenge in working through partnerships when it comes to “getting folks to understand that their operational technology … is a key component” of that collaboration. It’s hugely important, she added, to make sure that TSA’s partners are implementing baseline cybersecurity requirements “from the very beginning.”

Cybersecurity standards are especially important to the agency now as it pursues a major open architecture initiative at TSA checkpoints, which Ruiz said would “drive innovation” and “reduce defender lock-in.” TSA’s IT leaders are also working on an OT cybersecurity assessment prototype that will enable the agency to do automated testing on systems and “ultimately limit the impact to OT.”

Much of the TSA’s OT-related work in recent years has been informed by the 2021 ransomware attack on Colonial Pipeline, which led to the agency’s call for more cybersecurity mandates on pipeline owners. Last month, the TSA built on those initial calls by issuing in a notice of proposed rulemaking a sweeping set of cyber requirements for pipelines, rail operators and airlines.

“We really documented and defined our cybersecurity requirements for the OT space, and we put those out to our partners in those industries, and we brought them in and worked with them,” Ruiz said. “And we’ve done that in a collaborative way.”

At a minimum, Ruiz and Rawls are hopeful that the collaborative approach with transportation industry partners will ensure that cybersecurity basics are followed and OT systems have better protections going forward.

“One of our key priorities is to really emphasize the remaining importance of cybersecurity self-assessments, understanding your cybersecurity posture, doing risk assessments, prioritizing mitigating the highest risk,” Rawls said. “So it’s not novel, but we want to underscore that as something that really helps.”