

TSA to require air, rail operators to report cybersecurity incidents

DHS secretary announces security directives as part of bigger push for transportation sector

Cargo and passenger airlines will have to report cybersecurity incidents under a forthcoming TSA directive. (Photo: Jim Allen/FreightWaves)

U.S. rail and air operators will be required to report cybersecurity incidents under new Transportation Security Administration rules, Homeland Security Secretary Alejandro Mayorkas said on Wednesday.

TSA will issue directives later this year that will apply to “higher-risk railroad entities,” passenger and all-cargo airlines, and airport operators. The directives will require the appointment of cybersecurity coordinators, while rail entities will need to have contingency and recovery plans as well.

Mayorkas announced the new measures at the virtual Billington Cybersecurity Summit as ransomware attacks continue to proliferate across multiple industries. 

“Ransomware attacks disrupted already-strained hospitals, schools, food suppliers and pipelines in addition to many other organizations that provide critical services,” he said. “These attacks revealed that what is at stake is not simply the way we communicate or the way we work, but the way we live.”


While the U.S. rail and aviation sectors have yet to experience the kind of catastrophic ransomware attack that hit Colonial Pipeline and meat processor JBS, the risks are very real.

CSX and short-line operator OmniTrax were targeted in attacks by ransomware gangs earlier this year, though the attacks did not cause any significant operational impact.

“Our freight rail system is essential not only to our economic well-being but also to the ability of our military to move equipment from ‘fort to port’ when needed,” Mayorkas said. 

Under the TSA directives, cybersecurity incidents will have to be reported to the Cybersecurity and Infrastructure Security Agency (CISA). 


Mayorkas said the TSA will take additional steps including the development of a “longer-term regime to strengthen cybersecurity and resilience in the transportation sector.”

The reporting requirements come amid a broader push for more transparency from companies targeted in ransomware attacks.

The Ransomware Disclosure Act, sponsored by U.S. Sen. Elizabeth Warren, D-Massachusetts, and U.S. Rep. Deborah Ross, D-North Carolina, would require victims to report ransomware payments within 48 hours of making them.


Nate Tabak

Nate Tabak is a Toronto-based journalist and producer who covers cybersecurity and cross-border trucking and logistics for FreightWaves. He spent seven years reporting stories in the Balkans and Eastern Europe as a reporter, producer and editor based in Kosovo. He previously worked at newspapers in the San Francisco Bay Area, including the San Jose Mercury News. He graduated from UC Berkeley, where he studied the history of American policing. Contact Nate at ntabak@freightwaves.com.