Skip to main content

Surface Transportation: TSA Is Taking Steps to Enhance Cybersecurity, but Additional Actions Are Needed

GAO-25-107947 Published: Nov 19, 2024. Publicly Released: Nov 19, 2024.
Jump To:

Fast Facts

Cyberattacks can disrupt the transportation systems that many people and businesses rely on, like mass transit and freight rail. The TSA is responsible for protecting the nation's transportation sector.

We testified about our work on TSA's efforts to address cybersecurity issues. For example, TSA has taken steps to bolster its cybersecurity workforce and meet workforce needs. But TSA could do more to reduce risks from ransomware attacks—which can make operating software unusable until a ransom is paid. TSA also needs to develop ways to measure the effectiveness of its efforts to combat such attacks.

Pattern of locks and code

Skip to Highlights

Highlights

What GAO Found

The Transportation Security Administration (TSA)—a component within the Department of Homeland Security (DHS)—is responsible for security in the nation's transportation systems. To fulfill that responsibility, TSA has statutory authority to issue security directives imposing requirements on industry without providing notice or the opportunity for public comment.

In July 2021, GAO reported that in May 2021, TSA began issuing security directives pursuant to this authority in response to a ransomware attack on a U.S. pipeline company. TSA has issued, revised, and extended five security directives requiring various actions to mitigate cyber threats in the freight rail, passenger rail, and pipeline modes. According to TSA, it has done so with industry feedback and federal oversight approval.

In November 2024, TSA issued a notice of proposed rulemaking that, according to TSA, builds on the agency’s performance-based cybersecurity requirements issued via security directives since 2021. TSA stated that this rule proposes to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators.

In prior work, GAO identified various challenges to cybersecurity in the transportation systems sector. For example, in January 2024, GAO reported that ransomware was having increasingly devastating impacts in the sector and found that TSA’s security directives did not align with ransomware leading practices. GAO recommended that DHS determine the extent to which the transportation systems sector is adopting leading cybersecurity practices that help reduce the sector's risk of ransomware. As of November 2024, this recommendation was not yet implemented.

In addition, in December 2022, GAO found that TSA had taken steps to enhance the cybersecurity of internet-connected devices in the transportation systems sector. However, TSA had not developed metrics to measure the effectiveness of their efforts or conducted sector-wide cybersecurity risk assessments specific to these devices. GAO recommended that TSA develop a sector-specific plan that includes these metrics and include internet-connected devices in such sector-wide assessments. As of November 2024, these recommendations were not yet implemented.

Status of GAO Recommendations to DHS or TSA to Improve Surface Transportation Cybersecurity, as of November 2024

Status of GAO Recommendations to DHS or TSA to Improve Surface Transportation Cybersecurity, as of November 2024

Why GAO Did This Study

Surface transportation comprises multiple modes—freight rail, passenger rail, and pipelines—and moves billions of passengers and millions of tons of goods each year. Domestic and foreign adversaries likely will continue to threaten the integrity of our nation’s critical infrastructure, including the transportation systems sector. They perceive targeting these sectors would have cascading negative impacts on U.S. industries and citizens, according to a DHS threat assessment.

This statement discusses GAO’s portfolio of work on TSA’s efforts to enhance cybersecurity and its progress addressing prior GAO recommendations.

This statement is based on prior GAO reports issued from December 2018 through July 2024, along with selected updates on TSA’s efforts to enhance cybersecurity and its progress addressing previous GAO recommendations. For these reports and selected updates, GAO reviewed TSA documentation, analyzed data, and interviewed agency officials.

Recommendations

GAO made six recommendations to DHS or TSA to address cybersecurity issues related to the transportation systems sector in the reports covered by this statement. DHS or TSA concurred with all of them. As of November 2024, DHS or TSA implemented one recommendation, partially addressed one recommendation, and has not implemented four recommendations. GAO will continue to monitor the agency’s progress.

Full Report

GAO Contacts

David (Dave) Hinchman
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Critical infrastructureCritical infrastructure protectionCybersecurityHomeland securityLabor forceRisk managementSurface transportationTransportationTransportation systemsRail