Surface Transportation: TSA Is Taking Steps to Enhance Cybersecurity, but Additional Actions Are Needed
Fast Facts
Cyberattacks can disrupt the transportation systems that many people and businesses rely on, like mass transit and freight rail. The TSA is responsible for protecting the nation's transportation sector.
We testified about our work on TSA's efforts to address cybersecurity issues. For example, TSA has taken steps to bolster its cybersecurity workforce and meet workforce needs. But TSA could do more to reduce risks from ransomware attacks—which can render operating systems and data unusable until a ransom is paid. TSA also needs to develop ways to measure the effectiveness of its efforts to combat such attacks.
Highlights
What GAO Found
The Transportation Security Administration (TSA)—a component within the Department of Homeland Security (DHS)—is responsible for security in the nation's transportation systems. To fulfill that responsibility, TSA has statutory authority to issue security directives imposing requirements on industry without providing notice or the opportunity for public comment.
In July 2021, GAO reported that in May 2021, TSA began issuing security directives pursuant to this authority in response to a ransomware attack on a U.S. pipeline company. TSA has issued, revised, and extended five security directives requiring various actions to mitigate cyber threats in the freight rail, passenger rail, and pipeline modes. According to TSA, it has done so with industry feedback and federal oversight approval.
In November 2024, TSA issued a notice of proposed rulemaking that, according to TSA, builds on the agency’s performance-based cybersecurity requirements issued via security directives since 2021. TSA stated that this rule proposes to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators.
In prior work, GAO identified various challenges to cybersecurity in the transportation systems sector. For example, in January 2024, GAO reported that ransomware was having increasingly devastating impacts in the sector and found that TSA’s security directives did not align with ransomware leading practices. GAO recommended that DHS determine the extent to which the transportation systems sector is adopting leading cybersecurity practices that help reduce the sector's risk of ransomware. As of November 2024, this recommendation was not yet implemented.
In addition, in December 2022, GAO found that TSA had taken steps to enhance the cybersecurity of internet-connected devices in the transportation systems sector. However, TSA had not developed metrics to measure the effectiveness of its efforts, nor had it conducted sector-wide cybersecurity risk assessments specific to these devices. GAO recommended that TSA develop a sector-specific plan that includes such metrics and that it include internet-connected devices in its sector-wide risk assessments. As of November 2024, these recommendations were not yet implemented.
Figure: Status of GAO Recommendations to DHS or TSA to Improve Surface Transportation Cybersecurity, as of November 2024
Why GAO Did This Study
Surface transportation comprises multiple modes—freight rail, passenger rail, and pipelines—and moves billions of passengers and millions of tons of goods each year. Domestic and foreign adversaries likely will continue to threaten the integrity of our nation’s critical infrastructure, including the transportation systems sector. According to a DHS threat assessment, these adversaries perceive that targeting such sectors would have cascading negative impacts on U.S. industries and citizens.
This statement discusses GAO’s portfolio of work on TSA’s efforts to enhance cybersecurity and its progress addressing prior GAO recommendations.
This statement is based on prior GAO reports issued from December 2018 through July 2024, along with selected updates on TSA’s efforts to enhance cybersecurity and its progress addressing previous GAO recommendations. For these reports and selected updates, GAO reviewed TSA documentation, analyzed data, and interviewed agency officials.
Recommendations
GAO made six recommendations to DHS or TSA to address cybersecurity issues related to the transportation systems sector in the reports covered by this statement. DHS or TSA concurred with all of them. As of November 2024, DHS or TSA had implemented one recommendation, partially addressed one recommendation, and had not implemented four recommendations. GAO will continue to monitor the agency’s progress.