United States: Surface Transportation Addresses Global Cybersecurity Risks And Potential Safety Impacts

Recent Executive Order Affects Transit, Rail and Autonomous Vehicles

Norma Krayem is a Senior Policy Advisor in Holland & Knight's Washington D.C. office


  • On May 15, 2019, the White House issued a new national security Executive Order (EO) focused on Information and Communications Technology (ICT) and Services Supply Chain, which impacts all modes within the transportation sector.
  • The U.S. Department of Homeland Security's (DHS) new National Critical Functions list highlights the functions in the U.S. most at risk of cybersecurity attacks and includes every mode of transportation.
  • The Transportation Security Administration's (TSA) Cybersecurity Roadmap makes clear that TSA has the statutory authority to regulate the transportation sector for cybersecurity.
  • Members of Congress are expressing serious concerns over cybersecurity risks to the transportation sector, with specific concerns about a foreign state-owned enterprise (SOE) entering the mass transit market in key U.S. cities.

"Infrastructure Week" just celebrated the pivotal role that the transportation sector plays in our national and economic security, facilitating the movement of people and goods around the world and keeping the global economy running. The transportation sector has always prioritized both safety and security, and as a result it is one of the safest systems in the world, well known for its technological innovation and intelligent transportation systems. However, as with all other sectors, increased connectivity means increased cyber risk. Compounding this vulnerability, the transportation sector remains one of the few critical infrastructure (CI) sectors[1] that does not have cybersecurity mandates or regulations similar to those other CI sectors have seen over the last 10 years. Cybersecurity risks are ever-present, and a large-scale paradigm shift is needed to broaden the awareness and understanding of what safety and security mean in today's world. In the last few months, the White House, the U.S. Department of Homeland Security (DHS) and Congress have begun raising concerns about these issues.

This is the third article focusing on cybersecurity risk to the transportation sector. Previous alerts focused on aviation cybersecurity and pipeline cybersecurity. (See Holland & Knight alerts, "New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements," Dec. 10, 2018, and "New TSA Cybersecurity Roadmap States Specific Requirements for Pipeline Industry," Dec. 14, 2018.)

Information and Communications Technology (ICT) and Services Supply Chain: New Cybersecurity Risks to the Transportation Sector

Technological innovation has always been the cornerstone of the transportation sector, bringing increased safety, physical security and efficiency. At the same time, the sector's increasing reliance on ICT and services underpins onboard technology, third-party vendor software and hardware, and the rapid integration of autonomous systems. This is revolutionizing the transportation sector, but it brings cybersecurity risk as well.

On May 15, 2019, the White House issued a new national security Executive Order (EO) focused on the Information and Communications Technology (ICT) and Services Supply Chain, which will have cascading effects for transportation as well as other sectors.[2] The EO covers broad-based ICT and supply chain risk, encompassing 5G issues, and is much more than just a Huawei ban. It authorizes the federal government to prohibit ICT and services transactions involving any entity that is "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary," and it will impact every mode of transportation, including aviation, transit, rail, maritime, trucking, autonomous vehicles and drones, among others.

DHS Defines National Critical Functions: Mass Transit, Rail and Autonomous Vehicles Covered

The transportation sector carries hundreds of millions of passengers and millions of tons of cargo per year and must address cybersecurity risks to its underlying operations. Building on the CI framework, DHS recently finalized a list of "National Critical Functions" (Functions) that are at the greatest risk of cybersecurity attacks: functions "so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."[3]

As a result, it is not surprising that the list of Functions encompasses all modes of transportation: mass transit, freight rail, the movement of passengers and goods by aviation/air cargo, the movement of passengers and cargo via highway (covering trucking, passenger vehicles and autonomous vehicles), pipelines, and the movement of passengers and cargo by vessels (including cruise ships and cargo vessels). The list of Functions makes it explicit that mass transit and rail, as well as the movement of passengers and goods (via trucking, passenger vehicles including autonomous vehicles, and vessels), are considered at risk. It also includes functions that the sector relies on every day to operate, such as electricity, information technology products and services, satellite services, and positioning, navigation and timing (PNT) services.

While transportation has always been on the list of CI sectors, some modes have argued that it was not truly part of the definition of "critical infrastructure." DHS has settled that debate by listing specific transportation functions on the National Critical Functions list and has indicated that it will ensure these sectors are secure, including using its regulatory authority if need be.

Cybersecurity vs. Safety vs. Physical Security

Safety and security functions were separated after 9/11, when Congress created the Transportation Security Administration (TSA) in the Aviation and Transportation Security Act.[4] TSA assumed security oversight, although primarily physical security, for all modes of transportation, with safety left to the U.S. Department of Transportation (DOT). The Implementing Recommendations of the 9/11 Commission Act of 2007 later expanded TSA's surface transportation security responsibilities.

In 2013, the need to focus on cybersecurity risk came into focus with White House Cybersecurity Executive Order 13636, issued along with Presidential Policy Directive 21 (PPD-21). DHS was directed to assist "critical infrastructure owners and operators . . . to take proactive steps to manage risk and strengthen the security and resilience of the Nation's critical infrastructure."[5]

From 2013 until late 2018, cybersecurity risks within the transportation sector were primarily addressed in a voluntary public-private partnership model. That ended with the release of the TSA Cybersecurity Roadmap in December 2018.

It is noteworthy that the TSA Cybersecurity Roadmap made clear that TSA has statutory authority to address cybersecurity across the seven modes of the Transportation Systems Sector (TSS)[6] it oversees, including highway and motor carrier (which covers autonomous vehicles and trucks), mass transit and passenger rail, and freight rail. Prior to this, no agency was clearly in charge of cybersecurity for the sector; the Roadmap states that TSA will "utilize its statutory and regulatory authorities to ensure the resilience of the TSS." It builds on the December 2017 White House National Security Strategy, which also expressed clear concerns over cyber risk to six particular sectors, one of which was transportation, specifically the aviation, surface and maritime modes.[7]

Congressional Concerns Raised Over Gaps in Cybersecurity Oversight and the Rise of Foreign State-Owned Enterprises

Congressional concern over the cyber posture of the transportation sector, including transit and rail, has grown sharply in just the last year. Since 2018, concern has been mounting in Congress and the executive branch over a foreign SOE quickly winning key mass transit contracts in key U.S. cities. Mass transit systems are owned and operated by local governmental bodies that procure rail/transit cars and long-term operation and maintenance contracts through traditional public procurements. As in other modes, sophisticated manufacturing, computerized functions and key ICT underpin transit and increasingly include passenger Wi-Fi, all areas that require in-depth cybersecurity protections. Congress has raised questions over the safety and cybersecurity of any transit/rail cars manufactured by a foreign SOE, as well as the lack of sufficient cybersecurity requirements in public procurements by state and local governments. At the same time, the last two years have seen an increase in successful cyberattacks on state and local governments, including transit systems and, in several cases, the cities themselves.

In 2018, Congress included a mandate in P.L. 115-232, the John S. McCain National Defense Authorization Act (NDAA), directing DHS and the U.S. Department of Defense (DOD) to assess and report to Congress the "national security risks, if any, related to investments in the United States by state-owned or state-controlled entities in the manufacture or assembly of rolling stock or other assets for use in freight rail, public transportation rail systems, or intercity passenger rail systems."[8]

On Feb. 26, 2019, the House Homeland Security Committee held a hearing on "Securing U.S. Surface Transportation from Cybersecurity Attacks," at which these concerns were raised. Then, on May 16, 2019, the House Transportation and Infrastructure Committee held a hearing, "The Impacts of State-Owned Enterprises on Public Transit and Freight Rail Sectors."

Expect Congressional Actions and Potential Regulations to Address the Risk

As with DHS, increased Congressional focus on the sector signals a major shift in oversight and potentially new regulations to replace the industry's previous voluntary measures for addressing cyber risk. Congress is taking more direct action and has included language in various pending bills to prohibit transit and rail systems from doing business with the SOE. Federal agencies are stepping in to provide security briefings that make the cybersecurity and national security risks clear to state and local elected officials.

The release of the DHS National Critical Functions list covering all modes of transportation, coupled with the issuance of the TSA Cybersecurity Roadmap, makes clear that cybersecurity risks to the transportation industry must be addressed. The sector should therefore expect potential regulations or security directives in the near future, along with increasing restrictions designed to protect the modes from cybersecurity threats.[9] At the same time, the European Union and other nations around the world are also contemplating new regulations, so it is incumbent on the industry to work together quickly to address the risk and to seek global harmonization of whatever new regulations may be on the horizon.

As with all technological innovation, cybersecurity is the No. 1 risk that has to be evaluated and addressed on an ongoing basis. However, cybersecurity risk in this sector is much more than the serious risk of data loss or data compromise; it is about protecting the operations of the underlying system from cyberattacks that can have physical and operational consequences.


1. Critical Infrastructure sectors are defined as the key sectors in the U.S., and include: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation; and water and waste water systems.

2. White House Executive Order on "Securing the Information and Communications Technology and Services Supply Chain," May 15, 2019

3. DHS National Critical Functions

4. P.L. 107-71

5. Presidential Policy Directive 21: Critical Infrastructure Security and Resilience, Feb. 13, 2013

6. TSS covers aviation, highway and motor carrier, maritime, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping

7. National Security Strategy of the United States, December 2017

8. P.L. 115-232, Section 217 (b) (1)

9. "Securing U.S. Surface Transportation from Cyber Attacks," testimony of Sonja Proctor, Transportation Security Administration before the House Homeland Security Committee, Feb. 26, 2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
