Pendulum swings! TSA’s evolution of surface transportation security

For more than 23 years, TSA has been best known for its aviation security, but the agency's pendulum is strongly swinging with the evolution of TSA's surface transportation efforts.

"TSA is probably always going to be primarily an aviation organization, because there are over 400 federalized airports, and the 9/11 attack on our nation led to the creation of TSA," said TSA Surface Operations Assistant Administrator (AA) Sonya Proctor. "It will be hard to get away from that, but probably since around 2015, there's been a significant focus on the work we do with surface. Given that, aviation will, I'm sure, always be a significant part of TSA's transportation focus."

According to the National Strategy for Transportation Security, mass transit and passenger rail move 34 million passengers every day across the U.S. with over 6,800 train systems throughout the country.

"Most people think of places like Amtrak, New York's Metropolitan Transportation Authority (MTA), Los Angeles MTA and MARTA in Atlanta when they think about surface. They move millions of people and have brought a lot of visibility to surface transportation," Proctor said. "We've had opportunities to work directly with those systems. Many of their security practices have been very forward leaning."

Unlike airports, TSA does not provide security for public transit. Proctor emphasized agencies like New York MTA, MARTA and Amtrak oversee their own security efforts. However, a large majority of TSA's security oversight efforts in surface transportation is derived around non-regulatory programs such as assessments, exercises, training and other industry engagement initiatives.

Despite the potential threats, Proctor believes the nation's surface transportation system is very safe due to the ongoing collaboration between TSA and the agency's transportation security partners in industry.
Security oversight, regulations

May 7, 2021, is a significant date in transportation history that severely swung the pendulum, particularly for surface transportation cybersecurity, especially in the pipeline industry.

That's the day a ransomware attack on a major pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.

"This major pipeline went down for a number of days, and people did things that were incredibly unsafe," Proctor recalled. "People were afraid they wouldn't be able to get gasoline."

As a result, TSA issued its first in what would be a series of cybersecurity Security Directives, starting with the pipeline industry and eventually moving to passenger and freight rail.

"Security Directives (SDs) function as regulations," explained Proctor. "The pipeline, freight and passenger rail atmosphere have extensive, complicated operating technology systems, and these systems are under constant threat from adversaries."

Proctor said highway trucking systems don't have the same types of operating technology and aren't targeted in the same manner as mass transit, rail and pipeline. Although, she said TSA is always evaluating the threats and vulnerabilities on transportation technology.

"The threat to operating technology is a sophisticated threat," Proctor noted. "It's a threat we know that our nation state adversaries are capable of carrying out. We know where our attention really needs to be, particularly in industries like pipeline. It's a national security issue and an economic issue for our country. It's also an issue for our way of life."

Historically, especially prior to the onset of SDs in 2021, Proctor said TSA performed what the agency now calls "structured oversight" without direct industry regulations. The agency was mostly involved in training, exercises, engaging with surface transportation operators across the country and assessing their security, practices TSA continues.

"None of these were required, but we built trusted relationships where we could go in and conduct these assessments, have a presence and provide recommendations to them on how they can increase their security without regulations."
Cybersecurity

When asked what she feels is TSA Surface's top accomplishment since the agency created a Surface Operations Division in 2019 , Proctor quickly replied, "the development of our cybersecurity capacity."

"Cybersecurity is likely the most widely known accomplishment of Surface Operations," she said. "No one ever thought Surface would be the lead within TSA for cybersecurity. That's indicative of the current threat."

As TSA continues to evolve its surface transportation security efforts, Proctor emphasized the importance of staying ahead of emerging threats.

"Cybersecurity is the area we really have to monitor over the next number of years," she warned. "It's continuously evolving, and AI is creating a very different environment. We have developed an incredible team of cyber experts and now have them out in the field. We have them in all five of our regions."

TSA also has an expert cybersecurity group supporting the field and partnering with other agencies, including the DHS Cybersecurity and Infrastructure Security Agency.

"They're like a think tank because of the level of expertise they have," said Proctor.

TSA's shift in focus toward surface transportation cybersecurity marks a significant evolution in the agency's mission. As the threat landscape continues to evolve, TSA remains committed to enhancing security practices and staying ahead of emerging threats.

By Don Wagner, TSA Strategic Communications & Public Affairs