The Transportation Security Administration (TSA) has unveiled a long-awaited proposal for cybersecurity mandates that would direct pipeline and railroad owners and operators to set up risk management programs and establish incident reporting protocols.
Through a notice of proposed rulemaking (NPRM) posted to the Federal Register on Nov. 7, TSA aims to build on the cybersecurity requirements it established in 2021 after the Colonial Pipeline ransomware attack by the Russia-linked criminal group DarkSide. That attack prompted a roughly week-long shutdown of Colonial's 5,500-mile East Coast pipeline system and a federal emergency declaration, disrupting the supply of gasoline, diesel, jet fuel and other petroleum-based products.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a statement. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
Following the Colonial Pipeline attack, TSA issued security directives that imposed binding cybersecurity requirements on the pipeline sector, replacing what had previously been voluntary guidelines; similar directives followed for freight and passenger rail. In late 2022, TSA sought public input on a rulemaking to establish cybersecurity standards for high-risk surface transportation modes. Because security directives are temporary measures that must be periodically renewed, the proposed rules unveiled this week would codify those mandates in permanent regulation.
The cybersecurity risk management (CRM) program outlined by TSA would require owners and operators to conduct an annual enterprise-wide cybersecurity evaluation measured against the rule's security outcomes; develop a cybersecurity operational implementation plan that identifies critical cyber systems and the measures protecting them in the event of an incident; and maintain a cybersecurity assessment plan that sets assessment schedules, produces annual assessment reports, and tracks vulnerabilities that remain unaddressed.
“Implementation of a CRM program, as described under the proposed rule, could help enhance the security of the regulated population by improving the owner/operator’s ability to identify, detect, protect against, respond to, and recover from cybersecurity incidents,” reads the proposal.
Under the proposed rules, cybersecurity incidents must be reported to the Cybersecurity and Infrastructure Security Agency (CISA), while physical security concerns are to be reported to TSA. In practice, that means regulated operators need two distinct reporting channels, with incident response plans that specify which agency receives which type of report.
TSA estimates the proposal will likely affect 73 freight railroads, 34 public transportation agencies and passenger railroads, and 115 pipeline facilities and systems. An additional 71 intercity bus operators would be required to report significant security concerns.
The proposal builds on existing cybersecurity guidance and standards from CISA and the National Institute of Standards and Technology (NIST), including the NIST Cybersecurity Framework and CISA's Cross-Sector Cybersecurity Performance Goals, which are intended to help organizations manage and reduce cybersecurity risk. CISA has nonetheless faced pushback, with many industry sectors voicing concern about regulatory overreach.
The proposed rule is also likely to be one of the Biden administration's final critical infrastructure cybersecurity initiatives before President-elect Donald Trump takes office. The incoming president's policy outline promises to "raise the security standards" for critical systems and networks.
Comments on the TSA proposal are due by Feb. 5, 2025.