TSA Proposes Cybersecurity Requirements for Pipeline, Railroad Operators

The Transportation Security Administration is proposing new rules that would require high-risk pipeline and railroad operators to establish cybersecurity risk management programs.

The proposed rule builds on the cybersecurity requirements TSA has issued through annual safety directives in recent years. The agency first began establishing cybersecurity requirements for parts of the transportation sector following the 2021 Colonial Pipeline ransomware attack.

“TSA is working closely with its industry partners to strengthen the cybersecurity resiliency of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a statement. “The requirements in the proposed rule are intended to advance these collaborative efforts and further strengthen the cybersecurity posture of ground transportation stakeholders. We look forward to hearing from industry and the public on this proposed regulation.”

The requirements will apply to “high risk” owners and operators. The TSA estimates that the rule will affect “just under” 300 ground transportation owners and operators.

These include 73 freight railways; 34 public transport lines and passenger railways; 71 off-road bus owners and operators; and 115 pipeline facilities and systems regulated by the Pipeline and Hazardous Materials Safety Administration.

The proposed rule would require “higher risk” owners and operators to establish and maintain cyber risk management programs consistent with the National Institute of Standards and Technology’s cybersecurity framework.

They will also be required to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of detection. TSA maintains in its rulemaking that the proposed regulation is consistent with CISA’s proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) provisions, which are scheduled to be completed next year.

Trump’s influence?

The Biden administration has pushed to establish minimum cybersecurity standards for critical infrastructure sectors. But it is unclear whether President-elect Donald Trump and his administration will implement the TSA’s proposed rule and similar regulatory measures.

Although Trump’s official platform calls for a reduction in “costly and burdensome regulations” overall, the section on critical infrastructure also promises to “not only raise security standards for our critical systems and networks, but also protect them from attackers.”

Regulatory harmonization

The TSA’s proposed rule also hints at “regulatory harmonization.” It refers to efforts backed by both congressional Republicans and the Biden administration to streamline and simplify cybersecurity rules while reducing the burden on industry and other regulated entities.

“TSA emphasizes its commitment to regulatory harmonization and streamlining and notes that this proposed rule, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, NIST Standards and Best Practices, and CISA (Cyber Security Objectives), is consistent with such priorities,” the agency’s rulemaking states. “TSA also acknowledges the ongoing rulemaking by other components of DHS, including the ongoing development of maritime cybersecurity rules and the implementation of CIRCIA.”

However, TSA also notes that its “experience” with security requirements to date, as well as feedback from owners and operators, “indicate that complete harmonization is not possible,” according to the rule.

“Even within the transportation sector, there are issues with different modes of transportation, varying physical controls by other agencies that support defense in depth measures, and other factors that must be considered,” the TSA said in its proposed rules.

For example, TSA points to “out-of-the-box” requirements that could make implementing multi-factor authentication on industrial control workstations “impractical.”

“While TSA believes that differences in cybersecurity requirements may be intentional based on differences in specific sectors, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate,” the agency adds.

Comments on the TSA proposed rule are due February 5.

© Federal News Network, 2024.