Overview of Proposed Rules
The Transportation Security Administration (TSA) has proposed new, comprehensive rules aimed at improving cybersecurity across the United States’ critical transportation infrastructure. The rules, if enacted, will formalize and make permanent several temporary directives issued since the infamous ransomware attack on Colonial Pipeline in 2021. The primary goal of these rules is to mandate cyber incident reporting for pipelines, railroads, and, to a lesser extent, certain types of bus operators, ensuring a robust cyber risk management (CRM) plan is in place across these transportation sectors.
Background and Purpose of the Rule
Since the 2021 attack on Colonial Pipeline, TSA has recognized the need for more resilient cybersecurity policies. The attack, which resulted in a week-long shutdown of critical fuel pipelines along the East Coast, served as a wake-up call, highlighting the vulnerability of the nation’s infrastructure to cyber threats. TSA Administrator David Pekoske explained that the new rule builds on years of collaboration with industry partners, emphasizing the importance of a secure, well-coordinated approach to protecting critical infrastructure.
Strengthening Cybersecurity for Transportation Stakeholders
In his statement, Pekoske noted, “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders.” The TSA envisions this rule as a long-term commitment to cybersecurity, encouraging operators to adopt a proactive, systematic approach to cyber risk management.
Scope of the Proposed Rule
The proposed rule aims to regulate “certain pipeline and rail owner/operators,” while imposing somewhat less stringent requirements on specific bus operators. By taking a targeted approach, TSA intends to prioritize high-risk areas without overburdening smaller or lower-risk segments. The rule mandates the development of a CRM plan that includes three essential elements:
- Annual Cybersecurity Evaluations: Each year, affected organizations will need to conduct evaluations to assess their cybersecurity stance. This ongoing assessment will help identify vulnerabilities and track progress in addressing cyber threats.
- Independent Assessment Plans: These plans should identify any unaddressed vulnerabilities within the organization, and the assessments are to be conducted by individuals who have no personal or financial stake in the outcomes. This measure is designed to ensure objectivity in assessing the system’s cybersecurity needs.
- Operational Cybersecurity Implementation Plan: Organizations must establish an actionable plan that identifies individuals in charge of cybersecurity, describes the critical cyber systems in place, and details how these systems are protected against potential threats. This plan should outline measures for detecting cyberattacks, as well as procedures for response and recovery from such incidents.
Reporting Cyber Incidents
As part of the proposed rule, organizations are required to report cyber incidents directly to the Cybersecurity and Infrastructure Security Agency (CISA). This reporting is intended to improve the collective understanding of cybersecurity threats across industries, allowing CISA to better assess national risk levels and respond accordingly.
Industry Costs and Implementation Timeline
Implementing these measures will come at a considerable cost, both to the industry and to TSA. The agency estimates that the cost of implementation and oversight will reach approximately $2.1 billion over the next decade. This financial impact will be felt by a wide range of transportation operators, including about 300 surface transportation owners and operators, 73 freight railroads, 34 public transportation agencies, 71 over-the-road bus operators, and 115 pipeline facilities. The scale of these efforts reflects the breadth of the transportation sector’s role in the nation’s critical infrastructure.
Formalizing Security Directives
TSA spokespersons noted that formal rules undergo a much longer rollout and comment period compared to the emergency security directives issued in response to immediate threats. The proposed rule reflects a performance-based, adaptable approach to cybersecurity, allowing operators to tailor solutions that fit their specific operational needs while addressing evolving cyber threats.
Industry Feedback and Flexible Implementation
The agency has already consulted with industry stakeholders and is accepting further input from regulated industries until February 5. TSA has expressed a willingness to consider industry feedback to ensure that the final rule is both practical and effective. A TSA spokesperson emphasized the unique challenges posed by nation-state actors, which have necessitated quick action to protect critical systems. The agency continues to refine its requirements to balance security needs with operational feasibility, offering operators the flexibility to build customized defenses that suit their specific infrastructure.
Challenges and Past Industry Pushback
In 2022, TSA’s initial security directives faced criticism from industry stakeholders who argued that the measures were overly prescriptive. According to some experts, the directives included “an alphabet soup of buzzwords” like zero trust and MFA (multi-factor authentication), which did not necessarily apply to all environments within the transportation sector. TSA has since made efforts to incorporate industry feedback and increase flexibility, aiming to create a more collaborative framework that meets both security and operational requirements.
Response to Ongoing Cyber Threats
The Colonial Pipeline ransomware attack marked a turning point in TSA’s approach to cybersecurity. Since the attack, TSA has issued multiple directives and worked closely with industry stakeholders to create a more resilient cyber infrastructure. The agency’s efforts are rooted in the understanding that cyber threats to surface transportation are not just an immediate concern but an ongoing and evolving risk. Both nation-state actors and criminal cyber groups have increasingly targeted critical infrastructure, seeking to disrupt operations and cause economic damage.
Conclusion: The Future of Cybersecurity in Transportation
TSA’s proposed rule underscores the agency’s commitment to a resilient cybersecurity framework for the transportation sector. By mandating incident reporting and CRM program development, TSA aims to address the escalating cyber threats to critical infrastructure, especially those posed by sophisticated nation-state actors like Russia and China. The agency has taken a measured approach to cybersecurity, balancing the need for robust defenses with the realities of diverse transportation networks. As TSA continues to solicit input and refine its approach, the new rule represents a significant step forward in protecting the nation’s critical infrastructure from cyber threats.
Source: TheRecord.media