TSA releases proposed cyber rule for pipelines, railroads

TSA's proposed cybersecurity regulation aims to ensure "higher-risk" pipelines and railways are defended from cyber attacks.

The Transportation Security Administration is proposing new regulations that would require high-risk pipeline and railroad operators to establish cybersecurity risk management programs.

The proposed rule builds on cybersecurity requirements TSA has issued via annual security directives in recent years. The agency first moved to establish cybersecurity requirements for parts of the transportation sector in the wake of the 2021 Colonial Pipeline ransomware attack.

“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a statement. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”

The requirements would apply to “higher-risk” owners and operators. TSA estimates the rule would impact “just under” 300 surface transportation owners and operators.

That includes 73 freight railroads; 34 public transportation and passenger railroads; 71 over-the-road bus owners and operators; and 115 pipeline facilities and systems regulated by the Pipeline and Hazardous Materials Safety Administration.

The proposed rule would require those “higher risk” owners and operators to establish and maintain cyber risk management programs in line with the National Institute of Standards and Technology Cybersecurity Framework.

It would also require them to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of identification. TSA in the rulemaking argues its proposed regulation dovetails with CISA’s proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) regulations, which are slated to be finalized next year.

Trump’s impact?

The Biden administration has pushed to establish minimum cybersecurity standards for critical infrastructure sectors. But it’s unclear whether President-elect Donald Trump and his administration would carry forward TSA’s proposed rule and similar regulatory efforts.

While Trump’s official platform calls for cutting “costly and burdensome regulations” generally, a section on critical infrastructure also pledges to “both raise the security standards for our critical systems and networks and defend them against bad actors.”

Regulatory harmonization

TSA’s proposed rule also nods to “regulatory harmonization.” That refers to a push backed by both congressional Republicans and the Biden administration to streamline and simplify cybersecurity regulations while reducing burdens on industry and other regulated entities.

“TSA emphasizes its commitment to regulatory harmonization and streamlining, and notes that this proposed rule, which is grounded in NIST’s Framework for Improving Critical Infrastructure Cybersecurity, NIST’s standards and best practices, and the CISA [cyber performance goals], is consistent with such priorities,” the agency’s rulemaking states. “TSA also acknowledges the ongoing rulemakings of other DHS components, including ongoing rulemakings on cybersecurity in maritime transportation and implementation of CIRCIA.”

However, TSA also notes that its “experience” with security requirements to date as well as feedback from owners and operators “indicates that complete harmonization is not possible,” according to the rule.

“Even within the transportation sector, there are modal operational issues, different physical controls by other agencies that support defense-in-depth measures, as well as other factors that must be considered,” TSA’s proposed rule states.

For instance, TSA points to “ready access” requirements that can make implementing multifactor authentication on industrial control workstations “inadvisable.”

“While TSA believes differences in cybersecurity requirements may be intentional based on sector-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate,” the agency adds.

Comments on TSA’s proposed rule are due Feb. 5.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
