TSA makes changes to new cyber requirements after industry feedback

The Transportation Security Administration is softening the deadlines on new cybersecurity requirements for major passenger and freight rail operators, as the agency’s leader said it learned from efforts earlier this year to begin regulating the cybersecurity of the pipeline sector.

TSA is expected to issue the new security directives for major railroad and rail transit entities in the coming weeks. The requirements include designating a cybersecurity coordinator, reporting cyber incidents to the Cybersecurity and Infrastructure Security Agency, conducting a cyber vulnerability assessment and developing an incident response plan, according to TSA Administrator David Pekoske.

“We’re looking at the entities that transport the largest number of passengers and the largest volume of cargo through the nation’s most populated metropolitan areas,” Pekoske said during a Nov. 18 meeting of the Surface Transportation Security Advisory Committee.

A security directive carries the weight of “essentially a regulation,” Pekoske said.

Additionally, TSA will issue an information circular that provides recommendations, rather than requirements, for the remaining rail, public transportation and bus operators. Pekoske said the recommended actions will be similar to the requirements in the security directives.

After Colonial Pipeline shut down in the aftermath of a ransomware attack in May, TSA issued two emergency security directives to the pipeline industry. The directives required pipeline owners and operators to designate a cybersecurity coordinator, report cyber incidents to CISA within 12 hours, implement basic hygiene measures, develop contingency plans in the event of a cyber attack and subject their systems to vulnerability testing.

The pipeline security directives have received some pushback from companies and GOP lawmakers, who argue TSA developed the requirements without consulting industry. Senate Homeland Security and Governmental Affairs Committee Ranking Member Rob Portman (R-Ohio) and several GOP colleagues have asked the Department of Homeland Security Office of the Inspector General to investigate the development of the pipeline directives.

“We believe that care must be taken to avoid unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance,” the senators wrote in an Oct. 28 letter to the DHS OIG. “Unfortunately, we have received reports that TSA and CISA failed to give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible.”

For the forthcoming railroad and rail transit directives, Pekoske said TSA incorporated recent industry feedback. For instance, the agency extended the incident reporting requirement from 12 to 24 hours, and the deadline to complete an incident response plan from 60 days to six months.

And unlike the pipeline directives, the rail and railroad directives will be public documents, Pekoske said.

“We want it to be publicly known the measures that we intend to take,” he said.

TSA will also give companies some flexibility in implementing the requirements in the new directives after some pipeline companies faced challenges in meeting this summer’s directives, Pekoske said.

He said the agency will allow companies to defer some lower priority requirements past the deadlines, provided the company has an action plan to complete those processes. TSA will also allow companies to submit “alternative measures” to the cybersecurity activities laid out in the requirements, so long as they achieve the same security outcome, he said.

“I appreciate that flexibility, and we will certainly apply that flexibility as we continue to improve the overall cybersecurity of surface transportation,” Pekoske said.

The new rail and rail transit directives are part of a broader “sprint” at DHS to elevate the cybersecurity of the transportation sector. In October, DHS Secretary Alejandro Mayorkas said TSA would also update its aviation security program by requiring critical U.S. airport operators, passenger aircraft operators and all-cargo aircraft operators to designate a cyber coordinator and report events to CISA.

Mayorkas said designating a point of contact, reporting incidents and developing contingency plans “represent the bare minimum of today’s cybersecurity best practices.”

The Biden administration has been considering what authorities it has to regulate cybersecurity practices for various critical infrastructure sectors, and whether it would need to ask for additional legislation from Congress.

“At some point we have to decide, what are those things that are so essential that they’re not discretionary and we therefore have to insist that certain features and certain practices are built in?” National Cyber Director Chris Inglis said during an Oct. 28 event hosted by the Center for Strategic and International Studies. “We’ve done that before. This is not new and novel.”
