A look inside the TSA’s new cybersecurity regime for pipelines and railroads

Operators of pipelines, freight railroads and passenger transit systems face a parade of cybersecurity deadlines this year. They come from the Transportation Security Administration, partly in reaction to last year’s Colonial Pipeline ransomware attack. For details, the Federal Drive with Tom Temin turned to a former federal prosecutor, now a partner at the law firm McDermott Will & Emery, Scott Ferber.

Interview transcript:

Tom Temin: Scott, good to have you on.

Scott Ferber: Great to be on, Tom, thank you.

Tom Temin: As someone who follows cybersecurity in the private sector pretty carefully, there’s a big lift that companies have under this TSA mandate. Tell us more about it.

Scott Ferber: The TSA directives really are part of a broader effort by the executive branch, both voluntary and mandatory directives, to get the private sector to do more when it comes to the cyber threat landscape, which, you know, everyone agrees is daunting. There’s a mix of undertakings by the government. I mean, you have calls to arms, for example. There’s the June 2 open letter to corporate executives and business leaders from Deputy National Security Adviser Anne Neuberger, where she emphasized that the private sector has a critical responsibility to protect against cyber threats and recommends a variety of best practices. And then you have President Biden’s August 25 meeting with corporate leaders from a variety of sectors, discussing the whole-nation effort that’s needed to address cyber threats. And then on the mandatory side, there are both industry-agnostic and also sector-specific directives, and you hit the nail on the head with the recent TSA directives targeting the transportation sector. And those are just part of a broader sector-specific effort by TSA, by the Department of Justice and federal banking regulators, among others, to address this threat.

Tom Temin: Right. So far, we haven’t seen disruptions of operations, runaway trains or something or signals not working because of cyber attacks that we know of, correct?

Scott Ferber: Right. But I think that’s one of the concerns that the federal government has, is without mandatory breach reporting requirements, you know, companies, whether they’re transit systems or other organizations, are really left to themselves unless they’re required to report. You know, it can be voluntary, and I certainly understand potentially the reluctance to come forward to regulators, to law enforcement, and to reveal that, you know, a particular company has been the victim of a breach. And so the fact that we haven’t read about it doesn’t necessarily mean it hasn’t happened.

Tom Temin: Sure, yes. And I guess, well, we would probably know if a runaway train happened, but certainly with ransomware, we do know what happened in the case of the pipeline. And so on January 6, there was the designation of a cybersecurity coordinator and an alternate. And so that’s happening now. But then there are March and June deadlines that companies have to meet. And what are those?

Scott Ferber: Sure. Well, and actually taking a step back, you know, there are a number of important elements to the TSA’s December 2 security directive, and covered owners and operators of rail systems, effective December 31, so they’re already on the clock, need to report covered cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 24 hours of identifying them. And cybersecurity incidents under the directives are defined broadly, and include an event that is under investigation as a possible cybersecurity incident, without final determination of the event’s root cause or nature. So covered owners and operators need to be vigilant about what’s going on on their networks, I’m sure they already are, but now also with an eye toward very quickly having to report them to CISA. And then as you mentioned, by January 6 covered entities are going to have to designate a cybersecurity coordinator and alternate. And it’s not just find someone in the organization and submit their names to CISA. There are certain eligibility requirements under the directives, including, you know, that the individual be a U.S. citizen, and the designated coordinator needs to be available — and I’m quoting from the directives — at all times, all hours, all days to coordinate implementation of cybersecurity practices and manage cybersecurity incidents.

Tom Temin: That’s why they have an alternate, so that someone can cover the clock 24 hours.

Scott Ferber: That’s right. That’s right. And I should also mention, it’s not just U.S. citizens, but it’s someone that can be eligible for a security clearance, right. And so there needs to be someone on call at all times. And then companies, you know, well, hopefully they’re already doing this, but now they’re going to be required to conduct cybersecurity vulnerability assessments to identify potential gaps, and use the form that TSA provides and then submit the completed form to TSA. So in doing that, of course, you know, companies need to be thoughtful about what they’re putting in the form. Of course, they want to be truthful and accurate, but recognize it’s going to a government agency. They need to be very careful about what they’re including on their forms and make sure it complies with the letter of the directives.

Tom Temin: And is this a two-page form, a 25-page form, a 200-page form? Do we know?

Scott Ferber: It’s more targeted, and you can find the form online. It’s not some, you know, encyclopedic form. But it is detailed and, you know, will require some time. It’s not something you can just fill out in an hour and fire off.

Tom Temin: Alright, and that’s March 30, they have to do the form. And then June 28, they have to have a response plan for, I guess, what it is they found out in what they put on the form.

Scott Ferber: Well, they have to develop a cybersecurity incident response plan. So do the assessment, and then also have a plan in place and submit it by June 28. That enables them to be prepared, if there is an incident, so that they can respond effectively. They have the right governance in place and mechanisms. And, you know, at McDermott, we routinely counsel clients not just in rail systems, but you know, across industries on having robust cybersecurity incident response plans. And one of the things that we tell our clients all day every day is, you can have the best on-paper plan, but if it doesn’t work within your organization and it’s not tested, then frankly it’s not worth the paper it’s printed on. So yes, companies should go through the exercise of putting together the plan, but make sure that it’s a practical plan. And to actually take your point, Tom, about some 200-page form, if it’s a 200-page plan and no one’s going to look at it in the heat of an incident, then it really isn’t an effective plan.

Tom Temin: Well, let me ask you this: In the work that you do with transportation companies, railroads or pipelines or whatever, vulnerability assessments and having someone to coordinate, isn’t that something that smart companies that have a smart IT type of leadership would have in place anyway? I mean, this should not be a heavy lift, if you care about cyber.

Scott Ferber: They should have it in place. But I think one of the things that the directives really sharpen focus on is that IT and legal compliance need to be lashed up and need to be talking about the problem in that plan. And that comes from not just what the directives are requiring, but also in anticipation of future litigation risk, regulatory investigations. And there needs to be that conversation and coordination.

Tom Temin: Yes, that’s the question. Suppose you fill out the form, you have the coordinator, you have the plan, you’ve tested it. And as far as you know, you are meeting the requirements of all of these directives, and something happens anyway. Then what happens? What can TSA do, what can CISA do, or do they just tell the Federal Trade Commission?

Scott Ferber: Well, there are a variety of levers that can be pulled by the government. You know, there’s the reporting requirement under the security directive, so a company that’s affected by a covered incident needs to report it. You know, transportation systems are covered by a number of different regulators and so have to be mindful of that. And then, you know, taking it a step further, if the information involves personally identifiable information, there are potential reporting obligations under the patchwork of state data breach notification laws.

Tom Temin: So companies have some work to do.

Scott Ferber: They do. They do. And just to put a fine point on it, you know, in October of last year, the Department of Justice, my former employer, launched its civil cyber fraud initiative, under which it will be pursuing — or intends to pursue — civil actions through the False Claims Act against government contractors and federal grant recipients who knowingly provide deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, and violate their obligations to monitor and report cyber incidents and breaches. So if you are a government contractor or a federal grant recipient, this is going to add an additional layer of exposure. And when the Department of Justice announced the initiative, they encouraged whistleblowers to come forward. They expect them to play a significant role in identifying knowing compliance failures. So this is an additional area for that sector to be aware of, and be prepared for.

Tom Temin: Scott Ferber is a partner of the law firm McDermott Will & Emery. Thanks so much for joining me.

Scott Ferber: Thanks so much for the time and inviting me on. It’s great talking about a passion subject that I feel very passionate about.
