The Transportation Security Administration (TSA) has introduced proposed regulations aimed at solidifying temporary cybersecurity measures that currently require pipeline and railroad operators to report cyber incidents and establish comprehensive cyber risk management (CRM) plans. This formalization comes in response to the ongoing threats posed to critical infrastructure and follows a series of directives that were initially prompted by the 2021 ransomware attack on the Colonial Pipeline.
TSA Administrator David Pekoske highlighted the collaborative efforts with industry partners to enhance the cybersecurity resilience of transportation infrastructure. “The proposed requirements build on this collaborative foundation, seeking to further bolster cybersecurity defenses among surface transportation stakeholders,” Pekoske stated.
Outlined in the Federal Register, the proposed rule targets specific pipeline and railroad operators while imposing reduced requirements on certain bus operators. The rule mandates the creation of CRM plans under TSA oversight, encompassing:
- Annual cybersecurity evaluations
- Assessment plans that address vulnerabilities, managed by officials without personal or financial interests in the assessment
- Operational implementation plans that designate cyber-responsible officials, identify critical systems, outline attack detection and protection measures, and describe recovery procedures from cyber incidents
Additionally, the proposed rules would require these organizations to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). TSA estimates that around 300 surface transportation operators would be impacted, including 73 of the 620 U.S. freight railroads, 34 of the 92 public transportation agencies, 71 bus operators, and 115 pipeline facilities.
With an anticipated cost of $2.1 billion over ten years for compliance and oversight, the TSA clarified that these rules offer a structured, adaptable approach to address the growing cybersecurity threats in the industry. According to a TSA spokesperson, while emergency directives are issued quickly to counter immediate risks, formalized rules undergo a more comprehensive review process. The TSA aims for these new measures to provide scalable defenses suitable for varying network environments.
Feedback from industry players, regulators, and experts since the Colonial Pipeline incident has shaped the framework of this rule. While some stakeholders previously criticized the prescriptive nature of initial TSA cybersecurity directives, this proposal is designed to offer more flexibility, allowing operators to adapt cyber defenses to their specific networks.
The TSA underscored the necessity of these new regulations, citing the rising cyber threats from both nation-states and cybercriminals targeting U.S. infrastructure. The 2021 Colonial Pipeline ransomware attack, which led to a temporary shutdown of vital petroleum supplies along the East Coast, highlighted the potential vulnerabilities within critical transportation systems. The proposed rule also acknowledges recent threats, particularly from Russia and China, and expresses concern about the potential for artificial intelligence to amplify these risks in the future.
The TSA will accept comments from industry stakeholders until February 5, allowing operators to contribute their insights on the proposed requirements. According to the TSA, the continued proliferation of cyber threats requires mandatory reporting and robust CRM programs to protect the surface transportation sector’s cybersecurity and resilience against evolving threats.
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
