In light of the critical role that pipelines and rail sectors play in the United State’s economic and national security, as well as the ongoing and growing cyber threats to such sectors, the Transportation Security Administration (TSA) has determined that it is appropriate to issue a regulation for cyber risk management in these sectors.
As a first step, TSA is seeking input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors.
An advance notice of proposed rulemaking (ANPRM) issued on November 30, offers an opportunity for interested individuals and organizations, particularly owner/operators of higher-risk pipeline and rail operations, to help TSA develop a comprehensive and forward-looking approach to cybersecurity requirements. TSA is also interested in input from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.
Cyber actors have demonstrated their willingness to engage in cyber intrusions and conduct cyber attacks against critical infrastructure by exploiting the vulnerability of Operational Technology (OT) and Information Technology (IT) systems. Pipeline and rail systems, and associated facilities, are vulnerable to cyber attacks due to legacy equipment that lacks updated security controls and the dispersed nature of pipeline and rail networks spanning urban and outlying areas.
A ransomware attack last year highlighted the potentially devastating impact that increasingly sophisticated cybersecurity events can have on the United State’s critical infrastructure, as well as the direct repercussions felt by U.S. citizens. And TSA says the need to take urgent action to mitigate the threats facing domestic critical infrastructure, which have important implications for national and economic security, including enhancing the pipeline and rail industry’s current cybersecurity risk management posture, is further highlighted by recent warnings about Russian, Chinese, and Iranian state-sponsored cyber espionage campaigns to develop capabilities to disrupt U.S. critical infrastructure to include the transportation sector.
Although TSA will review and consider all comments submitted, the agency is specifically interested in responses to the questions posed in its ANPRM. These include, but are not limited to cybersecurity spending, training, safeguards, oversight and standards. For example, the ANPRM asks “what types of critical cyber systems do you recommend that regulations address and what would be the impact if the scope included systems that directly connect with these critical cyber systems?” and “what minimum cybersecurity practices should pipeline and rail owner/operators require that their third-party service providers meet in order to do business with pipeline and rail owner/operators?”
In October, TSA announced a new cybersecurity security directive regulating designated passenger and freight railroad carriers. The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure.