The Transportation Security Administration on Wednesday said it plans to require the nation’s pipeline and rail sectors to deploy measures to better manage their cybersecurity risks and is seeking input on comprehensive approaches to the forthcoming mandates.
The advance notice of proposed rulemaking (ANPRM) was published in the Nov. 30 Federal Register and follows previous TSA requirements for the two sectors to strengthen their cyber postures in the wake of various cyber attacks and threats.
The ANPRM highlights the May 2021 shutdown of operations by pipeline operator Colonial Pipeline due to a ransomware attack, a March 2022 announcement by the Justice Department of indictments of Russian security officials for their involvement in cyber intrusion efforts against U.S. and international energy companies and facilities, and a recent cybersecurity advisory by U.S. and international partners outlining how Russian state-sponsored actors have demonstrated their ability to compromise information technology networks and disrupt industrial control systems.
“These recent incidents demonstrate the potentially devastating impact that increasingly sophisticated cybersecurity events can have on our nation’s critical infrastructure, as well as the direct repercussions felt by U.S. citizens,” the advance notice says. “The consequences and threats discussed above demonstrate the necessity of ensuring that critical infrastructure owner/operators are proactively deploying CRM measures.” CRM refers to cyber risk management.
Core elements of CRM for the pipeline and rail sectors include designating an official responsible for cybersecurity, access controls, vulnerability assessments, measures to gauge the implementation and effectiveness of cybersecurity controls, and conducting drills and exercises, TSA says. Various technical security controls such as multi-factor authentication, patching, and zero trust architecture should also be part of an organization’s CRM as should physical security controls, incident response reporting and plans, employee training, and supply chain risk management, it says.
Mandatory security directives issued by TSA to the two sectors over the past 18 months include designating cybersecurity coordinators, reporting cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, and assessing their security postures and identifying measures to address vulnerabilities. The agency later required pipeline operators to take specific measures to protect against attacks and subsequently revised this directive to provide more flexibility in implementation so that security measures are performance-based rather than prescriptive.
In October, TSA also imposed similar performance-based cybersecurity requirements on higher-risk freight railroads, passenger rail, and rail transit owners and operators.
Comments on the ANPRM are due by Jan. 17, 2023.