TSA issues proposed cyber mandates for pipelines, rail, airlines
The Transportation Security Administration issued long-waited proposed cyber mandates Thursday that would set in stone, harmonize, and add to the emergency security directives first issued following the Colonial Pipeline ransomware attack in 2021.
The notice of proposed rulemaking (NOPR) will serve as one of the last major policy actions the Biden administration will take to protect critical infrastructure from malicious cyberattacks before President-elect Donald Trump takes office.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a Wednesday press release. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
The Biden administration’s efforts to secure pipelines began in earnest in May 2021 following the Colonial Pipeline attack. Weeks after the extortion attempt by the ransomware group BlackCat, TSA sent out security directives that issued first-of-its-kind cyber mandates to the pipeline sector, which previously relied on voluntary efforts.
The security directives were considered unwelcome by many trade organizations representing oil and natural gas. However, subsequent directives were issued by TSA that soothed industry concerns. Additionally, TSA’s security directives have to be renewed annually, so the agency moved forward with a more permanent rulemaking process.
TSA’s new proposed rule would impact just under 300 owners and operators that fall under the agency’s authority in freight railroad, passenger railroad, rail transit, and pipeline sectors, the notice states. Additionally, the rule would ensure the aviation sector follows the same mandates.
The mandates would also require covered entities to develop cyber risk management programs and establish a cybersecurity operational plan, including regular audits to assess their effectiveness.
Additionally, the proposal would require covered entities to report incidents to the Cybersecurity and Infrastructure Security Agency in anticipation of the upcoming law.
Marco Ayala, president of InfraGard Houston, said that “after a year-and-a-half of anticipation” the proposal would largely consolidate the security directives that were issued shortly after Colonial Pipeline was forced to take down operational systems following the 2021 ransomware attack.
However, Ayala said the TSA proposal also adds several “key additions,” like adhering to CISA’s secure-by-design and secure-by-default principles, new training, certification, and vetting standards.
The NOPR also calls for extending the cyber risk management program to “large-scale hazardous liquid or carbon dioxide pipelines,” Ayala said. Pipelines that carry large volumes or have high mileage in high-risk areas, or are a large supplier to the Pentagon’s Defense Logistics Agency, would also be required to follow these new rules, Ayala said.
TSA expects the proposal to impact 73 freight railroads, 34 public transportation agencies and passenger railroads, and 115 pipeline facilities and systems. Additionally, 71 over-the-road bus owners will be required to report significant security concerns.
Comments are due by Feb. 5, 2025.
