AAR, ASLRRA to TSA: CRM Regulations ‘Not Necessary’

Written by Carolina Worrell, Senior Editor

"TSA should clearly articulate any problem with cyber risk it believes exists prior to resorting to regulation," AAR and ASLRRA wrote to the agency on Feb. 1.

The Association of American Railroads (AAR) and the American Short Line and Regional Railroad Association (ASLRRA) “believe regulation is not required, particularly considering the extensive efforts of the industry to mitigate risk, and the ongoing implementation of Security Directives (SDs) by industry,” the two associations wrote to the Transportation Security Administration (TSA) on Feb. 1 as part of their submitted comments concerning the agency’s advance notice of proposed rulemaking (ANPRM) focused on cyber risk management (CRM) in the pipeline and rail sectors.

The comments respond to the ANPRM's request for input on “how the pipeline and rail sectors implement CRM in their operations,” input that TSA said will support the industry in “achieving objectives related to the enhancement of pipeline and rail cybersecurity.”

“Cybersecurity is always evolving, and real-time adaptation is essential to reduce risk,” AAR and ASLRRA stated in the document, adding that “experience and lessons learned with this implementation, as well as inspections and ongoing consultations between agency officials and industry representatives, are likely to offer several lessons for rail operators and TSA that make further rulemaking premature at this time. If TSA does propose a rule, it must consider the necessity of any prescribed requirements and the appropriate scope of implementation through the lens of the recurring risk assessments that railroads already conduct and the effective cybersecurity practices already in effect–long-maintained and continuously evaluated for enhancement.

“For any regulation, performance-based standards begin with a clear articulation of the problem to be solved. Without a clearly identified problem, it is impossible to know how the proposed policies or rules will resolve prevailing and emerging concerns, much less enable establishing a performance standard. Upon identification of the problem, TSA can then evaluate whether and to what extent existing performance standards applied by railroads, as well as other regulatory structures or requirements in effect or pending, address the cybersecurity concerns–with the least disruption to the parties’ expectations and processes. To the extent other regulations cover the concerns, the agency should avoid duplicative requirements.”

According to the document, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the process with a Request for Information (RFI), to which railroads responded in November 2022, to “develop the statutorily mandated rulemaking to require reporting by critical infrastructure organizations of cybersecurity incidents not sooner than 72 hours after the affected entity reasonably believes a reportable event occurred.”

According to AAR and ASLRRA, “TSA need not regulate here.” However, the associations stated in the document, “If risk assessments have identified significant cybersecurity concerns or potential gaps, the agency could then pursue a balanced approach that leverages the strong partnerships maintained with railroads through well-developed coordination and information sharing structures; provides guidance on measures and actions to elevate cybersecurity posture for immediate mitigation of the significant cybersecurity concerns; and, where warranted, pursues narrowly tailored requirements aimed at long-term resolution in a risk-based manner.”

“Once a regulatory decision has been made to solve for a particular problem or fill a specific gap,” AAR and ASLRRA stated in the document, “the agency should do so in a narrowly tailored, performance- and risk-based manner where the benefits exceed the costs.”

According to the document, “the agency also seems to recognize the value of performance-based rulemaking. Many of the questions, however, imply a desire to define and require very specific actions of railroads (e.g., D.7, requiring third-party penetration testing; D.10 requiring monitoring and limiting access to OT and IT systems, D.12 requiring maintenance of certain security controls, D.14 requiring certain levels of architecture; E.2 requiring third-party certifier compliance assessments).”

Such very specific actions, the associations say, “should be avoided.” Instead of requiring actions or technologies, according to the document, TSA should “identify the problem to be solved, in the context of prevailing and emerging cyber threats and significant security concerns. TSA then can set a performance-based standard for a railroad to meet in the most effective way its cybersecurity professionals determine based on risk assessments, network architecture and infrastructure, and critical functions.

“In general, TSA has not identified a need for regulation of CRM, nor has it articulated any specific problem faced by the railroad industry, aside from general statements that rail may be vulnerable to cyber-attacks. The mere possibility of a threat and lack of regulation in this particular space, on their own, do not provide a sound basis for regulating. The successful track record of the industry being proactive with regard to cybersecurity only highlights the concern with creating new regulations.”

As stated in the document, “If TSA makes the determination to regulate further in the cyber risk space, the rules developed should loosely reflect the types of requirements, revised for a more performance and risk-based approach, specified in the SDs. This approach would produce the lowest impact to the regulated entities from a cost, resource, and operations perspective, while acknowledging the extensive efforts on tight timelines dedicated to compliance with the provisions of the directives. Often government regulators properly distinguish between Class I and short line railroads in establishing regulatory requirements. In this case, however, due to the interconnectedness of our physical rail networks, and in some instances computer networks, AAR and ASLRRA urge TSA to maintain similar risk-based approaches for all rail operators. The industry has cooperated to protect our networks to date and needs the freedom to do so in the future.”

“It is absolutely imperative that the agency operate as a true partner with industry,” AAR and ASLRRA stated in closing, responding to the question of what tools TSA can provide. “TSA’s work to increase and improve outreach to industry during the process of drafting and implementing the SDs should continue to be built upon, particularly with regard to short lines that they are newly engaging with on cybersecurity issues. TSA, with other federal agencies, should work to provide as much feedback on cyber incident reporting as possible. Actionable information, shared in a timely and effective manner, contributes substantially to cyber risk mitigation and, thereby, supports operational resilience.”

AAR and ASLRRA concluded the document by stating that they “appreciate TSA’s focus on managing cyber risks and believe TSA should clearly articulate any problem with cyber risk it believes exists prior to resorting to regulation. Regulation should not be a foregone conclusion.”
