TSA Eyes Cybersecurity Rulemaking

Written by Marybeth Luczak, Executive Editor

The Transportation Security Administration (TSA) is seeking input on ways to strengthen cybersecurity and resiliency in the pipeline and rail sectors, the latter covering freight, passenger and transit rail.

The agency on Nov. 30 issued an Advance Notice of Proposed Rulemaking (ANPRM) that “offers an opportunity for interested individuals and organizations, particularly owner/operators of higher-risk pipeline and rail operations, to help TSA develop a comprehensive and forward-looking approach to cybersecurity requirements,” TSA reported in the Federal Register. “TSA is also interested in input from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.”

The feedback, due by Jan. 17, 2023, will “allow TSA to better understand how the pipeline and rail sectors are implementing CRM [cyber risk management] in policies, planning, and operations, and [to] assess the need to update existing or develop new regulations to address CRM,” TSA reported. CRM, it explained, “involves all activities designed to identify and mitigate risk-exposures to cyber technology, both informational and operational, to ensure safe, sustained operations of vital systems and associated infrastructure.” The agency noted that it is also “interested in understanding cost implications. Such input on costs is critical for understanding the potential impacts of a regulation, and specifically to inform proper accounting of associated costs and benefits.”

TSA is looking for ANPRM respondents to:

  • Identify the current baseline of operational resilience and incident response. Among the questions to answer: What cybersecurity measures does your organization currently maintain and what measures has your organization taken in the last 12 months to adapt your cybersecurity program to address the latest technologies and evolving cybersecurity threats? What assessments does your organization conduct to monitor and enhance cybersecurity (such as cybersecurity risk, vulnerability, and/or architecture design assessments, or any other type of assessment to information systems)? How often are they conducted?
  • Identify how CRM is implemented. Among the questions to answer: What frameworks, standards or guidelines have informed your implementation of CRM for your pipeline and rail operations? Does your CRM include aspects of system protection, system penetration testing, security monitoring, incident response, incident forensic analysis, and a plan for restoration of operations?
  • Address how to maximize the ability of owner/operators to meet evolving threats and technologies. Among the questions to answer: In addition to the requirement to report cybersecurity incidents, should pipeline and rail owner/operators be required to make attempts to recover stolen information or restore information systems within a specific timeframe? If so, what would be an appropriate timeframe? From a regulatory perspective, TSA wrote that it is most interested in actions that could be taken to protect pipeline and rail systems by ensuring appropriate safeguards of critical cyber systems within IT and OT environments. Because of this, it asks respondents: What types of critical cyber systems do you recommend that regulations address, and what would be the impact if the scope included systems that directly connect with these critical cyber systems? Other questions are: What impacts (positive and negative) to the pipeline and rail sectors’ workforce do you anticipate regarding the implementation of CRM? Should pipeline and rail owner/operators be required to monitor and limit the access that individuals have to OT and IT systems in order to protect information and restrict access to those who have a demonstrated need for access to information and/or control?
  • Identify opportunities for third-party experts to support compliance. “TSA has maximized the capability of third-party certifiers in other contexts and is interested in options for leveraging this capability for cybersecurity,” the agency reported. “In general, the concept would require some level of approval by the federal government that recognizes the qualifications of the third-parties, vetting to identify any potential conflicts of interest or other risks associated with an insider threat, and consistent standards to be applied.” It asks ANPRM respondents to consider such questions as: How would you envision using third-party organizations to improve cyber safety and security in the pipeline and rail sectors? For example, should pipeline and rail owner/operators be able to use third parties to administer their CRM programs, and if so, to what extent and in what manner? Should pipeline and rail owner/operators use third-party certifiers to verify compliance and the adequacy of their CRM programs?
  • Address cybersecurity maturity considerations. Among the questions to answer: What special considerations or potential impacts (i.e., risks, costs or practical limitations) would pipeline and rail owner/operators have to consider before implementing CRM in their respective operations? What is your estimate of the percentage of pipeline and rail owner/operators that have already implemented CRM within their organizations?
  • Address incentivizing cybersecurity adoption and compliance. TSA wrote that it “is particularly interested in comments on types of incentives, such as liability protection, insurance, commercial contracts, or other private- or public-sector options, that would incentivize adoption of cybersecurity and resilience measures, and whether and how TSA might facilitate the development of such incentives.” Among the questions to answer: If you have implemented CRM, was implementation required or incentivized by insurance companies, existing commercial contracts, or contracts with the federal government? What tools, technical assistance, or other resources could TSA provide to facilitate compliance with any specific federally-imposed cybersecurity requirement?

“TSA believes that cybersecurity regulations should consider current voluntarily-implemented cybersecurity measures and related operational issues that affect implementation of these measures,” the agency summed up. “Having a clear and comprehensive understanding of the current baseline will support TSA’s efforts to provide more flexibility in meeting the desired security outcomes.”

TSA on Oct. 18 issued a new cybersecurity directive for designated passenger and freight railroads. Effective for one year, it built upon previous directives whose requirements include reporting significant cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment.

“Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment,” the agency said at that time, noting it intended “to begin a rule-making process, which would establish [permanent] regulatory requirements for the rail sector following a public comment period.”
