Mondor Festival

News with a Local Lens

TSA Proposes Cybersecurity Requirements for Pipelines, Rail Operators
minsta

The Transportation Security Administration is proposing new regulations that would require high-risk pipeline and railroad operators to establish cybersecurity risk management programs.

The proposed rule builds on cybersecurity requirements TSA has issued in annual safety guidelines in recent years. The agency first decided to establish cybersecurity requirements for parts of the transportation sector following the Colonial Pipeline ransomware attack in 2021.

“TSA has worked closely with its industry partners to increase the cybersecurity resiliency of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a statement. “The requirements of the proposed rule are intended to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public comments on these proposed regulations.”

The requirements would apply to “higher risk” owners and operators. The TSA estimates the rule would affect “just under” 300 surface transportation owners and operators.

This includes 73 freight railways; 34 public transport and passenger railways; 71 road bus owners and operators; and 115 pipeline facilities and systems regulated by the Pipeline and Hazardous Materials Safety Administration.

The proposed rule would require “higher risk” owners and operators to establish and maintain cyber risk management programs consistent with the National Institute of Standards and Technology Cybersecurity Framework.

It would also require them to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of their being identified. In the rulemaking, TSA argues that its proposal is consistent with CISA’s proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking, which should be finalized next year.

The impact of Trump?

The Biden administration has pushed to establish minimum cybersecurity standards for critical infrastructure sectors. But it’s unclear whether President-elect Donald Trump and his administration would implement the TSA’s proposed rule and similar regulatory efforts.

While Trump’s official platform calls for removing “costly and burdensome regulations” in general, a section on critical infrastructure also pledges to “both raise the security standards of our critical systems and networks and defend them against bad actors.”

Regulatory harmonization

The TSA’s proposed rule also nods to “regulatory harmonization.” This refers to a drive supported by both congressional Republicans and the Biden administration to streamline and simplify cybersecurity regulations while reducing burdens on industry and other regulated entities.

“TSA emphasizes its commitment to regulatory harmonization and streamlining and notes that this proposed rule, which is based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, Standards and Best Practices of NIST and CISA (cyber performance objectives), is consistent with these priorities,” the agency’s rule states. “TSA also recognizes ongoing regulations from other components of DHS, including ongoing regulations on cybersecurity in maritime transportation and the implementation of CIRCIA.”

However, the TSA also notes that its “experience” with security requirements to date as well as feedback from owners and operators “indicate that complete harmonization is not possible,” according to the rule.

“Even within the transportation sector, there are modal operational issues, differing physical controls performed by other agencies that support defense-in-depth measures, and other factors that must be considered,” says the rule proposed by the TSA.

For example, TSA highlights “easy access” requirements that may make it “inadvisable” to implement multi-factor authentication on industrial control workstations.

“While TSA believes that differences in cybersecurity requirements may be intentional based on industry-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where possible and appropriate,” adds the agency.

Comments on the TSA proposed rule are due February 5.

Copyright © 2024 Federal Information Network. All rights reserved.