The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber risk management and reporting practices for pipeline, railroad, bus and other public transportation systems. The proposed rules extends existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).
The proposed rules, as laid out in the Federal Register on Thursday, would affect "certain pipeline and rail owner/operators," and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber risk management programs, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and to designate a physical security coordinator and report significant physical security concerns to TSA. The cyber risk management plans will need to include annual cybersecurity evaluations; assessment plans that identify unaddressed vulnerabilities; and a cybersecurity operational implementation plan describing officials in charge of cyber, critical cyber systems and how they are protected, measures in place to detect cyberattacks, and what will be done to address and recover from cyber incidents.
If approved, the new rules would impact just under 300 surface transportation owners/operators regulated by the TSA across freight railroad, passenger railroad, rail transit and pipeline sectors, and would also require the aviation sector to comply. Specifically, the rules would impact 73 of the approximately 620 freight railroads currently operating in the U.S., 34 of the approximately 92 public transportation agencies and passenger railroads, 71 over-the-road bus owners and operators, and 115 of the more than 2,000 pipeline facilities and systems.
"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure," said TSA Administrator David Pekoske in a statement. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."
This is one of the Biden administration’s last efforts to shore up the cybersecurity of critical infrastructure in the wake of the ransomware attack that crippled Colonial Pipeline back in 2021. The proposed rule is open for public comment until February 2, 2025.