The Transportation Security Administration recently unveiled a proposed rule that would permanently codify cybersecurity reporting requirements in certain segments of U.S. transportation, including pipelines and railroads. This change is set to be permanent after the agency introduced temporary reporting requirements for certain segments last year after a ransomware attack hit Colonial Pipeline, causing fuel shortages along the U.S. East Coast.
Locked In Securely
Since the Colonial Pipeline incident, the Transportation Security Administration has issued a number of temporary rules regarding cybersecurity risks in critical infrastructure. The new proposed rule would bring these temporary rules into permanence and codify a consistent approach throughout transportation on cybersecurity matters. As Administrator Pekoske pointed out, "TSA has been working extremely closely with industry partners to assist in enhancing the cybersecurity resilience of our nation's critical infrastructure."
Key Components of the Proposed Rule
This new law applies to a large scope of pipeline and railroad operators and places restrictions only on some bus companies. Its main emphasis is put on the implementation of cyber risk management plans that shall encompass:
- Annual Cybersecurity Reviews: These reviews will require assessments and improvements in cyber defences.
- Vulnerability Assessments: Conduct vulnerability assessments of security weaknesses that have not been remediated. Such assessments shall be conducted either by the covered entity's own personnel or a third party, but such personnel shall have no conflict of interest with respect to the covered entity.
- Operational Cybersecurity Plans: They would describe the functions of personnel in a cybersecurity company, what is in place to protect critical systems, and procedures in identifying a threat to and responding to it.
Under these proposed regulations, operators would have to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) to receive faster response to and support of a threat.
Impact and Cost
The TSA estimated that the rulemaking would affect about 300 transportation operators-from pipelines, freight railroads, to public transportation agencies. These include 73 freight railroads, 34 public transportation systems, 71 over-the-road bus companies, and 115 pipeline facilities. Compliance and TSA oversight are estimated to cost the industry $2.1 billion over the next ten years.
The TSA attributed the regulations to the emerging threats of cyber attacks posed by nation-state actors and cybercriminals, who often target U.S. infrastructure in efforts to disrupt it and further inflict economic damage. Countries, according to the TSA, "such as Russia and China" were cited as frequent sources of cyberattacks on American critical infrastructure.
The agency's proposal underlines the need for uniform cybersecurity measures to be taken as soon as possible as cyber threats are becoming more advanced: they are now set to use artificial intelligence to deliver faster, undetectable attacks.
Industry Reaction and Flexibility
The proposal takes place on the grounds that the earlier directions were considered too elaborative by the transporters who had imparted them. The TSA will be more agile and results-driven now, allowing the companies to engage themselves in security solutions pertaining to the specific needs of each one.
The proposed rule will be open to comments from the industry until February 5 while reviewing all the responses the TSA will have before finalising the rule. The agency looks forward to providing enhanced cybersecurity and resilience within U.S. surface transportation systems by defeating the increasing cyber threats.