The Transportation Security Administration (TSA) has made a significant move by unveiling a long-anticipated proposal aimed at enhancing cybersecurity mandates, directing pipeline and railroad owners and operators to implement robust risk management programs and establish comprehensive incident reporting protocols.
Through a notice of proposed rulemaking (NOPR) published in the Federal Register on Nov. 7, TSA intends to build upon cybersecurity requirements set forth in 2021, especially in response to the high-profile Colonial Pipeline ransomware attack orchestrated by the notorious Russian cybercriminal group DarkSide. That disruptive incident prompted an emergency declaration following a week-long shutdown of 5,500 miles of East Coast petroleum pipelines, severely affecting the supply chain of vital petroleum-based products and underscoring the critical need for stringent cybersecurity protocols.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske stated in a statement. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
The cybersecurity risk management (CRM) program prescribed by TSA mandates that owners and operators conduct an annual, comprehensive cybersecurity evaluation across their enterprises to align with the rule’s defined security outcomes. The proposal also requires the development of a continuity of operations implementation plan that effectively addresses critical cyber systems in the event of an incident. Furthermore, it calls for a corrective action plan that includes detailed assessment schedules, annual assessment reports, and identification of previously unaddressed vulnerabilities.
“Implementation of a CRM program, as described under the proposed rule, could help enhance the security of the regulated population by improving the owner/operator’s ability to identify, detect, protect against, respond to, and recover from cybersecurity incidents,” the proposal clearly states.
Under the proposed regulations, all cybersecurity incidents must be reported to the Cybersecurity and Infrastructure Security Agency (CISA), while any physical security concerns will be directed to the TSA for assessment.
TSA estimates that the new proposal is likely to impact 73 freight railroads, 34 public transportation agencies, as well as passenger railroads and 115 pipeline facilities and systems. Additionally, around 71 intercity bus operators will be expected to report any significant security concerns to align with the new standards.
The proposal closely follows cybersecurity guidance and standards previously issued by CISA and the National Institute of Standards and Technology (NIST), both of which seek to assist organizations in managing and mitigating cybersecurity risks effectively. However, CISA has faced substantial pushback, as many sectors within the industry have voiced concerns regarding potential overreach in regulatory practices.
As the timeline for implementation draws near, the proposed rule may represent one of the final major initiatives in critical infrastructure cybersecurity from the Biden administration before the anticipated transition to President-elect Donald Trump. The incoming president’s policy outline pledges to “raise the security standards” for critical systems and networks across the nation.
Comments and feedback regarding the TSA proposal are requested by Feb. 5, 2025, encouraging stakeholders to weigh in on these pressing cybersecurity enhancements.
List of TSA Administrator’s
**Interview with David Pekoske, TSA Administrator**
**Interviewer:** Thank you for joining us today, Administrator Pekoske. The TSA recently announced a proposal aimed at enhancing cybersecurity for pipeline and railroad operators. Can you elaborate on what prompted this significant move?
**David Pekoske:** Thank you for having me. The decision to propose these new cybersecurity mandates was largely driven by the increasing prevalence of cyber threats, particularly following high-profile incidents like the Colonial Pipeline ransomware attack in 2021. That event highlighted critical vulnerabilities in our transportation infrastructure and underscored the need for robust cybersecurity measures. We must protect not just the systems themselves but also the national supply chains they support.
**Interviewer:** The proposed rule underlines the importance of a cybersecurity risk management program. What specific requirements will pipeline and railroad operators need to adhere to?
**David Pekoske:** The proposed rule mandates that operators conduct an annual comprehensive cybersecurity evaluation of their systems. This evaluation must align with defined security outcomes. Operators will also need to create a continuity of operations plan to ensure critical cyber systems can function during an incident. Additionally, a corrective action plan that identifies vulnerabilities and outlines remediation steps is also a requirement. It’s about fostering a proactive and resilient cybersecurity environment.
**Interviewer:** Industry collaboration seems to be a key factor in this effort. How has the TSA worked with industry partners to develop these proposals?
**David Pekoske:** We’ve engaged closely with industry stakeholders throughout this process. Continuous dialogue with our partners helps us understand the real-world challenges they face. By working together, we can develop more tailored solutions that enhance overall security. Our goal is to ensure that the proposed regulations are not only effective but also feasible for those in the field.
**Interviewer:** There’s always concern about the balance between security and operational efficiency. How does the TSA intend to ensure that these new requirements do not impose excessive burdens on operators?
**David Pekoske:** That’s an important consideration. We are mindful of the need for operators to maintain their operations while enhancing security. The proposal is designed to be practical and achievable, allowing flexibility for varying sizes and capabilities of operators. The input we receive during the comment period will be critical in refining our approach to ensure we strike the right balance.
**Interviewer:** As we look ahead, what do you envision as the long-term impact of these cybersecurity enhancements on the nation’s transportation infrastructure?
**David Pekoske:** Ultimately, our hope is to create a more resilient transportation infrastructure that can withstand cyber threats. By implementing these regulations, we aim to instill confidence in both industry operators and the public that we are taking significant steps to protect critical systems. A secure transportation network is vital for national security and economic stability, and I believe these enhancements will be instrumental in achieving that goal.
**Interviewer:** Thank you, Administrator Pekoske, for your insights. We look forward to seeing how this proposal develops.
**David Pekoske:** Thank you for having me. I’m excited for the feedback we’ll receive and the collaborative efforts ahead.
