
Transportation Security Administration suggests implementing cybersecurity management programs for surface transportation and pipeline operators

Under the new rule, reporting cybersecurity incidents to CISA and physical security concerns to TSA would become mandatory.

TSA suggests cyber security risk management plans for surface transportation and pipeline operators

In a move to bolster the cybersecurity of surface transportation and pipeline companies, the Transportation Security Administration (TSA) has proposed new, specific cyber risk management requirements. These measures are a response to high-profile cybersecurity incidents such as the Sunburst attack and the 2021 Colonial Pipeline ransomware attack, which exposed critical vulnerabilities and operational risks in these sectors.

### Key Requirements Proposed by TSA

The TSA's proposed regulations aim to enhance the cybersecurity posture of these critical infrastructure operators. Here are some of the key requirements:

1. **Comprehensive Cyber Risk Management Programs:** Companies are required to develop and implement tailored cyber risk management programs to address the unique threats facing critical infrastructure in the transportation sector.

2. **24/7 Cybersecurity Leadership:** Designating a dedicated cybersecurity officer responsible for ongoing cyber risk oversight ensures continuous monitoring and rapid response capabilities.

3. **Regular Audits and Assessments:** Annual or periodic cybersecurity audits and risk assessments are essential to identify vulnerabilities and verify compliance with cybersecurity standards.

4. **Enhanced Monitoring and Incident Response:** Real-time monitoring and incident response protocols will help detect, isolate, and mitigate cyber incidents quickly.

5. **Stronger Access Controls and Segmentation:** Network segmentation, multi-factor authentication, and strict IT/OT system access controls will reduce the risk of lateral movement and minimize attack surfaces.

6. **Third-Party Risk Management:** Given the heavy reliance on vendors and contractors in transportation operations, companies must enforce rigorous controls and visibility into third-party access.

7. **Alignment With Federal Guidance and Standards:** TSA emphasizes alignment with broader federal cybersecurity directives, including guidance from agencies such as CISA, NSA, and FBI on best practices for securing complex systems, including those involving AI and quantum-resilient cryptography.

### Context of Recent Cybersecurity Incidents

The Sunburst attack, related to the SolarWinds Orion breach, underscored the importance of supply chain security and risk management. The Colonial Pipeline ransomware attack in 2021 demonstrated operational disruption risks when cybercriminals target pipeline IT/OT systems, emphasizing the need for resilience strategies including detection, response, and system segmentation to prevent lateral spread.

### How TSA Requirements Address These Incidents

The TSA's proposed regulations directly address the lessons learned from these high-profile cyber incidents. By focusing on continuous oversight, proactive risk assessment, incident readiness, and securing supply chain and third-party relationships, the TSA aims to strengthen the resilience of critical infrastructure operators.

The proposed rules are based on the cybersecurity framework established by the National Institute of Standards and Technology. Pipeline, rail, and certain bus transportation or transit systems would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency. These sectors would also report any physical security risk concerns to the TSA.

In the last three years, the unprecedented threats from nation-state actors to transportation systems have necessitated quick action. The proposed mandates follow years of work to strengthen cybersecurity oversight, which was accelerated after the 2020 Sunburst attacks and the 2021 ransomware attack on Colonial Pipeline.

The TSA is extending requirements to appoint a physical security coordinator to the pipeline industry. Certain pipeline, passenger, and freight rail operators, as well as rail system companies with high-risk profiles, are required to develop comprehensive cyber risk management programs. The TSA will require reports on physical security issues from the pipeline industry.

The public comment period ends on Feb. 5, 2025. TSA officials have met with industry operators to get their input on requirements under consideration. The Transportation Security Administration (TSA) is seeking public comment on proposed requirements for surface transportation and pipeline companies to implement cyber risk management programs.

  1. The TSA's proposed regulations for surface transportation and pipeline companies emphasize the importance of comprehensive cyber risk management programs to address unique threats in the transportation sector.
  2. In response to high-profile cybersecurity incidents like the Sunburst attack and the Colonial Pipeline ransomware attack, the TSA aims to enhance the cybersecurity posture of critical infrastructure operators with requirements such as 24/7 cybersecurity leadership and annual audits.
  3. The cyber risk management requirements proposed by the TSA also focus on incident response, access controls, network segmentation, and third-party risk management to minimize attack surfaces and prevent lateral movement.
  4. The TSA regulations aim to establish alignment with broader federal cybersecurity directives and best practices from agencies such as CISA, NSA, and FBI, including guidelines for securing complex systems and supply chain security.
  5. Given the operational disruption risks posed by cyberattacks, the TSA's proposed rules emphasize resilience strategies, including system segmentation, detection, response, and physical security risk reporting to the TSA for certain sectors.
