The Transportation Security Administration (TSA) published an Advance Notice of Proposed Rulemaking (ANPRM) on November 30, 2022, seeking stakeholder comment on ways to strengthen cybersecurity and resiliency for pipeline and rail systems, with an eye toward potential development of cyber regulations for these surface transportation sectors.

The issuance of the ANPRM follows several key actions related to cybersecurity in critical infrastructure sectors by TSA and the Cybersecurity and Infrastructure Security Agency (CISA), both of which are part of the U.S. Department of Homeland Security (DHS). In July 2022, TSA issued a revised Security Directive on cybersecurity for critical pipelines and liquefied natural gas facilities (discussed in our prior blog post), and in October 2022, issued a pair of Security Directives on cybersecurity for passenger and transit rail systems, and for freight rail. Also in October, CISA released its cross-sector cybersecurity performance goals intended to promote cybersecurity best practices by critical infrastructure owners and operators.

TSA, in the November ANPRM, builds upon the momentum of the past several months and seeks feedback—including from industry associations, third-party cybersecurity subject matter experts, and cybersecurity insurers and underwriters—regarding the development of a comprehensive and forward-looking approach to cybersecurity requirements across surface transportation systems.

Pipes, Trains, and Cyber Ideals

Both the pipeline and rail sectors operate vital supply chain infrastructure, the reliable operation of which is critical for national security and commerce. The criticality of this infrastructure makes both sectors an attractive target for cyber-attacks, as such attacks can affect not only the targeted computer systems but also the vital operations those systems support. For example, an attack on computer systems supporting pipeline or rail operations could cause significant supply shortages, cascading supply chain disruptions, and dramatic increases in commodity prices. Adversaries already have shown their willingness to launch major attacks against critical surface transportation infrastructure, as exemplified by the ransomware attack against Colonial Pipeline in May 2021.

The ANPRM highlights several crucial cyber risks to pipeline and rail systems. One such risk is the increased integration of information technology (IT) and operational technology (OT) systems. OT systems, which include industrial control systems (ICS), are responsible for directly interacting with transportation operations—for example, by managing flow through a pipeline or traffic on a railroad. As IT and OT systems become more integrated, attackers may be able to compromise IT systems and then move laterally into OT systems. Of particular concern is attackers' ability to compromise supervisory control and data acquisition (SCADA) systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems. Another significant cyber risk highlighted by the ANPRM arises from continued reliance on legacy ICS and the inherently geographically dispersed nature of pipeline and rail networks. As noted in the ANPRM, DHS and other federal agencies have recommended that owner/operators and network administrators implement a layered, "defense-in-depth" approach to cybersecurity that includes segregation of OT systems from IT systems to prevent infection of one from spreading to the other.

To address these and other cyber risks to surface transportation systems, the ANPRM sets forth "core elements" of a cybersecurity risk management (CRM) program:

  • Designation of a responsible individual for cybersecurity;
  • Access controls;
  • Vulnerability assessments;
  • Specific measures to gauge the implementation, effectiveness, efficiency, and impact of cybersecurity controls;
  • Drills and exercises;
  • Technical security controls (e.g., multi-factor authentication, encryption, network segmentation, anti-virus/anti-malware scanning, patching, and transition to "zero trust" architecture);
  • Physical security controls;
  • Incident response plan and operational resilience;
  • Incident reporting and information sharing;
  • Personnel training and awareness;
  • Supply chain/third-party risk management; and
  • Recordkeeping and documentation.

Although not stated in the ANPRM, surface transportation operations should expect these "core elements" to serve as the baseline for TSA's approach to cybersecurity regulations going forward.

Areas for Comment

In issuing the ANPRM, TSA is soliciting input to inform the eventual development of regulations—pursuant to its authority under the 9/11 Commission Act of 2007—to ensure owners and operators of pipeline and rail infrastructure are adequately equipped to protect against and respond to cybersecurity threats. The ANPRM identifies several policy priorities that will be emphasized as part of its regulatory effort, and requests input on specific questions related to each priority. The priorities identified in the ANPRM include:

  • assessing and improving the current baseline of operational resilience and incident response;
  • maximizing the ability of owners and operators to adapt to meet evolving threats and technologies;
  • identifying opportunities for third-party experts to support compliance;
  • accounting for the differentiated cybersecurity maturity across the surface transportation sector and regulated owners and operators;
  • incentivizing cybersecurity adoption and compliance; and
  • bringing about measurable outcomes and regulatory harmonization.

The ANPRM provides some specific examples of the feedback TSA hopes to receive from stakeholders, including ideas for ensuring that regulations are able to evolve at the pace of escalating threats; thoughts on the most effective compliance incentive mechanisms, including incentives and grants; and proposals for how to ensure harmony with extant regulatory regimes. The ANPRM also requests information regarding the costs associated with implementing existing cybersecurity standards and requirements for critical infrastructure, such as the North American Electric Reliability Corporation's Critical Infrastructure Protection reliability standards, in order to inform the TSA's cost-benefit analysis of the impact of potential regulations.

Next Steps

Time is relatively tight for stakeholders to provide comments on the areas identified in the ANPRM: The deadline for interested parties to submit comments in response to the ANPRM is January 17, 2023. DWT will continue to monitor developments related to the ANPRM specifically and cybersecurity issues facing critical infrastructures generally.