The Transportation Security Administration (TSA) has introduced new regulations to strengthen cybersecurity across critical U.S. transportation infrastructure, specifically focusing on pipelines and railroads. These proposed rules aim to formalize earlier security measures implemented following the 2021 ransomware attack on Colonial Pipeline, which exposed vulnerabilities in the nation’s energy infrastructure. The rules would mandate that pipeline and railroad operators develop and maintain cyber risk management (CRM) plans that are closely monitored by the TSA. These plans are designed to help mitigate risks posed by increasingly sophisticated cyber threats.
The proposed rules would require these companies to include several key components in their CRM plans. These include annual cybersecurity evaluations, assessments to identify vulnerabilities, and clear operational protocols for addressing and recovering from cyber incidents. Additionally, organizations would need to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), ensuring greater transparency and accountability when facing cyber threats. The TSA estimates that these regulations will affect approximately 300 transportation operators, including 115 pipeline facilities, 73 freight railroads, and 34 public transportation agencies.
The need for such regulations is heightened by the increasing cyber threats facing critical infrastructure, particularly from nation-state actors like Russia and China. Cyberattacks on surface transportation systems have surged, with several recent incidents targeting railroads and transit systems. The TSA has emphasized that these new rules are designed to bolster the resilience of the transportation sector and prevent disruptions to national security and the economy. The agency is responding to growing concerns about the potential use of artificial intelligence in cyberattacks and the accelerating pace of cyber incidents.
The proposed rule will undergo a public comment period until February 5, 2025. This allows industry stakeholders and experts to provide feedback on the proposed measures. The TSA has worked closely with operators to ensure flexibility and adaptability in the implementation of the regulations, recognizing that cybersecurity needs vary across different transportation networks. As the cybersecurity landscape continues to evolve, the TSA’s proposed rule aims to ensure that the U.S. surface transportation sector is well-prepared to defend against and recover from future cyberattacks, safeguarding vital infrastructure for years to come.