TSA Proposes Cyber Risk Mandates for Pipelines, Transportation Systems

November 14, 2024 at 09:01PM

The TSA has proposed new cybersecurity rules for pipeline, railroad, bus, and public transportation systems, enhancing existing frameworks. Affected operators must implement cyber risk management programs, report incidents, and maintain security measures. This initiative aims to boost cybersecurity resilience, with public comments accepted until February 2, 2025.

### Meeting Takeaways

1. **New Proposed Rules**: The Transportation Security Administration (TSA) has issued a Notice of Proposed Rulemaking aimed at enhancing cyber risk management and reporting for various public transportation systems, including pipelines and railroads.

2. **Framework Adoption**: The proposed regulations will build upon existing cybersecurity frameworks established by the National Institute of Standards and Technology (NIST) and cybersecurity performance goals from the Cybersecurity and Infrastructure Security Agency (CISA).

3. **Scope of Impact**:
– The rules will affect certain pipeline and rail owner/operators and impose lesser requirements on specific bus operators.
– Approximately 300 surface transportation owners/operators across various sectors will be regulated, including:
    – 73 freight railroads
    – 34 passenger railroads and public transportation agencies
    – 71 over-the-road bus operators
    – 115 pipeline facilities and systems

4. **Cyber Risk Management Requirements**:
– Establish and maintain comprehensive cyber risk management programs.
– Report cybersecurity incidents to CISA.
– Designate a physical security coordinator and report significant physical security issues to TSA.
– Conduct annual cybersecurity evaluations and develop assessment plans to identify unaddressed vulnerabilities.

5. **Implementation Plan**: The required plans must detail:
– Assigned officials responsible for cybersecurity and critical systems.
– Measures for detecting cyberattacks.
– Strategies for responding to and recovering from cyber incidents.

6. **Industry Collaboration**: TSA Administrator David Pekoske highlighted ongoing collaboration with industry partners to enhance cybersecurity resilience in public transportation infrastructure.

7. **Public Comment Period**: The proposed rule is open for public comment until February 2, 2025, allowing stakeholders and the public to provide input on the regulation.

8. **Context**: This initiative is part of the Biden administration’s efforts to strengthen the cybersecurity of critical infrastructure, particularly following the ransomware attack on Colonial Pipeline in 2021.