TSA Notice of Proposed Rulemaking Targets Cyber Risk Management for Pipelines and Railways

January 24, 2023

On Nov. 30, 2022, the Transportation Security Administration (TSA) published an advance notice of proposed rulemaking (ANPRM) aimed at enhancing cyber risk management in the pipeline and rail sectors. Indeed, the ANPRM recognizes the critical role pipelines and railroads play in ensuring economic and national security. But the ongoing and growing risk of cyberattacks increases the potential for devastating consequences of short- and long-term disruptions to such sectors. Thus, the ANPRM reflects the government’s interest in ensuring the safety, security and resiliency of pipelines and railways.

The ANPRM identifies several cyber risks to the pipeline and rail sectors. One risk is the threat of ransomware attacks and other cybersecurity incidents targeting information technology (IT) and operational technology (OT) systems, including the connections between these systems. The term “IT systems” generally refers to sets of services, equipment or interconnected systems organized for the automatic acquisition, storage, analysis, evaluation, etc., of data and information. The term “OT systems,” on the other hand, generally encompasses several types of control systems, “including industrial control systems, supervisory control and data acquisition [(SCADA)] systems, distributed control systems, and other control system configurations.” In the pipeline sector, this includes SCADA and distributed control systems.

The pipeline and rail sectors, along with nearly all other industrial businesses, rely on functioning IT and OT systems to conduct operations consistently and reliably. This has resulted in increased integration of IT systems with industrial operations. As a result, there is a growing fear that attackers may migrate from business computer systems to those that control and manipulate industrial operations. For this reason, the Department of Homeland Security, the Department of Energy and the FBI have encouraged a layered, “defense-in-depth” cybersecurity strategy to segregate IT and OT systems to protect against infections across systems.

To address IT system and OT system threats, as well as other cybersecurity threats, the ANPRM describes the “core elements” of a cybersecurity risk management program. Those core elements include, among other things:

  • designation of a responsible individual for cybersecurity;
  • access controls;
  • training, drills and exercises;
  • technical and physical security controls;
  • incident response plan and operational resilience; and
  • record keeping and documentation.

Finally, in issuing the ANPRM, TSA solicits comments from interested individuals and organizations to aid in the development of future regulations. More specifically, TSA seeks comments to address the following policy priorities:

  • assessing and improving the current baseline of operational resilience and incident response;
  • maximizing the ability for owner/operators to be self-adaptive to meet evolving threats and technologies;
  • identifying opportunities for third-party experts to support compliance;
  • accounting for differentiated cybersecurity maturity across the surface sector and regulated owner/operators;
  • incentivizing cybersecurity adoption and compliance;
  • measurable outcomes; and
  • regulatory harmonization.

Stakeholders must provide all comments by Feb. 1, 2023. Meanwhile, pipeline operators, railway companies and other critical infrastructure owners and operators should expect increased regulatory action to combat cybersecurity threats. Indeed, the intelligence community continues to warn that various foreign countries and strategic competitors will continue to use cyber espionage and cyberattacks to harm the United States and its allies. Thus, the ANPRM signals a shift in critical infrastructure sectors from encouraging voluntary and incentivized measures to requiring mandatory action. The ANPRM also may represent a trend other regulators and enforcement agencies will adopt in the future.