The Transportation Security Administration (TSA) is taking significant strides to enhance cybersecurity in critical infrastructure. In line with its commitment to safeguarding pipeline and rail operations, the TSA has announced its intention to issue a notice of proposed rulemaking (NPRM) in September 2023. Building upon the two security directives issued in 2022, this NPRM marks a pivotal milestone in the TSA's ongoing cybersecurity efforts.
The NPRM will allow stakeholders and industry experts to contribute their expertise and perspectives. Following a designated period for public comment, the TSA will carefully review the feedback before issuing the final decision. The proposed regulation, subject to approval by OMB's Office of Information and Regulatory Affairs, will establish mandatory cybersecurity requirements for pipeline and rail operators.
Under these requirements, pipeline and rail operators must implement essential cybersecurity measures. These measures include incident reporting, vulnerability assessments, and comprehensive risk management protocols. By adopting these steps, operators will strengthen their cybersecurity posture against rising cyber threats. The Security Directives, first previewed at the Hack the Railroad conference powered by Cylus and MISI, extended cybersecurity requirements to achieve critical outcomes.
The requirements open for public comment in September are:
1. Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the measures employed to achieve the following within 120 days of the Security Directive (SD) effective date:
   - Identify critical cyber systems or data that, if compromised or exploited, could result in operational disruption.
   - Develop network segmentation policies and controls to ensure that the Operational Technology systems can continue to safely operate in the event that an Information Technology system has been compromised and vice versa.
   - Create access control measures to secure and prevent unauthorized access to critical cyber systems.
   - Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
   - Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
2. Establish a Cybersecurity Assessment Program and submit an annual plan to TSA that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities. This plan is required to be submitted to TSA within 60 days of the TSA’s approval of the owner/operator’s Cybersecurity Implementation Plan.
What can you do?
The TSA encourages stakeholders to participate in the public comment process for the NPRM. By doing so, individuals can contribute to ensuring the safety and security of critical infrastructure and play a role in shaping the future of rail.