TSA Seeks Comments on Strengthening Pipeline and Rail Cybersecurity and Resiliency

Updated on 2022-11-30: TSA Seeks Comments on Strengthening Pipeline and Rail Cybersecurity and Resiliency

The US Transportation Security Administration (TSA) has published an advance notice of proposed rulemaking “regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors.” TSA is accepting public comments through January 17, 2023.

Note

• Are the cybersecurity requirements for both the pipeline and rail sectors really that unique? Each of the critical infrastructure sectors share more in common when it comes to developing cybersecurity best practices. What’s needed is a common and prioritized set of safeguards to achieve a baseline cybersecurity posture. The good news, one exists [CIS Critical Security Controls] and is measurably effective against the top five attack types.
• Note that comments can only be accepted via the Federal eRulemaking Portal, US Mail, or Fax and must be submitted by January 17th, 2023. The eRulemaking portal is going to be your best bet here. The proposed rulemaking includes goals such as common security frameworks, segmentation, patching and access controls; the need is for those with experience in the field to review and make sure they can be accomplished.
• Publishing for comment is good practice for regulators.

Read more in

• Enhancing Surface Cyber Risk Management
• TSA Plans Cyber Risk Regulation for Pipeline and Rail Sector
• TSA Gearing Up to Issue Pipeline, Rail Sector Cyber Requirements

Updated on 2022-10-24: New TSA cybersecurity directive

The Transportation Security Administration (TSA) unveiled new cybersecurity regulations for passenger and freight railroad carriers last week. The new rules take effect on October 24 and will last one year. Railroad companies are now mandated to deploy network segmentation policies that separate OT systems from other IT networks—in case of compromise. In addition, carriers will also have to deploy threat detection systems and timely patches for operating systems, applications, drivers, and firmware. Read more:

• TSA issues new cybersecurity requirements for passenger and freight railroad carriers
• TSA unveils new railroad cybersecurity directive

Overview: US Transportation Security Administration Publishes Rail Cybersecurity Guidance

The US Transportation Security Agency (TSA) has published cybersecurity guidelines for freight and passenger rail systems. The directive was developed to comply with the White House’s effort to strengthen the cybersecurity of the country’s infrastructure. Among the requirements: develop network segmentation policies and controls; create access control measures; build continuous monitoring and detection policies and procedures; and keep operating systems, applications, firmware, and drivers patched in a timely manner.

Note

• This continues the movement to raise the bar across critical sector areas. This guideline extends the earlier 1580-21-01 security directive which went into effect December 31, 2021. Requirements include not only implementing enhanced security measures but also establishes an annual assessment plan as well as regular and proactive assessment activities. Rail System operators are expected to share data with TSA who will likely share it with DHS/CISA to identify vulnerabilities, track trends and cyber security incidents.

Read more in

• Rail Cybersecurity Mitigation Actions and Testing (PDF)
• TSA issues new cybersecurity requirements for passenger and freight railroad carriers (Press Release)
• New TSA Directive Aims to Further Enhance Railway Cybersecurity
• TSA rolls out long-anticipated cyber directive for freight, passenger rail systems