The US Transportation Security Administration (TSA) has proposed new rules aimed at protecting the country’s transport infrastructure from cyber attacks. These measures are intended to build upon temporary directives put in place following the 2021 attack on the Colonial Pipeline. The proposed rules represent one of the final cybersecurity initiatives of the outgoing Biden administration to enhance the security of critical infrastructure before the transfer of power.
The objective of the new rules is to enhance cybersecurity and promote a unified approach to safeguarding key sectors of the US transportation system. TSA has worked closely with industry partners to ensure that the new rules take into account industry preferences for protecting transportation infrastructure facilities.
Following the cyber attack on the Colonial Pipeline in May 2021, TSA initially implemented mandatory cybersecurity measures for pipelines, as previous security measures in this area had been voluntary. However, these initial directives faced criticism from some representatives of the oil and gas industry. TSA subsequently revised the requirements to address industry concerns. With the temporary measures requiring annual extensions, TSA has decided to move towards establishing permanent regulations.
The proposed rules will impact approximately 300 operators in the freight and passenger railways, rail and pipeline transportation, and aviation sectors. Companies will be required to develop cybersecurity management programs and operational cybersecurity plans, conduct regular audits to assess their effectiveness, and promptly report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the rules will mandate adherence to the principles of CISA Secure-by-Design and Secure-by-Default, as well as the implementation of standards for employee training, certification, and verification.
These requirements will not only apply to existing facilities but will also extend to major pipelines transporting hazardous liquids or carbon dioxide, particularly those of strategic significance to the US Department of Defense.
It is estimated that the new rules will impact 73 freight railways, 34 public transportation systems and passenger railways, and 115 pipeline facilities. Furthermore, 71 vehicles will be required to report significant security incidents as part of the proposed regulations.