The Transportation Security Administration proposed new rules this week that would codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management (CRM) plans. 

The rule would formalize several security directives issued by TSA since the ransomware attack on Colonial Pipeline in 2021. 

“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” said TSA Administrator David Pekoske. 

“The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders.”

The proposed rules, as laid out in the Federal Register on Thursday, would affect “certain pipeline and rail owner/operators,” and impose lesser requirements on some types of bus operators. 

The rules would require cyber risk management plans overseen by TSA, which would need to include three elements:

• Annual cybersecurity evaluations; 
• Assessment plans that identify unaddressed vulnerabilities, and which are not run by officials who “have a personal, financial interest in the results of the assessment”;
• A cybersecurity operational implementation plan that identifies officials in charge of cyber, outlines critical cyber systems and how they are protected, details measures in place to detect cyberattacks and describes what will be done to address and recover from cyber incidents

Under the rules, organizations would be required to report cyber incidents to the Cybersecurity and Infrastructure Security Agency.

TSA said it estimates that the proposed rule would impact about 300 surface transportation owners and operators. 

The agency said that 73 of the approximately 620 freight railroads currently operating in the U.S. would be impacted, along with 34 of the approximately 92 public transportation agencies and passenger railroads; 71 over-the-road bus owners and operators; and 115 of the more than 2,000 pipeline facilities and systems.

The agency estimated that the industry's costs associated with implementing the proposed requirements, as well as TSA's costs for overseeing implementation, will reach $2.1 billion over 10 years.

A TSA spokesperson explained to Recorded Future News that security directives are typically issued in response to immediate threats and allow agencies to move quickly, while formal rules like the one unveiled this week go through a lengthier comment and roll-out period. 

“In the proposed rule, TSA has maintained the outcome focused and performance-based approach to cybersecurity and provided what we believe to be adaptable, scalable, and appropriate measures to meet the current and future cyber threats,” the spokesperson said. 

“If this proposal becomes a final rule, TSA would codify and make permanent the requirements imposed by TSA’s cyber security directives that were issued to address an immediate threat to transportation security.” 

The agency will solicit input from regulated industries on the rules until February 5. The spokesperson noted that the agency has met with industry operators already to get their input on the new rules and explained that the “unprecedented threats from nation-state actors to transportation systems have necessitated quick action and TSA acted to ensure that appropriate protections were put in place.” 

In 2022, the industry pushed back against security directives, which experts, trade groups and companies said were too prescriptive. One expert told Recorded Future News at the time that the first directives were “an alphabet soup of buzzwords (zero trust, MFA) and kitchen sink requirements that just didn't apply” to many environments that tend to be customized and specific. 

The TSA spokesperson said the agency has consistently tried to offer flexibility to operators as they craft cyber defenses “that are appropriate for their networks and achieve the outcomes necessary to protect critical systems from interference and disruption.”  

“The requirements included in this proposed rule for cyber risk management reflect the lessons learned from the implementation of security directives and feedback received from industry and informed government partners,” they said. 

The rule explicitly mentions the Colonial Pipeline ransomware attack in May 2021 as the catalyzing event that prompted agencies like TSA to increase their focus on cybersecurity. 

The attack caused a weeklong shutdown of 5,500 miles of petroleum pipelines on the East Coast. In response to that incident, TSA issued emergency cybersecurity requirements but the “cyber threat to the country's critical infrastructure has only increased in the time since TSA initially issued [security directives] to address cybersecurity in surface transportation in 2021.”

“Cyber threats to surface transportation systems continue to proliferate, as both nation-states and criminal cyber groups target critical infrastructure in order to cause operational disruption and economic harm,” the rule says. 

“Cyber attackers have also maliciously targeted other surface transportation modes in the United States, including freight railroads, passenger railroads, and rail transit systems, with multiple cyberattack and cyber espionage campaigns.”

TSA warned that cybersecurity incidents and ransomware attacks are “likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks.”

The rule mentions both Russia and China as consistent perpetrators of cyberattacks intended to disrupt U.S. critical infrastructure — referencing the recent concern about Volt Typhoon and other operations. 

Concern over nation-state attacks and the potential use of artificial intelligence to propagate faster, more evasive and more devastating attacks has forced the TSA to move beyond voluntary rules, the agency said. 

“The requirements proposed in this rule would strengthen cybersecurity and resiliency for the surface transportation sector by mandating reporting of cybersecurity incidents and development of a robust CRM program,” TSA said.