The Transportation Security Administration (TSA) is seeking input on ways to strengthen cybersecurity and resiliency in the pipeline and rail sectors, according to the agency’s advance notice of proposed rulemaking (ANPRM) published on Nov. 30.
TSA’s request for input follows heightened government interest in improving cybersecurity in critical infrastructure sectors, and in the case of pipelines, the hack of Georgia-based fuel supplier Colonial Pipeline in 2021.
The agency is particularly interested in hearing from owners and operators of high-risk pipeline and rail systems so that TSA can develop a comprehensive and forward-looking approach to cybersecurity requirements.
The scope of pipeline transportation assets laid out in the ANPRM includes those that transport hazardous liquids, natural gas, and other liquids and gases for energy needs and manufacturing. The scope of rail operations includes freight, passenger, and transit railroads.
“In light of the critical role that pipelines and rail sectors play in our nation’s economic and national security, as well as the ongoing and growing cyber threats to such sectors, TSA has determined that it is appropriate to issue a regulation for [cyber risk management] (CRM) in these sectors,” the 46-page document reads. “This ANPRM is the first step in this process.”
The agency is requesting comments by Jan. 17, 2023, to specific questions about how the pipeline and rail sectors implement CRM in their operations. TSA is asking questions that fall under several categories:
- Identifying current baseline of operational resilience and incident response;
- Identifying how CRM is implemented;
- Maximizing the ability for owners and operators to meet evolving threats and technologies;
- Identifying opportunities for third-party experts to support compliance;
- Cybersecurity maturity considerations; and
- Incentivizing cybersecurity adoption and compliance.
The questions are meant to solicit input “to ensure this rulemaking effort adequately addresses” the agency’s policy priorities, TSA said.
The agency is also interested in input from representative associations, third-party cybersecurity subject matter experts, insurers and underwriters for cybersecurity risks, labor unions, state, tribal, and local governments, and the general public who rely on these systems.