The Transportation Security Administration (TSA) published an Advance Notice of Proposed Rulemaking (ANPRM) on November 30, 2022, seeking stakeholder comment on ways to strengthen cybersecurity and resiliency for pipeline and rail systems, with an eye toward potential development of cyber regulations for these surface transportation sectors.
The issuance of the ANPRM follows several key actions related to cybersecurity in critical infrastructure sectors by TSA and the Cybersecurity and Infrastructure Security Agency (CISA), both of which are part of the U.S. Department of Homeland Security (DHS). In July 2022, TSA issued a revised Security Directive on cybersecurity for critical pipelines and liquified natural gas facilities (discussed in our prior blog post), and in October 2022, it issued a pair of Security Directives on cybersecurity for passenger and transit rail systems and for freight rail. Also in October, CISA released its cross-sector cybersecurity performance goals, intended to promote cybersecurity best practices by critical infrastructure owners and operators.
TSA, in the November ANPRM, builds upon the momentum of the past several months and seeks feedback—including from industry associations, third-party cybersecurity subject matter experts, and cybersecurity insurers and underwriters—regarding the development of a comprehensive and forward-looking approach to cybersecurity requirements across surface transportation systems.
Pipes, Trains, and Cyber Ideals
Both the pipeline and rail sectors operate vital supply chain infrastructure, the reliable operation of which is critical for national security and commerce. The criticality of this infrastructure makes both sectors an attractive target for cyber-attacks, as such attacks can affect not only the targeted computer systems but also the vital operations those systems support. For example, an attack on computer systems supporting pipeline or rail operations could cause significant supply shortages, cascading supply chain disruptions, and dramatic increases in commodity prices. Adversaries already have shown their willingness to launch major attacks against critical surface transportation infrastructure, as exemplified by the ransomware attack against Colonial Pipeline in May 2021.
The ANPRM highlights several crucial cyber risks to pipeline and rail systems. One such risk is the increased integration of information technology (IT) and operational technology (OT) systems. OT systems, which include industrial control systems (ICS), are responsible for directly interacting with transportation operations—for example, by managing flow through a pipeline or traffic on a railroad. As IT and OT systems become more integrated, attackers may be able to compromise IT systems and then move laterally into OT systems. Of particular concern is attackers' ability to compromise supervisory control and data acquisition (SCADA) systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems. Another significant cyber risk highlighted by the ANPRM arises from continued reliance on legacy ICS and the inherently geographically dispersed nature of pipeline and rail networks. As noted in the ANPRM, DHS and other federal agencies have recommended that owner/operators and network administrators implement a layered, "defense-in-depth" approach to cybersecurity that includes segregation of OT systems from IT systems to prevent infection of one from spreading to the other.
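The segregation principle described above can be checked mechanically rather than only asserted on a network diagram. The following Python script is an added example, not code from the ANPRM, TSA, DHS, or the post's author: it audits a constructed list of inter-zone firewall rules for traffic that crosses directly between an enterprise IT zone and an OT zone without passing through a DMZ, for overly broad rules into the OT zone, and for ICS protocols exposed on the enterprise side. The zone names, rule format, the ICS port table, and the sample rules are all assumptions made for the example.

```python
"""Inter-zone firewall rule audit for IT/OT segregation (constructed example)."""
from dataclasses import dataclass
from typing import Iterable

ANY_PORT = 0  # sentinel meaning "all ports" in this constructed rule format

# Well-known ICS protocol ports; used here only to make findings more descriptive.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "IT", "DMZ" or "OT" (zones assumed for this example)
    dst_zone: str
    proto: str
    port: int       # ANY_PORT for all ports
    action: str     # "allow" or "deny"


def audit_rules(rules: Iterable[Rule]) -> list[dict]:
    """Return findings for allow rules that weaken IT/OT segregation.

    Checks (an assumed policy, not TSA's):
      it-ot-direct : traffic between IT and OT, in either direction, that does
                     not pass through the DMZ
      ot-any-port  : a rule into OT that permits every port
      ics-in-it    : an ICS protocol permitted on the enterprise side of the DMZ
    Deny rules are skipped; only what is permitted can weaken segregation.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        svc = ICS_PORTS.get(r.port, f"{r.proto}/{r.port}")
        if {r.src_zone, r.dst_zone} == {"IT", "OT"}:
            findings.append({"rule": r.name, "issue": "it-ot-direct",
                             "detail": f"{r.src_zone}->{r.dst_zone} {svc} bypasses the DMZ"})
        elif r.dst_zone == "OT" and r.port == ANY_PORT:
            findings.append({"rule": r.name, "issue": "ot-any-port",
                             "detail": f"{r.src_zone}->OT permits every port"})
        elif r.port in ICS_PORTS and "IT" in (r.src_zone, r.dst_zone):
            other = r.dst_zone if r.src_zone == "IT" else r.src_zone
            findings.append({"rule": r.name, "issue": "ics-in-it",
                             "detail": f"{svc} allowed between IT and {other}"})
    return findings


# Constructed sample policy: two acceptable rules, four weaknesses, one deny.
SAMPLE_RULES = [
    Rule("corp-to-historian", "IT", "DMZ", "tcp", 443, "allow"),      # expected path
    Rule("historian-polls-plc", "DMZ", "OT", "tcp", 502, "allow"),    # expected path
    Rule("eng-ws-direct-modbus", "IT", "OT", "tcp", 502, "allow"),    # it-ot-direct
    Rule("plc-fetches-updates", "OT", "IT", "tcp", 80, "allow"),      # it-ot-direct (reverse)
    Rule("jump-host-any", "DMZ", "OT", "tcp", ANY_PORT, "allow"),     # ot-any-port
    Rule("corp-modbus-gateway", "IT", "DMZ", "tcp", 502, "allow"),    # ics-in-it
    Rule("default-deny", "IT", "OT", "any", ANY_PORT, "deny"),        # ignored
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['issue']:13} {f['rule']:22} {f['detail']}")
```

Run against the sample policy, the script reports the two direct IT/OT rules, the any-port rule into OT, and the Modbus rule on the enterprise side, while leaving the historian path through the DMZ untouched. The same structure extends to real exports by adding a loader that maps a firewall's zone and service fields onto `Rule`.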
To address these and other cyber risks to surface transportation systems, the ANPRM sets forth "core elements" of a cybersecurity risk management (CRM) program:
Although the ANPRM does not say so expressly, surface transportation owners and operators should expect these "core elements" to serve as the baseline for TSA's approach to cybersecurity regulations going forward.
Areas for Comment
In issuing the ANPRM, TSA is soliciting input to inform the eventual development of regulations—pursuant to its authority under the 9/11 Commission Act of 2007—to ensure owners and operators of pipeline and rail infrastructure are adequately equipped to protect against and respond to cybersecurity threats. The ANPRM identifies several policy priorities that will be emphasized as part of its regulatory effort, and requests input on specific questions related to each priority. The priorities identified in the ANPRM include:
The ANPRM provides some specific examples of the feedback TSA hopes to receive from stakeholders, including ideas for ensuring that regulations are able to evolve at the pace of escalating threats; thoughts on the most effective compliance mechanisms, including incentives and grants; and proposals for how to ensure harmony with existing regulatory regimes. The ANPRM also requests information regarding the costs of implementing existing cybersecurity standards and requirements for critical infrastructure, such as the North American Electric Reliability Corporation's Critical Infrastructure Protection reliability standards, in order to inform TSA's cost-benefit analysis of the impact of potential regulations.
Time is relatively tight for stakeholders to provide comments on the areas identified in the ANPRM: the deadline for interested parties to submit comments in response to the ANPRM is January 17, 2023. DWT will continue to monitor developments related to the ANPRM specifically and to cybersecurity issues facing critical infrastructure generally.
© Copyright 2006 – 2022 Law Business Research