The U.S. House Homeland Security Subcommittee on Transportation and Maritime Security held a hearing on Tuesday to examine how the Transportation Security Administration (TSA) manages cybersecurity risks within the transportation sector, particularly following the recent release of a Notice of Proposed Rulemaking (NPRM) affecting cybersecurity practices in rail, pipeline, and bus transportation.
For the subcommittee hearing, entitled ‘Impacts of Emergency Authority Cybersecurity Regulations on the Transportation Sector,’ the House Homeland Security Committee listed two witness panels. The first consisted of Steve Lorincz, deputy executive assistant administrator for security operations at the TSA; Chad Gorman, deputy executive assistant administrator for operations support at the TSA; and Tina Won Sherman, director for Homeland Security and Justice at the Government Accountability Office. The second panel consisted of Ian Jefferies, president and chief executive officer of the Association of American Railroads; and Kimberly Denbow, vice president of security and operations at the American Gas Association.
“I have concerns about the TSA’s current approach. In recent years, TSA has issued numerous Security Directives aimed at addressing cyber risks,” Carlos Gimenez, a Florida Republican and House Homeland Security Subcommittee on Transportation and Maritime Security chairman, said in his opening statement. “However, these directives often seem reactive, hastily implemented, and lacking the necessary consultation with stakeholders. Industry feedback indicates that these directives can be overly prescriptive rather than performance-based, limiting operators’ ability to tailor cybersecurity practices to their specific operational needs.”
Gimenez noted that a Security Directive that lacks clarity and flexibility may do more harm than good. Instead of fostering robust security measures, it can lead to confusion, inefficiency, and a checkbox mentality, where compliance is valued over actual risk reduction. “Moreover, the lack of collaboration with industry experts—the people who understand these systems best—raises concerns about whether these directives are even capable of addressing the most pressing vulnerabilities.”
He added that less than two weeks ago, TSA issued a Notice of Proposed Rulemaking that aims to establish mandatory cyber risk management and reporting requirements for certain surface transportation owners and operators.
“The sheer complexity of these regulations—spanning over 300 pages—is overwhelming, especially considering smaller operators who are already operating with limited resources,” Gimenez highlighted. “These proposed rules raise an important question: will they effectively fulfill their intended purpose by reducing cybersecurity risks within the transportation sector, or will they simply place an undue burden on operators?”
He mentioned that the TSA should empower operators with the flexibility to develop and implement tailored cybersecurity strategies that best address their unique risks and operational needs.
“Cyberattacks are an evolving and persistent threat. Cyber threat actors, including nation states, have demonstrated their intent and ability to conduct malicious cyber activity targeting critical infrastructure by exploiting vulnerabilities present in both Operational Technology (OT) (the hardware and software that controls physical devices, processes, and infrastructure) and Information Technology (IT) systems,” Gorman and Lorincz wrote in their joint statement. “Unlike traditional kinetic threats we confront, cyber threats are not bound by global borders. They can cross vast distances between our adversaries and U.S.-based critical transportation infrastructure in seconds, drastically impacting our ability to respond successfully with our more traditional and time-bound approaches.”
They highlighted that nation-state actors like Russia, China, Iran, and North Korea recognize that cyber capabilities bypass geographical limitations and, accordingly, have developed and demonstrated capabilities that pose significant cyber threats to the U.S. The Director of National Intelligence has stated that “our adversaries and strategic competitors possess, and in the case of the People’s Republic of China (PRC), have prepositioned cyberattack capabilities that could be used against U.S. critical infrastructure, including transportation, especially during times of increased conflict.”
In response to these evolving threats, they noted that the TSA Administrator has utilized his emergency authorities found in both statute and regulation. The administrator’s ability to leverage these authorities and respond immediately during emergencies has significantly mitigated threats posed by a rapidly evolving, and increasingly volatile, cyber environment.
Addressing the surface transportation security domain, the cybersecurity Security Directives (SDs) require higher-risk pipelines, freight railroads, passenger rail, and rail transit operators to take several critical actions, though rail transit operators are subject only to the first three. These include:
- Develop and submit to TSA a Cybersecurity Implementation Plan (CIP) to achieve performance-based security outcomes;
- Develop and maintain an up-to-date Cybersecurity Incident Response Plan (CIRP) to reduce the risk of operational disruption following cybersecurity incidents;
- Develop and submit to TSA a Cybersecurity Assessment Plan (CAP) to ascertain the effectiveness of cybersecurity measures and to identify and resolve device, network and/or system vulnerabilities;
- Develop and submit to TSA an annual report that provides the results of the Cybersecurity Assessment Plan from the previous year.
Gorman and Lorincz said that in promulgating these SDs and security program amendments, TSA engaged with stakeholders to enhance understanding of the threat landscape and gather industry feedback. “Since August 2023, TSA also led several in-person and virtual meetings to discuss the pipeline SDs with pipeline owners and operators from various associations and companies.”
Additionally, TSA hosts a bi-weekly call with the owners and operators subject to the rail SDs to share information and answer questions on the SDs and inspection requirements. Similar calls have begun within the last few months for airports and air carriers. In these engagements, TSA also discusses its cybersecurity policy and strategy, identifies opportunities for improvement, and provides contextual information via the sharing of intelligence and incident information.
The TSA also engages regularly with its Surface Transportation Security Advisory Committee (STSAC) and Aviation Security Advisory Committee (ASAC) to share and discuss security requirements, issues, and challenges. These statutorily created committees include representation from interagency partners and industry.
“Concurrently with these efforts, TSA published a Notice of Proposed Rulemaking (NPRM) that would codify the provisions of the SDs for certain surface modes of transportation into a Cybersecurity Risk Management Program,” Gorman and Lorincz detailed in their testimony. “This proposed rule opened for public comment on November 8, 2024. It continues TSA’s commitment to performance-based requirements, builds on TSA’s previously issued cybersecurity requirements from the SDs, and seeks to establish a sustainable and comprehensive cyber risk management program for owners and operators that have higher cybersecurity risk profiles.”
They added that “Our routine engagements with stakeholders, as well as coordination with inter-agency partners such as DOT, USCG, and CISA, have been critical in this process – as with the SDs, their feedback has informed decisions on the proposed rulemaking.”
Within the aviation sector, Gorman and Lorincz pointed out that the TSA continues to partner with aviation entities to elevate their cybersecurity stance. “TSA has partnered and communicated, at the appropriate level based on the maturity of the covered parties, cybersecurity program changes to their cybersecurity programs. As of October 1, 2024, TSA has reviewed and approved over 70 percent of the cybersecurity implementation plans and conducted several inspections of covered parties.”
Within the surface modes, all pipeline CIPs have been approved, and nearly all rail plans have been approved. In preparation for the SD CIP inspections, owners and operators were contacted by their Regional Security Director or inspection point of contact well in advance of the inspection to provide details and to coordinate any documentation in advance to ensure all parties were properly prepared.
“As of May 2024, TSA completed all initial pipeline inspections. By the end of Fiscal Year (FY) 2024, 96 percent of rail inspections have been conducted,” Gorman and Lorincz said. “With the approved CIPs in surface, most owners and operators have developed and submitted their CAPs to test the effectiveness of the measures outlined within their CIPs. As of October 23, 2024, TSA has approved 99 percent of pipeline and 45 percent of rail CAPs.”
“In late 2022, following the extension of the original SDs into a second year, TSA issued an Advanced Notice of Proposed Rulemaking. AGA member utilities supported this action, favoring reasonable pipeline cybersecurity regulations provided they are attainable, sustainable, and auditable by TSA,” the American Gas Association’s Denbow said in her testimony. “As 2023 progressed, pipeline owners/operators urged TSA to proceed with a pipeline cybersecurity rulemaking rather than continuing to regulate by SDs. The Notice of Proposed Rulemaking for this, now multi-modal, rule was not released until November 7, 2024.”
She added that had the TSA moved a pipeline-only cybersecurity rulemaking, the whole process would have likely concluded a year ago. “While we understand TSA’s interest in consolidating three surface modes into a single rulemaking, this has unnecessarily prolonged the SD process for pipelines. Bottom line, we recognize the urgency that drives the issuance of SDs, however, there need to be guardrails to limit the ‘regulating-by-SD’ approach so that government and the affected industry can quickly and appropriately move toward a standard regulatory process.”
Relative to the recently released NPRM, AGA commends TSA for issuing proposed rules that are risk-based, outcome-focused, and for the most part, an extension of the recent iterations of the pipeline SDs.
“That said, two areas within the NPRM, corporate cybersecurity governance responsibilities and supply chain cybersecurity integrity are prescriptive, confusing, and in some cases unachievable and were never covered in TSA’s previous pipeline SDs,” Denbow identified. “A third area, employee cyber training, was introduced in the most recent SD but is fully and unhelpfully prescriptive in the NPRM. These unexpected regulatory roadblocks could have been circumvented had TSA hosted Pipeline Security Technical Roundtables (similar in structure to the Pipeline Security Directive Technical Roundtables) before drafting the proposed regulation. TSA missed opportunities to gain useful owners/operator insight and avoid stakeholder confusion.”
In his testimony, Association of American Railroads CEO Jefferies said that while the industry was pleased to see TSA issue this rule through the regulatory process and allow for robust public comment, the NPRM would have greatly benefited from earlier discussions with the industry about potential requirements in a more informal setting, such as negotiated rulemaking. The industry is still digesting the very lengthy proposal and will provide robust comments. There are a few long-standing concerns for the railroads that the NPRM does not fully address.
For example, Jefferies detailed that the NPRM would require railroads to report an incident within 24 hours of it occurring. “Congress specifically set the timeframe for reporting incidents at 72 hours under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Not only does this lack of harmonization create confusion, the 24-hour window is impractical. Within 24 hours, an attack could still be occurring, the information about the incident would be less complete, if not inaccurate, and railroads would be pulling resources and manpower away from responding to the attack and towards complying with reporting requirements. The railroads would have to then supplement the initial report as their information becomes available or changes.”
Similarly, Jefferies said that the NPRM also requires that a railroad’s security coordinator be a U.S. citizen, which the railroads have flagged with TSA as a major concern for several years. He pointed out that two large railroads in the U.S. are headquartered in Canada and employ Canadian citizens in high-level cybersecurity roles. Prohibiting these highly skilled senior-level employees from representing their companies as security coordinators serves no clear security benefit and makes it extremely difficult for these Canadian railroads to comply.
He further observed that the TSA’s decision to issue the recent NPRM and move away from security directives and towards the normal rulemaking process is a welcome one that will make these regulations more effective.