The Transportation Security Administration (TSA) has proposed new rules requiring those under its jurisdiction to follow specific cyber risk management (CRM) requirements, report cybersecurity incidents in a certain timeframe, and address physical security concerns.
This is positive news for the transportation industry, as hundreds of attacks have been leveled against the sector. These attacks have the potential to impact the supply chain, create chaos, and endanger human lives.
TSA’s notice of proposed rulemaking (NPRM) “continues TSA’s commitment to performance-based requirements and builds on TSA’s previously issued cybersecurity requirements aimed at establishing sustainable and comprehensive cyber risk management programs for owners and operators with high-risk profiles,” explained Chad Gorman, TSA’s deputy executive assistant administrator for operations support.
Threats to Transportation
The transportation sector is often caught in the crosshairs of socioeconomic and political unrest and is particularly vulnerable to DDoS attacks that interrupt services. Cyberattacks aimed at the industry can:
- Shut down railway, bus, or airline services.
- Block access to, or expose, sensitive data (passenger-related or intellectual property).
- Imperil customer and operator lives.
- Publish stolen transportation industry data online as a penalty for refusing to pay a ransom.
- Disrupt supply chains and negatively impact the timely receipt of shipments (causing reverberating effects in all sectors that rely on material goods: mining, healthcare, agriculture, etc.).
And more. Transportation is a powerful sector with a unique, widespread reach into society’s everyday operations. Threat actors looking for notoriety, recognition, or simply to make a large-scale impact (with the hope of monetary gain) target this sector because disruptions there make news headlines worldwide. How is that for pressure on your victim?
The Development of New TSA Security Requirements
As noted in the official documentation, “The cyber threat to the country’s critical infrastructure has only increased in the time since TSA initially issued SDs to address cybersecurity” as “cyber attackers have…maliciously targeted other surface transportation modes in the United States, including freight railroads, passenger railroads, and rail transit systems, with multiple cyberattack and cyber espionage campaigns.”
Last year, the Intelligence Community noted that China “almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems,” underscoring the urgency of shoring up transportation cyber defenses now.
By mandating that the sector report cybersecurity incidents and develop a robust cyber risk management program, TSA seeks to strengthen the cybersecurity and resilience of the surface transportation sector.
What are the newly proposed TSA cybersecurity rules?
TSA’s proposed rules draw from the NIST framework and CISA’s cross-sector cybersecurity performance goals. They apply to:
- Certain pipeline and rail owners/operators
- Certain over-the-road-bus (OTRB) owners/operators
Or, put broadly, the surface transportation sector. If put into effect, they would:
- Require owners/operators of designated freight railroads, passenger railroads, rail transit, and pipeline facilities and/or systems to have a CRM program approved by TSA.
- Require those owners/operators to develop a COIP (Communications Over Internet Protocol) that includes:
  - Individuals responsible for CRM governance.
  - The identification of baseline communications, special network architecture challenges, and Critical Cyber Systems.
  - Detailed measures to secure those Critical Cyber Systems.
  - Thorough methods to detect and monitor incidents within Critical Cyber Systems.
  - Incident response and recovery provisions.
- Require those owners/operators to have a CAP (Cybersecurity Assurance Program), which would include:
  - A schedule for assessments.
  - An annual report of assessment results.
  - Identification of unaddressed vulnerabilities.
There is also a new focus on separating physical and cyber security reporting. Currently, owners/operators are required to report cybersecurity incidents to TSA; under the proposed requirements, only physical security issues would be reported to TSA, while cybersecurity incidents would be reported directly to CISA.
Desired Outcomes and Considerations
TSA notes in the official document that if followed, these newly proposed rules would give owners/operators within the transportation sector a “blueprint” for bolstering cybersecurity defenses against attack. The recommended measures – maintaining backups, monitoring systems, developing a response plan, and more – would ideally empower US transportation entities to:
- Limit access to sensitive resources via patch management, network segmentation, and firewalls.
- Restore systems, recover data, and promote system operations with the help of regular backups.
- Detect and respond to threats better with continuous network monitoring.
And more. However, before TSA’s new proposals are signed into law, stakeholders want assurance that US transportation owners/operators can meet these requirements without unforeseen consequences.
Said Kimberly Denbow, the American Gas Association’s vice president of security and operations, “Reasonable cybersecurity regulations have to be attainable. The operators have to be able to achieve them. They have to be sustainable. The operators have to be able to sustain them and keep them going; otherwise, it’s wasted money.”
While the practical implementation of these mandates might yet be up for debate (at least until early next year), one thing is certain: given the severity and persistence of today’s threats, TSA’s move to impose a codified risk management program on the nation’s transportation sector is a step in the right direction.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.