A new rule proposed by the Transportation Security Administration (TSA) will establish cyber risk management and reporting requirements for pipeline and railroad owners and operators.
In a proposed rule published as a Notice of Proposed Rulemaking, the TSA said Wednesday that it would continue to build on cybersecurity requirements based on its previously issued Security Directives. The new proposed rule will leverage the existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).
The proposed rule will strengthen cybersecurity for pipelines, freight railroads, passenger railroads and transit rail by requiring owner/operators with higher cybersecurity risk profiles to establish and maintain cyber risk management programs, while requiring bus-only public transportation and over-the-road bus owner/operators to report cybersecurity incidents to CISA. Pipeline owner/operators will be required to name a physical security coordinator and report any physical security concerns to the TSA.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
The proposed requirements, the agency said, would ensure that effective cybersecurity is maintained and would strengthen cybersecurity resilience across the surface transportation system sector.