TSA Publishes Surface Transportation Cybersecurity ANPRM
Today the TSA published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (87 FR 73527-73538) for “Enhancing Surface Cyber Risk Management”. In this rulemaking the TSA “is seeking input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors.”
Preamble
The preamble to the rule discusses the key aspects of the surface transportation sectors being addressed in this rulemaking:
It goes on to discuss the cybersecurity threats currently facing those transportation sectors and the specific threats facing the nexus between IT and OT systems. It then looks at the Safety Directives that the TSA has issued for those sectors over the last two years. Then, the preamble looks at existing TSA security regulations for the surface transportation sector.
Finally, the preamble outlines existing cybersecurity regulations and guidance available for other critical infrastructure sectors.
Policy Priorities
In planning for this rulemaking, the TSA has identified seven policy priorities that support the TSA’s intent in regulating cyber risk management (CRM) in surface transportation:
Assessing and improving the current baseline of operational resilience and incident response,
Maximizing the ability for owner/operators to be self-adaptive to meet evolving threats and technologies,
Identifying opportunities for third-party experts to support compliance,
Accounting for the differentiated cybersecurity maturity across the surface sector and regulated owner/operators,
Incentivizing cybersecurity adoption and compliance,
Measurable outcomes, and
Regulatory harmonization.
Core Elements
TSA has identified the following core elements for surface transportation CRM:
Designation of a responsible individual for cybersecurity,
Access controls,
Vulnerability assessments,
Specific measures to gauge the implementation, effectiveness, efficiency, and impact of cybersecurity controls,
Drills and exercises,
Technical security controls (e.g., multi-factor authentication, encryption, network segmentation, anti-virus/anti-malware scanning, patching, and transition to “zero trust” architecture),
Physical security controls,
Incident response plan and operational resilience,
Incident reporting and information sharing,
Personnel training and awareness,
Supply chain/third-party risk management, and
Recordkeeping and documentation.
ANPRM Questions
TSA has listed a series of specific questions that it is looking for input on from industry and the public in this ANPRM. These questions cover the following topics (number of questions in each topic):
Identifying current baseline of operational resilience and incident response (6),
Identifying how CRM is implemented (6),
Maximizing the ability for owner/operators to meet evolving threats and technologies (25),
Identifying opportunities for third-party experts to support compliance (3),
Cybersecurity maturity considerations (3), and
Incentivizing cybersecurity adoption and compliance (3).
Public Comments Solicited
TSA is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2022-0001). Comments should be submitted by January 17th, 2023 (I expect that there will be several requests for an extension of this deadline due to the holidays).