TSA Plans Cyber Risk Regulation for Pipeline and Rail SectorAgency Signals Private Sector on Cybersecurity Risk Management Program
More regulation is likely in the future for the U.S. oil pipeline and rail transport industry now that federal regulators say those sectors need comprehensive cybersecurity risk management.
See Also: Energy Sector Threat Brief
The Transportation Security Administration invoked existing authorities dating back to its post-9/11 creation in an advance notice of proposed rule-making calling for a cyber risk management program for pipeline and rail companies.
The advance notice - typically the first step of federal notice-and-comment rule-making procedures - is part of a broader Biden administration effort to pressure critical infrastructure operators into better cybersecurity, an effort that took flight following a May 2021 interruption to gasoline supplies across America's south and the East Coast after Russia-based hackers conducted a ransomware attack on a main pipeline supplier.
Eschewing a fight in Congress over sweeping regulatory legislation certain to run into Republican opposition, the administration has used a combination of voluntary measures and interpretations of existing law to coax and compel cybersecurity improvements from critical infrastructure operators. "Principle number one is: Use what you've got, because you can move fastest in that way," said Anne Neuberger, the White House deputy national security adviser, before a Washington think tank audience in late October (see: CISA Releases Performance Goals for Critical Infrastructure).
The pipeline and rail industries have already come under stepped-up cybersecurity regulation through TSA directives that mandate measures such as an incident response plan, network segmentation policies and continuous monitoring (see: TSA Issues New Cybersecurity Directive for Oil Pipelines).
The agency says a federal cyber risk management program would go beyond those directives to increase industry focus on operational resilience. "Prevention alone is not sufficient," the notice states. Industry should assume that attackers will disrupt systems, meaning that "the capacity and ability to respond and recover swiftly when a cybersecurity incident occurs is key to mitigating disruption and ensuring resilient operations."
The TSA says it's not interested in imposing "static requirements," stating that a risk management program should encourage continual assessment of the threat environment and the dynamic adoption of security controls.
Public comments about the advanced notice of proposed rule-making are due Jan. 14.