The federal Transportation Security Administration (TSA) yesterday proposed to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators, including those running pipelines and railroads.
The notice of proposed rulemaking suggests a new standard that would require that:
- certain pipeline, freight railroad, passenger railroad, and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
- these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA to also report cybersecurity incidents to CISA; and
- higher-risk pipeline owner/operators adopt TSA's current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.
The publication of a “notice of proposed rulemaking” in the Federal Register typically begins a 60-day period for public comment from any interested party, and an additional 30 days for reply comments.
"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation's critical transportation infrastructure," TSA Administrator David Pekoske said in a release. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."
The notice came a week after a White House representative warned the trucking freight industry that the People’s Republic of China (PRC) has remained the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks. The briefing came from a member of the administration’s Office of the National Cyber Director, in an address to attendees at the National Motor Freight Traffic Association (NMFTA)’s Cybersecurity Conference.
“In January, the National Cyber Director testified in front of Congress along with colleagues from CISA, NSA, and the FBI about this threat from the PRC, dubbed Volt Typhoon,” speaker Stephen Viña said in his remarks. “Volt Typhoon conducted cyber operations focused not on financial gain, espionage, or state secrets but on developing deep access to our critical infrastructure. This includes the energy sector transportation systems, among many others. A prolonged interruption to these critical services could disrupt our ability to mobilize in the event of a national emergency or conflict and can create panic among our citizens. Ultimately, if trucking stops, America stops.”
