Dive Brief:
- The Transportation Security Administration is seeking public comment on proposed requirements for surface transportation and pipeline companies to implement cyber risk management programs, the agency said Wednesday. The public comment period ends on Feb. 5, 2025.
- The proposed rule calls for certain pipeline, passenger and freight rail operators and rail system companies with high-risk profiles to develop comprehensive cyber risk management programs.
- Pipeline, rail and certain bus transportation or transit systems would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency. The sectors would report any physical security risk concerns to TSA.
Dive Insight:
The proposed mandates follow years of work to strengthen cybersecurity oversight, which was accelerated after the 2020 Sunburst attacks and the 2021 ransomware attack on Colonial Pipeline.
TSA officials declined to elaborate on the proposed pipeline requirements, but did provide additional insight on the proposed rules for surface transportation.
“TSA has, to the maximum practicable extent, met with industry operators to get their input on requirements under consideration,” a TSA spokesperson told Cybersecurity Dive via email. “In the last three years, the unprecedented threats from nation-state actors to transportation systems have necessitated quick action and TSA acted to ensure that appropriate protections were put in place.”
TSA is also extending requirements to appoint a physical security coordinator to the pipeline industry and will require reports on physical security issues.
The proposed rules leverage the cybersecurity framework established by the National Institute of Standards and Technology and CISA’s sector-risk management performance goals.