
TSA Proposes New Cyber Rules and Moves to Formalize Security Directives for US Pipelines

November 22, 2024

The Transportation Security Administration (TSA) recently proposed new rules seeking to mitigate cyber risk for certain surface transportation sectors, such as pipeline and railroad owners and operators. The original Security Directive was published in 2021 following the Colonial Pipeline incident, which caused gas shortages across the southeastern United States, and was then updated and reissued in 2023. The currently proposed rules would formalize the pipeline security directive and expand the scope of cyber requirements more broadly across surface transportation, including rail.

In the U.S., a security directive is an immediate, legally enforceable action required to address specific threats or vulnerabilities, often issued in response to an urgent situation. Formalizing a directive into a "rule" involves codifying it into regulation through a structured process that includes public notice, comment, and adoption, ensuring its long-term enforceability under administrative law.

TSA’s existing Security Directive requires pipeline owners and operators to:

  1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa
  2. Create access control measures to secure and prevent unauthorized access to critical cyber systems
  3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations
  4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology
  5. Test two Cybersecurity Incident Response Plan (CIRP) objectives annually, chosen from the following:
    1. Containment (of Incident)
    2. Segregation of Systems
    3. Integrity of Back-Up Data
    4. Isolation of Information Technology/Operational Technology

Latest Proposal of New Rules for Surface Transportation Security

In the latest development, as of November 7th, 2024, TSA's proposed rule looks to expand on this set of performance-based cybersecurity requirements to maintain and enhance security for roughly 300 surface transportation owners and operators across the country. Many of these proposed rules are already widely practiced informally; however, TSA is seeking to codify these directives to emphasize and encourage cyber incident reporting. In addition, the proposal includes:

  1. Requiring comprehensive cyber risk management programs for certain pipeline, freight railroad, passenger railroad, and rail transit owner/operators with high cyber risk profiles.
  2. Requiring these owner/operators, as well as higher-risk bus-transportation owner/operators and certain over-the-road bus (OTRB) owner/operators, to report all significant physical security concerns to the Cybersecurity and Infrastructure Security Agency (CISA).
  3. Expanding TSA’s current rail and higher-risk bus operations requirements so that affected owner/operators must designate a physical security coordinator and report significant physical security concerns to TSA.

As stated by TSA Administrator David Pekoske: “TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements…We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”

Under these new requirements, owners and operators will be required to submit their Cybersecurity Assessment Plan (CAP) to TSA for approval. There is flexibility in developing each individual CAP schedule, and TSA is specifically requesting comments from owners/operators on which methods would be most beneficial for them. A complete solution such as Industrial Defender would automatically monitor each asset, discover relevant vulnerabilities, prioritize patch data using a risk-based methodology, and detect and report on both security and operational events in endpoints and networks.

Complying with TSA's OT Cybersecurity Requirements

For pipeline owners and operators to successfully attain these outcomes, they need to have the right people, processes and technologies in place. A solid starting point for the industry will be choosing a cybersecurity standard to help operationalize these objectives for achieving cyber resilience. We always recommend using the NIST Cybersecurity Framework or the CIS Controls because both technical stakeholders and executives can understand them. Appointing the proper security professionals is also mandated by the TSA in the revised Security Directives.

Implementing the right OT cyber risk management foundation will ensure that pipeline owners and operators can identify, monitor and manage everything happening inside their operational technology infrastructure. Any technology investment should be reviewed carefully to confirm that it can enable these specific outcomes. A comprehensive solution will identify and baseline every asset, detect and report on security and operational events in endpoints and networks, and monitor and manage vulnerability and patch data using risk-based prioritization. For the access-control and network-segmentation objectives, pipeline owners and operators should also ensure that any OT monitoring technology they deploy is sophisticated enough to detect events such as successful/failed user login attempts, firewall rule changes, and user privilege changes.
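To make the last point concrete, here is a small added example (not Industrial Defender's code and not part of the TSA directive) of the kind of detection logic an OT monitoring tool needs for the access-control and segmentation objectives. It reads constructed, syslog-style lines from made-up hosts, tags login successes and failures, firewall rule changes and privileged-group membership changes, and maps each alert back to the directive objective it supports. The log format, the five-failure threshold and the list of privileged groups are all assumptions chosen for the illustration.

```python
"""
Added example: classify OT/IT log lines into the event types the TSA
access-control and network-segmentation objectives expect a monitoring
tool to detect. All hosts, users, addresses and the line format are
constructed for this illustration.
"""
import re
from collections import Counter

# Constructed sample log lines (syslog-like; every value is made up).
SAMPLE_LOGS = [
    "2024-11-07T08:00:01 hmi-01 auth: user=operator1 result=SUCCESS src=10.10.1.20",
    "2024-11-07T08:00:05 hmi-01 auth: user=admin result=FAIL src=10.10.9.77",
    "2024-11-07T08:00:06 hmi-01 auth: user=admin result=FAIL src=10.10.9.77",
    "2024-11-07T08:00:07 hmi-01 auth: user=admin result=FAIL src=10.10.9.77",
    "2024-11-07T08:00:08 hmi-01 auth: user=admin result=FAIL src=10.10.9.77",
    "2024-11-07T08:00:09 hmi-01 auth: user=admin result=FAIL src=10.10.9.77",
    "2024-11-07T08:01:00 fw-ot-edge firewall: rule ADD name=allow-it-to-plc"
    " action=permit src=10.10.0.0/16 dst=192.168.50.0/24",
    "2024-11-07T08:02:00 eng-ws-03 usermod: user=contractor7 group=Administrators action=ADD",
    "2024-11-07T08:03:00 hmi-01 auth: user=operator2 result=SUCCESS src=10.10.1.21",
    "2024-11-07T08:04:00 historian-01 cron: nightly backup completed",
]

# Assumed line formats; a real deployment would use the vendor's parsers.
LOGIN_RE = re.compile(r"auth: user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)")
FW_RE = re.compile(r"firewall: rule (?P<op>ADD|DELETE|MODIFY) name=(?P<name>\S+)(?P<rest>.*)")
PRIV_RE = re.compile(r"usermod: user=(?P<user>\S+) group=(?P<group>\S+) action=(?P<op>ADD|REMOVE)")

FAILED_LOGIN_THRESHOLD = 5                               # assumption
PRIVILEGED_GROUPS = {"Administrators", "root", "wheel"}  # assumption


def classify(line):
    """Tag one log line with an event category, or return None if it is noise."""
    m = LOGIN_RE.search(line)
    if m:
        category = "login_success" if m["result"] == "SUCCESS" else "login_failure"
        return category, m.groupdict()
    m = FW_RE.search(line)
    if m:
        return "firewall_rule_change", m.groupdict()
    m = PRIV_RE.search(line)
    if m:
        return "privilege_change", m.groupdict()
    return None


def analyze(lines):
    """Walk the lines once; return alerts keyed to the directive objective they support."""
    alerts = []
    failures = Counter()  # (user, src) -> consecutive failed logins seen so far
    for line in lines:
        tagged = classify(line)
        if tagged is None:
            continue
        category, d = tagged
        if category == "login_failure":
            key = (d["user"], d["src"])
            failures[key] += 1
            # Alert exactly once, when the threshold is first reached.
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"objective": "access_control",
                               "type": "repeated_failed_logins",
                               "user": d["user"], "src": d["src"],
                               "count": failures[key]})
        elif category == "login_success":
            # A success after a run of failures from the same source is worth a flag.
            if failures[(d["user"], d["src"])] >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"objective": "access_control",
                               "type": "success_after_failures",
                               "user": d["user"], "src": d["src"]})
        elif category == "firewall_rule_change":
            # Any rule change on the IT/OT boundary is a segmentation event.
            alerts.append({"objective": "network_segmentation",
                           "type": "firewall_rule_" + d["op"].lower(),
                           "rule": d["name"], "detail": d["rest"].strip()})
        elif category == "privilege_change" and d["group"] in PRIVILEGED_GROUPS:
            alerts.append({"objective": "access_control",
                           "type": "privileged_group_membership_change",
                           "user": d["user"], "group": d["group"], "op": d["op"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run as a script, the sample produces three alerts: the burst of failed logins against `admin`, the new permit rule bridging the IT and OT ranges, and the contractor account added to `Administrators`. Each carries the objective it maps to, which is the shape of evidence a CAP review or an annual CIRP test would want to see.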

With the expanding anxiety around cyberattacks targeting critical infrastructure over the past two years, it's clear that having strong cyber resilience plans in place has never been more important, and is going to be a non-negotiable objective for pipeline owners and operators in the 21st century.