An advance notice of proposed rulemaking from the Transportation Security Administration aims to formalize and build on cybersecurity requirements for the pipeline and rail sectors that were implemented through emergency directives, and includes a series of questions intended to deepen its understanding of industry risk management practices.
The TSA ANPRM was published today in the Federal Register, opening a 45-day public comment period.
“TSA has said publicly that the previously issued security directives were designed to address short-term and immediate cybersecurity risks, but that a more permanent regulatory approach was needed to address cybersecurity for both aviation and surface transportation,” commented Norma Krayem, head of the cyber practice at Van Scoyoc Associates and a former senior Transportation Department official.
“What is notable is how thorough the questions are in the ANPRM and focused on a much broader swathe of cybersecurity issues than in the security directives,” Krayem said. “Rather, the ANPRM appears to build on the basics of the SDs and go much farther, more akin to a broad-based cyber enterprise risk management plan.”
Bob Kolasky, a senior vice president at Exiger and former head of CISA’s National Risk Management Center, commented, “I generally think that it is a good sign that TSA seems to be moving past the emergency directives toward a longer term set of solutions and am glad that they have provided a good window for industry comments. The agency clearly has learned lessons via the development of security directives in these industries -- particularly the pipeline ones -- and this process should lead to better rules based on that experience.”
The ANPRM poses questions for stakeholders in six areas, including “identifying current baseline of operational resilience and incident response” and “maximizing the ability for owner/operators to meet evolving threats and technologies.”
It asks for stakeholder feedback throughout the document on risk management and says, “TSA recognizes that the phrase ‘cyber risk management’ may involve a wide range of applications related to cyber safety and security. We request relevant information on all issues and challenges related to CRM development and implementation for pipeline and rail owner/operators in the areas of the standards, regulatory barriers, economic burdens, training and education, and management and oversight.”
According to the notice, “Input received in response to this ANPRM will assist TSA in better understanding how the pipeline and rail sectors implement cyber risk management in their operations and will support us in achieving objectives related to the enhancement of pipeline and rail cybersecurity.”
TSA asks, “Please describe how your organization has implemented or plans to implement CRM. What frameworks, standards, or guidelines have informed your implementation of CRM for your pipeline and rail operations? Would you recommend any other standards or guidelines not mentioned in this ANPRM for application to pipeline or rail CRM programs? If possible, please provide any data available on the overall average cost to initially implement an owner/operator CRM and its annual costs to maintain (even if not a single action).”
The agency asks, “Does your CRM include aspects of system protection, system penetration testing, security monitoring, incident response, incident forensic analysis, and a plan for restoration of operations? If not, which features does your CRM address? What are the challenges for incorporating any missing facets? Are some parts of CRM developed in-house while a third-party develops other pieces? If so, why and what advantages do either of these approaches offer?”
It seeks details on “cybersecurity personnel training and security awareness and skills education,” including on the availability of training courses and costs.
Further, it asks, “How does your company address, respond to, or modify business practices due to the cost impacts of a cybersecurity incident? Does your company maintain estimates of the cost impacts (with respect to your organization and external parties) of various types of cybersecurity incidents, including but not limited to ransomware, data breaches, and attacks on operational technology?”
“If so,” it asks, “what is the range of these costs based on the type or severity of the incident? Does your company insure against these kinds of costs, and, if so, what is the annual cost of insurance, and what kind of coverage is offered? If your company does not have insurance coverage, please explain why.”
In the section on maximizing owner/operators’ ability to meet evolving threats, TSA asks, “What impacts (positive and negative) to the pipeline and rail sectors workforce do you anticipate regarding the implementation of CRM? Will there be a need to hire additional employees? If so, how many and at what level and occupation?”
It asks, “How could TSA maximize implementation of CRM by providing for innovative, effective, and efficient ways to measure cybersecurity performance? Please provide specific references or resources available for any measurement options discussed, as available.”
And, it asks, “Should pipeline and rail owner/operators designate a single individual (such as a chief information security officer) with overall authority and responsibility for leading and managing implementation of the CRM? Or should they designate a group of individuals as responsible for implementation or parts thereof?”
Relatedly, it asks “what specific requirements should there be for who would implement a pipeline and rail owner/operators’ CRM program? Would implementing this type of requirement necessitate hiring additional staff? If so, how many and at what level and occupation?”
TSA asks, “What CRM security controls should pipeline and rail owner/operators be required to maintain, and in what manner?” It seeks responses on eight specific controls.
“What baseline level of physical security of CRM architecture should pipeline and rail owner/operators be required to maintain, including ensuring that physical access to systems, facilities, equipment, and other infrastructure assets is limited to authorized users and secured against risks associated with the physical environment?” the agency asks.
“How much would it cost to implement the baseline physical security measures you identified in your response? How many of the identified measures are currently maintained (if such information has not already been provided to TSA)?” it asks.
Cyber leaders weigh in
Former CISA official Kolasky said, “In reading the ANPRM, it is comprehensive and poses a number of questions for input which will benefit the eventual rulemaking.”
He said, “I know that my former colleagues [at DHS] are very attuned to trying to enhance security while also being cognizant of industry feedback and balance the urgency of the threat with the need to put in place effective outcome-oriented rules. Whatever they ultimately develop has to be clear, harmonized as much as possible with other regulatory obligations that these communities face, and focused on not creating an undue burden on reporting at the expense of security.”
Krayem noted, “What’s important about this is the level of detail in the ANPRM that TSA lays out; industry has a fuller sense of what TSA is considering, and it’s important for owners and operators to participate in this effort. Forty-five days has been provided to comment on it, which is a very quick turn for such an extensive list of questions that will have an important impact on what the next round of rulemaking looks like in 2023.”
She observed that the proposal seeks comment on the relevancy of existing cyber requirements in the energy sector and for federal agencies, and on CISA’s cyber performance goals.
“It’s good to see that it included industry developed standards as well, from [the American Petroleum Institute] and MITRE. But also, quite interesting to see that it asks about cyber mandates on the financial services sector from New York Department of Financial Services and even the Bank of England’s CBEST program, which the transportation sector is unlikely to be familiar with,” Krayem said.
“Furthermore,” she said, “it asks about interesting issues like mandating the use of accredited third-party certifiers to conduct audits/assessments. That has been incorporated into varying sectors over time, but complications exist when talking about who certifies the third-party auditors, to what standard, how is that information used, protected etc. as well.” -- Charlie Mitchell (email@example.com)