A sweeping regulatory notice from the Transportation Security Administration on cybersecurity for the pipeline and rail sectors should trigger a productive engagement between industry and government, according to the American Gas Association, which says it plans to ask for an extension to the 45-day comment period in order to address the lengthy list of questions posed by TSA.
“AGA welcomes TSA kicking off the formal pipeline cybersecurity rulemaking process,” the trade group said in a Wednesday release.
The TSA Advance Notice of Proposed Rulemaking was published Wednesday in the Federal Register, opening a 45-day public comment period.
AGA vice president for security and operations Kimberly Denbow said in a statement: "Cybersecurity is an exponentially evolving threat, and TSA's pursuit of a risk-based approach to regulation will enable the operator to morph security strategy accordingly to the changing landscape. The recently reissued pipeline security directives demonstrated a commitment by TSA to not just collect, but to also listen and apply institutional knowledge of the owner/operators who must implement the final product."
Denbow said, “While AGA and its members look forward to constructively responding to the ANPRM's pointed questions on cybersecurity risk management policy priorities and core elements, we will be seeking an extension to the 45-day comment deadline."
Stakeholders were quick to note the expansive nature of the 46-page ANPRM, which follows up on a series of emergency security directives issued for pipelines and rail in the aftermath of the Colonial Pipeline ransomware attack. Some industry sources suggested on background that TSA, in its notice, is overstating the level of collaboration that has been taking place between the private sector and the agency.
TSA “needs to do more to hear the reality of implementation of its directives and take more of the suggestions that are made to them in listening sessions about the scope of their mandates,” one industry source said.
The ANPRM poses questions in six areas: identifying current resilience and incident response baselines; "maximizing the ability for owner/operators to meet evolving threats and technologies"; how organizations approach cyber risk management; opportunities for "third-party experts to support compliance"; cybersecurity maturity; and incentives.
“TSA is to be applauded for seeking substantial feedback early,” said Megan Brown, a partner at the Wiley Rein law firm. “They seek input on the DHS performance goals, and refer to the NIST Framework, but it is unclear how TSA will address them. I wish the ANPRM had recognized that [the Cyber Incident Reporting for Critical Infrastructure Act] is being addressed at CISA, and I expect they will hear a lot about the need to deconflict and harmonize.”
Brown added, “I think it will prove too hard to do joint rules for pipeline and rail, which are different sectors with some different issues. Indeed, rail is so diverse that TSA notes several different categories which are likely to have different impact analyses from various events. Colonial Pipeline was not a rail issue and the agency should not extrapolate too much from it to rail.”
“As for collaboration,” she said, “I do not see much discussion of how to promote collaboration going forward, either on the exchange of best practices or the government sharing actionable information with the private sector. The many questions focus on various new mandates and requirements for operators, including possible third party oversight and several prescriptive mandates. This reflects an approach that does not seem particularly likely to foster collaboration.”
Norma Krayem, a former senior Transportation Department official now leading the cyber practice at Van Scoyoc Associates, commented on the scope of the ANPRM.
"What is notable," Krayem said, "is how thorough the questions are in the ANPRM and focused on a much broader swathe of cybersecurity issues than in the [earlier TSA] security directives. Rather, the ANPRM appears to build on the basics of the SDs and go much farther, more akin to a broad-based cyber enterprise risk management plan." – Charlie Mitchell