TRENDING:

Critical Infrastructure Security , Standards, Regulations & Compliance

TSA Plans Cyber Risk Regulation for Pipeline and Rail Sector

Agency Signals Private Sector on Cybersecurity Risk Management Program David Perera (@daveperera) • November 29, 2022    
TSA Plans Cyber Risk Regulation for Pipeline and Rail Sector
Image: Robson Machado/Pixabay

More regulation is likely in the future for the U.S. oil pipeline and rail transport industry now that federal regulators say those sectors need comprehensive cybersecurity risk management.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

The Transportation Security Administration invoked existing authorities dating back to its post-9/11 creation in an advance notice of proposed rule-making calling for a cyber risk management program for pipeline and rail companies.

The advance notice - typically the first step of federal notice-and-comment rule-making procedures - is part of a broader Biden administration effort to pressure critical infrastructure operators into better cybersecurity, an effort that took flight following a May 2021 interruption to gasoline supplies across America's south and the East Coast after Russia-based hackers conducted a ransomware attack on a main pipeline supplier.

Eschewing a fight in Congress over sweeping regulatory legislation certain to run into Republican opposition, the administration has used a combination of voluntary measures and interpretations of existing law to coax and compel cybersecurity improvements from critical infrastructure operators. "Principle number one is: Use what you've got, because you can move fastest in that way," said Anne Neuberger, the White House deputy national security adviser, before a Washington think tank audience in late October (see: CISA Releases Performance Goals for Critical Infrastructure).

The pipeline and rail industries have already come under stepped-up cybersecurity regulation through TSA directives that mandate measures such as an incident response plan, network segmentation policies and continuous monitoring (see: TSA Issues New Cybersecurity Directive for Oil Pipelines).

The agency says a federal cyber risk management program would go beyond those directives to increase industry focus on operational resilience. "Prevention alone is not sufficient," the notice states. Industry should assume that attackers will disrupt systems, meaning that "the capacity and ability to respond and recover swiftly when a cybersecurity incident occurs is key to mitigating disruption and ensuring resilient operations."

The TSA says it's not interested in imposing "static requirements," stating that a risk management program should encourage continual assessment of the threat environment and the dynamic adoption of security controls.

Public comments about the advanced notice of proposed rule-making are due Jan. 14.

Previous
Veracode CEO Sam King on Joining AppSec, Container Security
Next
Email as a Threat Vector in 2023

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



Around the Network

Checking Out Security Before Using AI Tools in Healthcare
Checking Out Security Before Using AI Tools in Healthcare
Top Privacy Considerations for Website Tracking Tools
Top Privacy Considerations for Website Tracking Tools
Closing Privacy 'Loopholes' in Reproductive Healthcare Data
Closing Privacy 'Loopholes' in Reproductive Healthcare Data
HHS OCR Leader: Agency Is Cracking Down on Website Trackers
HHS OCR Leader: Agency Is Cracking Down on Website Trackers
Integrating Generative AI Into the Threat Detection Process
Integrating Generative AI Into the Threat Detection Process
CyberArk CEO Touts New Browser That Secures Privileged Users
CyberArk CEO Touts New Browser That Secures Privileged Users
Are We Facing a Massive Cybersecurity Threat?
Are We Facing a Massive Cybersecurity Threat?
What's Inside Washington State's New My Health My Data Act
What's Inside Washington State's New My Health My Data Act
Why Legacy Medical Systems Are a Growing Concern
Why Legacy Medical Systems Are a Growing Concern
How to Simplify Data Protection within your Organization
How to Simplify Data Protection within your Organization

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.