The Transportation Security Administration (TSA) is finalizing permanent cybersecurity rules for critical pipeline operators.
TSA also told the Department of Homeland Security (DHS) inspector general that it is working to issue a regulation that will codify critical cybersecurity requirements for pipelines.
On Nov. 30, 2022, TSA published the “Enhancing Surface Cyber Risk Management” Advance Notice of Proposed Rulemaking in the Federal Register. TSA sought input on a rulemaking that would establish cybersecurity standards for surface transportation modes determined to have higher risk profiles, the agency said.
The Policy, Plans, and Engagement Office drafted a Notice of Proposed Rulemaking and is targeting the first quarter of fiscal year 2024 for its publication in the Federal Register.
Following the close of the public comment period on the Notice of Proposed Rulemaking, TSA will draft a final rule. The target for publication of the final rule is the fourth quarter of fiscal year 2024, the agency said.
The department’s inspector general found in a report published last week that TSA did not ensure that all critical pipeline operators were following through on the cybersecurity directives.
The 2021 Colonial Pipeline data breach and ransomware attack illustrated how vulnerable private industry and government networks and systems are to cyberattacks. The pipeline operator decided to temporarily discontinue operations for several days due to the attack, resulting in fuel shortages and increased fuel prices.
Following the attack on Colonial Pipeline, TSA – in coordination with the Cybersecurity and Infrastructure Security Agency – issued new cybersecurity requirements for pipeline operators.
In the agency’s Advance Notice of Proposed Rulemaking published late last year, TSA asked questions that fell under several categories:
- Identifying current baseline of operational resilience and incident response;
- Identifying how cyber risk management (CRM) is implemented;
- Maximizing the ability for owners and operators to meet evolving threats and technologies;
- Identifying opportunities for third-party experts to support compliance;
- Cybersecurity maturity considerations; and
- Incentivizing cybersecurity adoption and compliance.
The transportation agency said on Sept. 26 that it plans to publish the draft regulation of cyber requirements for public comment by the end of this calendar year.