The Transportation Security Administration (TSA) published an advance notice of proposed rulemaking (ANPRM) on November 30, 2022, seeking comments from stakeholders on ways to strengthen cybersecurity and resilience for pipeline and rail systems, with an eye toward potential cyber regulatory developments for these sectors of surface transport.
The issuance of the ANPRM follows several key actions related to cybersecurity in critical infrastructure sectors by TSA and the Cybersecurity and Infrastructure Security Agency (CISA), both part of the US Department of Homeland Security (DHS). In July 2022, TSA issued a revised Cybersecurity Directive for Critical LNG Pipelines and Facilities (discussed in our previous blog post), and in October 2022 issued a pair of Cybersecurity Directives for passenger and transit rail systems, and for freight rail. Also in October, CISA released its cross-sector cybersecurity goals aimed at promoting best cybersecurity practices by owners and operators of critical infrastructure.
TSA, in the November ANPRM, builds on the momentum of the past few months and seeks feedback—including from industry associations, independent cybersecurity subject matter experts, and cybersecurity insurers—on developing a comprehensive, forward-looking approach to cybersecurity requirements for surface transportation systems.
Pipelines, trains and cyber ideals
Both the pipeline and rail sectors operate vital supply chain infrastructure, the reliable operation of which is critical to national security and commerce. The criticality of this infrastructure makes both sectors an attractive target for cyber attacks, as such attacks can affect not only the targeted computer systems but also the vital operations that those systems support. For example, an attack on computer systems supporting pipeline or railroad operations could cause significant supply shortages, cascading disruptions in the supply chain, and dramatic increases in commodity prices. Adversaries have already demonstrated their willingness to launch large-scale attacks on critical surface transportation infrastructure, as exemplified by the May 2021 Colonial Pipeline ransomware attack.
The ANPRM highlights several key cyber risks to pipeline and rail systems. One such risk is the increased integration of information technology (IT) and operational technology (OT) systems. OT systems, which include industrial control systems (ICS), are responsible for interacting directly with transportation operations—for example, managing pipeline flow or rail traffic. As IT and OT systems become more integrated, attackers may be able to compromise IT systems and then move laterally into OT systems. Of particular concern is the ability of attackers to compromise supervisory control and data acquisition (SCADA) systems, process control systems, distributed control systems, security control systems, measurement systems, and telemetry systems. Another significant cyber risk highlighted by the ANPRM stems from the continued reliance on legacy ICS and the inherently geographically dispersed nature of pipeline and rail networks. As noted in the ANPRM, DHS and other federal agencies have recommended that owner/operators and network administrators implement a layered approach to cybersecurity that includes separating OT systems from IT systems, so that a compromise of one cannot spread to the other.
To address these and other cyber risks to surface transportation systems, the ANPRM lays out the “core elements” of a cybersecurity risk management (CRM) program:
- Designation of a responsible person for cybersecurity;
- Access controls;
- Vulnerability assessments;
- Specific measures for assessing the implementation, effectiveness, efficiency and impact of cybersecurity controls;
- Drills and exercises;
- Technical security controls (for example, multi-factor authentication, encryption, network segmentation, anti-virus/anti-malware scanning, patching and transition to a “zero trust” architecture);
- Physical security controls;
- Incident response plan and operational resilience;
- Incident reporting and information sharing;
- Staff training and awareness;
- Supply chain/third-party risk management; and
- Record keeping and documentation.
Although the ANPRM does not say so explicitly, surface transportation operators should expect these “core elements” to serve as the basis for TSA’s approach to cybersecurity regulation going forward.
Comment areas
In issuing the ANPRM, TSA seeks input to inform potential regulatory developments — consistent with its authority under the 9/11 Commission Act of 2007 — to ensure that owners and operators of pipeline and rail infrastructure are adequately equipped to protect against and respond to cybersecurity threats. The ANPRM identifies several policy priorities that will be emphasized as part of its regulatory efforts, and requests input on specific issues related to each priority. Priorities identified in the ANPRM include:
- assessing and improving the current baseline of operational resilience and incident response;
- maximizing the ability of owners and operators to adapt to respond to evolving threats and technologies;
- identifying opportunities for third-party experts to support compliance;
- taking into account the varying maturity of cybersecurity in the surface transportation sector and regulated owners and operators;
- driving cybersecurity adoption and compliance; and
- leading to measurable outcomes and harmonization of regulations.
The ANPRM provides some specific examples of feedback that TSA hopes to receive from stakeholders, including ideas for ensuring that regulations can evolve at the pace of escalating threats; reflections on the most effective mechanisms to encourage compliance, including incentives and grants; and suggestions on how to ensure compliance with existing regulatory regimes. The ANPRM also requests information regarding the costs associated with implementing existing cybersecurity standards and critical infrastructure requirements, such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection Reliability Standards, to inform TSA’s cost-benefit analysis of the impact of potential regulations.
Next steps
The window for interested parties to comment on the areas identified in the ANPRM is relatively short: the deadline for submitting comments in response to the ANPRM is January 17, 2023. DVT will continue to monitor developments specifically related to the ANPRM and cybersecurity issues facing critical infrastructure in general.