Enhancing Surface Cyber Risk Management
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Transportation Security Administration (TSA) is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators, and a more limited requirement on certain over-the-road bus (OTRB) owner/operators to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems. Finally, TSA is proposing clarifications and reorganization of other regulatory requirements necessitated by these changes.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 216 (Thursday, November 7, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 216 (Thursday, November 7, 2024)]
[Proposed Rules]
[Pages 88488-88592]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-24704]
[[Page 88487]]
Vol. 89
Thursday,
No. 216
November 7, 2024
Part III
Department of Homeland Security
-----------------------------------------------------------------------
Transportation Security Administration
-----------------------------------------------------------------------
49 CFR Parts 1500, 1503, 1520, et al.
Enhancing Surface Cyber Risk Management; Proposed Rule
Federal Register / Vol. 89 , No. 216 / Thursday, November 7, 2024 /
Proposed Rules
[[Page 88488]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
49 CFR Parts 1500, 1503, 1520, 1570, 1580, 1582, 1584, and 1586
[Docket No. TSA-2022-0001]
RIN 1652-AA74
Enhancing Surface Cyber Risk Management
AGENCY: Transportation Security Administration, DHS.
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) is proposing
to impose cyber risk management (CRM) requirements on certain pipeline
and rail owner/operators, and a more limited requirement on certain
over-the-road bus (OTRB) owner/operators to report cybersecurity
incidents. With the proposed addition of requirements applicable to
pipeline facilities and systems, TSA is also proposing that a
requirement to have a Physical Security Coordinator and report
significant physical security concerns be extended to the same
facilities and systems. Finally, TSA is proposing clarifications and
reorganization of other regulatory requirements necessitated by these
changes.
DATES: Submit comments by February 5, 2025.
ADDRESSES:
Comments on this NPRM: You may submit comments on this NPRM,
identified by the TSA docket number to this rulemaking, to the Federal
Docket Management System (FDMS), a government-wide, electronic docket
management system. To avoid duplication, please use only one of the
following methods:
<bullet> Electronic Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>. Follow the online instructions for submitting
comments.
<bullet> Mail: Docket Management Facility (M-30), U.S. Department
of Transportation, 1200 New Jersey Avenue SE, West Building Ground
Floor, Room W12-140, Washington, DC 20590-0001. The Department of
Transportation (DOT), which maintains and processes TSA's official
regulatory dockets, will scan the submission and post it to FDMS.
<bullet> Fax: (202) 493-2251.
See the SUPPLEMENTARY INFORMATION section for format and other
information about comment submissions on the NPRM.
FOR FURTHER INFORMATION CONTACT:
General Questions: Ashlee Marks, Surface Division, Policy, Plans,
and Engagement, TSA-28, Transportation Security Administration, 6595
Springfield Center Drive, Springfield, VA 20598-6028; telephone (571)
227-1039; email: SurfaceCyberPolicy@tsa.dhs.gov.
Legal Questions: Traci Klemm, Regulations and Security Standards,
Office of Chief Counsel, Transportation Security Administration, 6595
Springfield Center Drive, Springfield, VA 20598-6002; telephone (571)
227-3583, or email to SurfaceCyberPolicy@tsa.dhs.gov.
SUPPLEMENTARY INFORMATION:
Public Participation
TSA invites interested persons to participate in this NPRM by
submitting written comments, including relevant data. We also invite
comments relating to the economic, environmental, energy, or federalism
impacts that might result from this rulemaking action. See the
ADDRESSES section above for information on where to submit comments.
NPRM-Specific Request for Comments
1. TSA is requesting comments on the impact of regulations and
requirements being imposed by other Federal, State, and Local entities,
including DHS components, and potential options for regulatory
harmonization.
2. TSA is requesting comments on whether proposed requirements for
supply chain risk management should also include requirements to ensure
that any new software purchased for, or to be installed on, Critical
Cyber Systems meets CISA's Secure-by-Design and Secure-by-Default
principles.
3. TSA is requesting comments on existing training and
certification programs that could provide low-cost options to meet
proposed qualification requirements for Cybersecurity Coordinators. If
identified and determined by TSA to be sufficient, TSA could recognize
them as examples for owner/operators that would be subject to these
requirements.
4. TSA is proposing to require owner/operators to have a
Cybersecurity Assessment Plan (CAP) to annually assess and audit the
effectiveness of their TSA-approved Cybersecurity Operational
Implementation Plan (COIP). TSA is requesting comments on methodologies
owner/operators could use to develop a plan that would meet the
required annual minimum for assessments and audits, assessment and
auditing capabilities that could be included in the CAP, and other
options and resources that could ensure a robust auditing and
assessment program that provides frequent and regular reviews of
effectiveness of CRM program implementation.
5. TSA is requesting comments from pipeline owner/operators on
opportunities to streamline compliance and reduce redundancies and
duplication of efforts for pipeline facilities regulated under 33 CFR
105.105(a) or 106.105(a).
6. TSA is requesting comment on whether accountable executives and
Cybersecurity Coordinators, for all covered owner/operators, should be
required to undergo a TSA-conducted Security Threat Assessment (STA),
which would include a terrorism/other analyses check, an immigration
check, and a criminal history records check (CHRC).
7. TSA is requesting comment on whether TSA should require all
frontline workers (``security-sensitive employees'') in the pipeline
industry to also be vetted by TSA. Although TSA is not proposing this
requirement, TSA seeks comments on how the vetting would impact their
operations and costs, and specifically how many employees the entity
has that would likely be considered security-sensitive employees.\1\
---------------------------------------------------------------------------
\1\ Commenters may find it useful to review the functions that
TSA considered for determining security-sensitive employees under
current Appendix B to 49 CFR part 1580, Appendix B to part 1582, and
Appendix B to part 1584.
---------------------------------------------------------------------------
8. TSA is requesting comment on the inputs used in the Regulatory
Impact Analysis (RIA), including those related to the Security
Directives (SDs), their implementation, and associated costs and
benefits. Comments that will provide the most assistance to TSA will
reference a specific portion of this proposed rule, explain the reason
for any suggestions or recommended changes, and include data,
information, or authority that supports such suggestion or recommended
change.
9. TSA invites all interested parties to submit data and
information regarding the potential economic impact on small entities
that would result from the adoption of the requirements in the proposed
rule.
10. TSA invites comments on the proposed collection of information
and estimates of burden.
Submitting Comments on the NPRM
With each comment, please identify the docket number at the
beginning of your comments. You may submit comments and material
electronically, by mail, or fax as provided under
[[Page 88489]]
ADDRESSES, but please submit your comments and material by only one
means. If you submit comments by mail or in person, submit them in an
unbound format, no larger than 8.5 by 11 inches, suitable for copying
and electronic filing.
If you would like TSA to acknowledge receipt of comments submitted
by mail, include with your comments a self-addressed, stamped postcard
or envelope on which the docket number appears, and we will mail it to
you.
All comments, except those that include confidential information or
SSI,\2\ will be posted to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and include any personal
information you have provided. Should you wish your personally
identifiable information redacted prior to filing in the docket, please
clearly indicate this request in your submission. TSA will consider all
comments that are in the docket on or before the closing date for
comments and will consider comments filed late to the extent
practicable. The docket is available for public inspection before and
after the comment closing date.
---------------------------------------------------------------------------
\2\ ``Sensitive Security Information'' or ``SSI'' is information
obtained or developed in the conduct of security activities, the
disclosure of which would constitute an unwarranted invasion of
privacy, reveal trade secrets or privileged or confidential
information, or be detrimental to the security of transportation.
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------
Submitting Comments on the Proposed Information Collections
Comments on the proposed information collections included in this
NPRM should be submitted both to TSA, as indicated above, and to the
Office of Information and Regulatory Affairs, Office of Management and
Budget (OMB). Comments should be identified by the appropriate OMB
Control Number(s) or the title of this proposed rule, addressed to the
Desk Officer for the Department of Homeland Security, Transportation
Security Administration, and sent via electronic mail to
dhsdeskofficer@omb.eop.gov.
Handling of Confidential or Proprietary Information and SSI Submitted
in Public Comments
Do not submit comments that include trade secrets, confidential
commercial or financial information, or SSI to the public regulatory
docket. Please submit such comments separately from other comments on
the rulemaking. Comments containing this type of information should be
appropriately marked as containing such information and submitted by
mail to the address listed in the FOR FURTHER INFORMATION CONTACT
section. TSA will take the following actions for all submissions
containing SSI:
<bullet> TSA will not place comments containing SSI in the public
docket and will handle them with applicable safeguards and restrictions
on access.
<bullet> TSA will hold documents containing SSI, confidential
business information, or trade secrets in a separate file to which the
public does not have access.
<bullet> TSA will place a note in the public docket explaining that
commenters have submitted such documents.
<bullet> TSA may include a redacted version of the comment in the
public docket.
<bullet> TSA will treat requests to examine or copy information
that is not in the public docket as any other request under the Freedom
of Information Act (5 U.S.C. 552) and the Department of Homeland
Security (DHS) Freedom of Information Act regulation found in 6 CFR
part 5.
Reviewing Comments in the Docket
Please be aware that anyone can search the electronic form of all
comments in any of our dockets by the name of the individual,
association, business entity, labor union, etc., who submitted the
comment. For more about privacy and the docket, review the Privacy and
Security Notice for the FDMS at <a href="https://www.regulations.gov/privacy-notice">https://www.regulations.gov/privacy-notice</a>, as well as the System of Records Notice DOT/ALL 14--Federal
Docket Management System (73 FR 3316, January 17, 2008) and the System
of Records Notice DHS/ALL 044--eRulemaking (85 FR 14226, March 11,
2020).
You may review TSA's electronic public docket at <a href="https://www.regulations.gov">https://www.regulations.gov</a>. In addition, DOT's Docket Management Facility
provides a physical facility, staff, equipment, and assistance to the
public. To obtain assistance or to review comments in TSA's public
docket, you may visit this facility between 9 a.m. and 5 p.m., Monday
through Friday, excluding legal holidays, or call (202) 366-9826. This
DOT facility is in the West Building Ground Floor, Room W12-140 at 1200
New Jersey Avenue SE, Washington, DC 20590.
Availability of Rulemaking Document
You can find an electronic copy of this rulemaking using the
internet by accessing the Government Publishing Office's web page at
<a href="https://www.govinfo.gov/app/collection/FR/">https://www.govinfo.gov/app/collection/FR/</a> to view the daily published
Federal Register edition or accessing the Office of the Federal
Register's web page at <a href="https://www.federalregister.gov">https://www.federalregister.gov</a>. Copies are also
available by contacting the individual identified for ``General
Questions'' in the FOR FURTHER INFORMATION CONTACT section.
Abbreviations and Terms Used in This Document
9/11 Act--Implementing Recommendations of the 9/11 Commission Act of
2007
AAR--Association of American Railroads
Amtrak--National Railroad Passenger Corporation
APTA--American Public Transportation Association
ATSA--Aviation and Transportation Security Act
BOS--Back Office Server
BES--Bulk Electric System
CAP--Cybersecurity Assessment Plan
CEQ--Council on Environmental Quality
CSF--Cybersecurity Framework 2.0
CIRCIA--Cyber Incident Reporting for Critical Infrastructure Act of
2022
CIP--Cybersecurity Implementation Plan
CIRP--Cybersecurity Incident Response Plan
CISA--Cybersecurity and Infrastructure Security Agency
COIP--Cybersecurity Operational Implementation Plan
CPGs--Cross-Sector Cybersecurity Performance Goals
CRM--Cybersecurity risk management
DFAR--Defense Federal Acquisition Regulation Supplement
DHS--Department of Homeland Security
DoD--Department of Defense
DOE--Department of Energy
DOT--Department of Transportation
E.O.--Executive Order
FDMS--Federal Docket Management System
FERC--Federal Energy Regulatory Commission
FISMA--Federal Information Security Modernization Act of 2014
FR--Federal Register
FRA--Federal Railroad Administration
FSB--Russian Federal Security Service
GPS--Global Positioning System
HSIN--Homeland Security Information Network
IC--Information Circular
ICS--Industrial control system
IRFA--Initial Regulatory Flexibility Analysis
IT--Information technology
MFA--Multi-factor authentication
NARA--National Archives and Records Administration
NEPA--National Environmental Policy Act
NERC--North American Electric Reliability Corporation
NIST--National Institute of Standards and Technology
NPRM--Notice of proposed rulemaking
OMB--Office of Management and Budget
OT--Operational technology
OTRB--Over-the-road bus
PHMSA--Pipeline and Hazardous Materials Safety Administration
POAM--Plan of Action and Milestones
PTC--Positive Train Control
PTPR--Public Transportation and Passenger Railroads
RFA--Regulatory Flexibility Act of 1980
RIA--Regulatory Impact Analysis
SCADA--Supervisory control and data acquisition
[[Page 88490]]
SD--Security Directive
SDDCTEA--US Army Military Surface Deployment and Distribution
Command Transportation Engineering Agency
SOAR--Security orchestration, automation, and response
SP--Special Publication
SRP--Secure Regulatory Portal
SSI--Sensitive security information
STA--Security threat assessment
STRACNET--Strategic Rail Corridor Network
TSA--Transportation Security Administration
UMRA--Unfunded Mandates Reform Act of 1995
VADR--Validated Architecture Design Review
Table of Contents
I. Executive Summary
A. Purpose of the Regulatory Action
B. Summary of the Major Provisions
C. Costs
D. Benefits
II. Background
A. Context
1. Pipeline Transportation
2. Rail Transportation
a. Freight Railroads
b. Passenger Railroads
c. Rail Transit
3. Cybersecurity Threats
4. Threat of Cybersecurity Incidents at the Nexus of IT and OT
Systems
B. Statutory Authorities
1. TSA Surface-Related SDs and Information Circulars
2. TSA's Assessments, Guidelines, and Regulations Applicable to
Pipeline and Rail Systems
a. Pipeline Guidelines, Assessments, and Regulations
b. Regulating Railroads, Public Transportation Systems, and
OTRBs
C. References
1. National Cybersecurity Strategy
2. NIST Cybersecurity Framework
3. CISA Cross-Sector Cybersecurity Performance Goals
4. TSA's Advance Notice of Proposed Rulemaking
a. General Support and Need for Regulatory Harmonization and
Performance-Based Regulation
b. Core Elements
c. Training
d. Supply Chain
e. Third-Party Assessors
5. Regulatory Harmonization
III. Proposed Rule
A. Rule organization
1. Cybersecurity Requirements
2. Physical Security Requirements
3. General Procedures for Security Programs, SDs, and
Information Circulars
4. Relation to Other Rulemakings
B. Terms
1. General Terms
2. TSA Cybersecurity Lexicon
C. Cybersecurity Risk Management Program--General
1. Introduction
2. Applicability
a. Freight Railroads Subject to CRM Program Requirements in
Proposed Subpart D of Part 1580
b. Public Transportation Agencies and Passenger Railroads
Subject to CRM Program Requirements in Proposed Subpart C of Part
1582
c. OTRB Owner/Operators Subject to Cybersecurity Incident
Reporting Requirements in Proposed Sec. 1584.107
d. Pipeline Systems and Facilities Subject to Physical Security
Requirements in Proposed Subpart B of part 1586 and CRM Program
Requirements in Proposed Subpart C of Part 1586
e. Determinations of Applicability for Requirements in the
Proposed Rule
3. Structure of CRM Program Requirements (Proposed Sec. Sec.
1580.303, 1582.203, and 1586.203)
D. Specific CRM Program Requirements
1. Cybersecurity Evaluation (Proposed Sec. Sec. 1580.305,
1582.205, and 1586.205)
2. Cybersecurity Operational Implementation Plan (Proposed
Sec. Sec. 1580.307, 1582.207, and 1586.207)
a. General COIP Requirements
b. Governance of the CRM Program (Proposed Sec. Sec. 1580.309,
1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)
c. Identification of Critical Cyber Systems, Network
Architecture, and Interdependencies
d. Procedures, Policies, and Capabilities To Protect Critical
Cyber Systems
e. Procedures, Policies, and Capabilities To Detect
Cybersecurity Incidents (Proposed Sec. Sec. 1580.321, 1582.221, and
1586.221)
f. Procedures, Policies, and Capabilities To Respond to, and
Recover From, Cybersecurity Incidents
3. Cybersecurity Assessment Plan (Proposed Sec. Sec. 1580.329,
1582.229, and 1586.229)
4. Documentation To Establish Compliance (Proposed Sec. Sec.
1580.331, 1582.231, and 1586.231)
E. Physical Security
F. General Procedures for Security Programs, SDs, and
Information Circulars
1. General Procedures for Security Programs (Proposed Revisions
to Subpart B of Part 1570)
2. SDs and Information Circulars (Proposed Subpart C of Part
1570)
3. Exhaustion of Administrative Remedies (Proposed Sec.
1570.119)
4. Severability
5. Enforcement and Compliance
G. Summary of Applicability and Requirements
H. Compliance Deadlines and Documentation
I. Sensitive Security Information
1. Scope of the Revision to TSA's SSI Regulatory Requirements
2. Disclosure of SSI Upon the ``Need To Know''
IV. Regulatory Analyses
A. Economic Impact Analysis
1. Summary of Regulatory Impact Analysis
2. Assessments Required by E.O.s 12866 and 13563
a. Costs
b. Cost Sensitivity Analysis
c. Benefits
d. Break-Even Analysis
3. OMB A-4 Statement
4. Alternatives Considered
5. Regulatory Flexibility Assessment
6. International Trade Impact Assessment
7. Unfunded Mandates Assessment
B. Paperwork Reduction Act
C. Federalism (E.O. 13132)
D. Energy Impact Analysis (E.O. 13211)
E. Environmental Analysis
F. Tribal Consultation (E.O. 13175)
I. Executive Summary
A. Purpose of the Regulatory Action
On May 8, 2021, a Russian-based cybercriminal group, DarkSide,
conducted a ransomware attack \3\ that forced a major pipeline company
to go offline, resulting in a weeklong shutdown of 5,500 miles of
petroleum pipelines on the East Coast. Actions taken to protect the
Operational Technology (OT) system temporarily disrupted critical
supplies of gasoline and other refined petroleum products throughout
the East Coast, resulting in a regional emergency declaration.\4\ Some
news agencies reported pictures of snaking lines of cars at gas
stations across the eastern seaboard and panicked Americans filling
bags with fuel, fearing not being able to get to work or get their kids
to school. TSA subsequently used its emergency authority under 49
U.S.C. 114(l) to impose cybersecurity requirements on certain surface
transportation entities. See discussion in section II.B.
---------------------------------------------------------------------------
\3\ See definition of ``ransomware'' in 6 U.S.C. 650(22).
\4\ See, e.g., U.S. Department of Transportation, Federal Motor
Carrier Safety Administration, ESC-SSC-WSC--Regional Emergency
Declaration 2021-002--05-09-2021 (May 9, 2021), available at <a href="https://www.fmcsa.dot.gov/emergency/esc-ssc-wsc-regional-emergency-declaration-2021-002-05-09-2021">https://www.fmcsa.dot.gov/emergency/esc-ssc-wsc-regional-emergency-declaration-2021-002-05-09-2021</a> (last accessed Aug. 1, 2024).
---------------------------------------------------------------------------
The cyber threat to the country's critical infrastructure has only
increased in the time since TSA initially issued SDs to address
cybersecurity in surface transportation in 2021. Cyber threats to
surface transportation systems continue to proliferate, as both nation-
states and criminal cyber groups target critical infrastructure in
order to cause operational disruption and economic harm.\5\ Cyber
attackers have also maliciously targeted other surface transportation
modes in the United States, including freight railroads, passenger
railroads, and rail transit systems, with multiple cyberattack and
[[Page 88491]]
cyber espionage campaigns.\6\ Cybersecurity incidents, particularly
ransomware attacks, are likely to increase in the near and long term,
due in part to vulnerabilities identified by threat actors in U.S.
networks.\7\ Especially in light of the ongoing Russia-Ukraine
conflict, these threats remain elevated and pose a risk to the national
and economic security of the United States.
---------------------------------------------------------------------------
\5\ Annual Threat Assessment of the U.S. Intelligence Community,
Office of the Director of National Intelligence (2024 Intelligence
Community Assessment), 11, 16 (Feb. 5, 2024), available at <a href="https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf">https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf</a> (last accessed July 23, 2024). Note: Infrastructure
references in this 2024 assessment include pipelines.
\6\ These activities include the January 2023 breach of the
Washington Metropolitan Area Transit Authority; the January 2023
breach of San Francisco's Bay Area Rapid Transit System; and the
April 2021 breach of New York City's Metropolitan Transportation
Authority (the nation's largest mass transit agency) by hackers
linked to the Chinese government. This threat is ongoing: on
February 7, 2024, CISA published an advisory warning of the threat
posed by PRC state-sponsored actors. See Cybersecurity Advisory
(AA24-038A), PRC State-Sponsored Actors Compromise and Maintain
Persistent Access to U.S. Critical Infrastructure, released by CISA
on Feb. 7, 2024.
\7\ Alert (AA22-040A), 2021 Trends Show Increased Globalized
Threat of Ransomware, released by CISA on February 10, 2022 (as
revised).
---------------------------------------------------------------------------
In its 2023 annual assessment, the Intelligence Community noted
that ``China almost certainly is capable of launching cyber-attacks
that could disrupt critical infrastructure services within the United
States, including against oil and gas pipelines, and rail systems.''
\8\ Notably, ``[i]f Beijing believed that a major conflict with the
United States were imminent, it almost certainly would consider
aggressive cyber operations against U.S. homeland critical
infrastructure and military assets worldwide. Such a strike would be
designed to deter U.S. military action by impeding U.S. decision-
making, inducing societal panic, and interfering with the deployment of
U.S. forces.'' \9\ In addition, ``Russia maintains its ability to
target critical infrastructure . . . in the United States as well as in
allied and partner countries'' and ``Tehran's opportunistic approach to
cyber-attacks puts U.S. infrastructure at risk for being targeted.''
\10\ Furthermore, ``malicious cyber actors have begun testing the
capabilities of AI-developed malware and AI-assisted software
development--technologies that have the potential to enable larger
scale, faster, efficient, and more evasive cyber-attacks--against
targets, including pipelines, railways, and other US critical
infrastructure.'' \11\
---------------------------------------------------------------------------
\8\ Annual Threat Assessment of the U.S. Intelligence Community,
Office of the Director of National Intelligence (2023) (2023
Intelligence Community Assessment), 10 (Feb. 6, 2023), available at
<a href="https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf">https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf</a> (last accessed July 23, 2024).
\9\ 2023 Intelligence Community Assessment at 10.
\10\ 2024 Intelligence Community Assessment at 11.
\11\ DHS Intelligence and Analysis (I&A), Homeland Threat
Assessment 18 (2024), available at <a href="https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf">https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf</a> (last accessed July 23, 2024).
---------------------------------------------------------------------------
While TSA had issued recommendations to strengthen the
cybersecurity of pipeline facilities and systems, see discussion in
Section II.B.2. of this NPRM, reliance on voluntary actions may not be
sufficient in light of the cyber threat to our national and economic
security. As noted in the National Cybersecurity Strategy, ``While
voluntary approaches to critical infrastructure cybersecurity have
produced meaningful improvements, the lack of mandatory requirements
has resulted in inadequate and inconsistent outcomes. Today's
marketplace insufficiently rewards--and often disadvantages--the owners
and operators of critical infrastructure who invest in proactive
measures to prevent or mitigate the effects of cyber incidents.'' \12\
---------------------------------------------------------------------------
\12\ See National Cybersecurity Strategy at 8 (March 2023),
available at <a href="https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf">https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf</a> (last accessed July 29,
2024).
---------------------------------------------------------------------------
The requirements proposed in this rule would strengthen
cybersecurity and resiliency for the surface transportation sector by
mandating reporting of cybersecurity incidents and development of a
robust CRM program. This rulemaking builds upon TSA's previously issued
requirements and recommendations, the cybersecurity framework (CSF)
developed by the National Institute of Standards and Technology
(NIST),\13\ and the Cross-Sector Cybersecurity Performance Goals (CPGs)
developed by the Cybersecurity and Infrastructure Security Agency
(CISA).\14\
---------------------------------------------------------------------------
\13\ See <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf</a>
(last accessed May 5, 2024) for more information on the NIST
Cybersecurity Framework (CSF) 2.0.
\14\ See <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">https://www.cisa.gov/cross-sector-cybersecurity-performance-goals</a> (last accessed Sept. 22, 2023) for more
information on the CPGs. A table that aligns the NIST CSF, CPGs, and
proposed requirements is available in the docket for this
rulemaking.
---------------------------------------------------------------------------
B. Summary of the Major Provisions
This NPRM proposes to require owner/operators \15\ of designated
freight railroads, passenger railroads, rail transit, and pipeline
facilities and/or systems to have a CRM program approved by TSA. The
proposed CRM program includes three primary elements. First, owner/
operators to whom the proposed rule applies would be required to
annually conduct an enterprise-wide cybersecurity evaluation that would
identify the current profile of cybersecurity (including physical and
logical/virtual controls) compared to the target profile. The target
profile must, at a minimum, include the security outcomes identified in
the proposed rule and should also consider recommendations in the NIST
CSF.\16\
---------------------------------------------------------------------------
\15\ See 49 CFR 1500.3 for the definition of ``owner/operators''
as used in this rulemaking.
\16\ See NIST CSF, supra note 13.
---------------------------------------------------------------------------
Second, those owner/operators would be required to develop a COIP
that includes the following information: (a) identification of
individuals/positions responsible for the governance of the owner/
operator's CRM program, including an accountable executive and
Cybersecurity Coordinator(s); (b) identification of Critical Cyber
Systems, specific network architecture issues, and baseline
communications; (c) detailed measures to protect these Critical Cyber
Systems; (d) detailed measures to detect cybersecurity incidents and
monitor these Critical Cyber Systems; and (e) measures to address
response to, and recovery from, a cybersecurity incident. Although many
of these measures for the COIP are limited to Critical Cyber Systems,
all owner/operators within the proposed scope of applicability would be
required to have a Cybersecurity Incident Response Plan (CIRP),
regardless of whether they identify any Critical Cyber Systems.
Third, owner/operators subject to the proposed rule would be
required to have a CAP that includes a schedule for assessments, an
annual report of assessment results, and identification of unaddressed
vulnerabilities. Owner/operators would also be required to ensure any
individuals or companies assigned or hired to evaluate the
effectiveness of the owner/operator's CRM program are independent,
i.e., do not have a personal, financial interest in the results of the
assessment.
As part of this rule, TSA also is proposing to reorganize
requirements in subchapter D of 49 CFR chapter XII related to security
coordinators, reporting significant security concerns, and security
training of security-sensitive employees. TSA would move these
requirements from 49 CFR part 1570 and add them to the specific modal
requirements in parts 1580, 1582, 1584, and a new part 1586, which is
applicable to pipeline systems and facilities.\17\ In general, the
applicability of proposed requirements related to designation of a
cybersecurity coordinator and reporting cybersecurity
[[Page 88492]]
incidents align with the current requirements for designation of a
(physical) security coordinator and reporting of significant (physical)
security concerns under 49 CFR 1570.201 and 1570.203.
---------------------------------------------------------------------------
\17\ TSA may make related revisions to organization of a
rulemaking that would finalize proposed requirements in the NPRM,
Vetting of Certain Surface Transportation Employees, 88 FR 33472
(May 23, 2023).
---------------------------------------------------------------------------
TSA is also proposing to distinguish between requirements focused
on physical security and those focused on cybersecurity. As part of
this reorganization and proposed imposition of new cybersecurity
requirements, TSA is proposing that all owner/operators currently
required to report significant security concerns to TSA, under current
49 CFR 1570.203,\18\ report significant physical security concerns to
TSA and report cybersecurity incidents to CISA. TSA is proposing that
owner/operators of designated pipeline facilities and systems also
report both physical and cybersecurity incidents.
---------------------------------------------------------------------------
\18\ See also Appendix A to 49 CFR part 1570.
---------------------------------------------------------------------------
Finally, TSA is proposing to incorporate into subchapter D a new
section related to issuance of SDs and Information Circulars (ICs),
mirroring language currently applicable in the aviation industry.
Adding this section would ensure consistent procedures for issuance of
SDs and ICs across all modes of transportation subject to TSA's
authorities.
C. Costs
TSA estimates the proposed rule would impact just under 300 surface
transportation owner/operators. Using the risk-based criteria for
application discussed below, see Section III.C.2., TSA estimates these
proposed requirements would apply to 73 of the approximately 620
freight railroads currently operating in the United States; 34 of the
approximately 92 public transportation agencies and passenger railroads
(PTPR) operating in the United States; 71 OTRB owner/operators who are
currently subject to TSA's regulatory requirements to report
significant security concerns; and 115 of the approximately 2,105
pipeline facilities and systems subject to safety regulations issued by
the Pipeline and Hazardous Materials Safety Administration (PHMSA), as
codified in 49 CFR part 192 and 49 CFR 195.1.\19\
---------------------------------------------------------------------------
\19\ The proposed applicability for pipeline facilities and
systems specifically excludes U.S. facilities specified in 33 CFR
105.105(a) that are regulated under 33 CFR part 105 or facilities
specified in 33 CFR 106.105(a) that are regulated under 33 CFR part
106.
---------------------------------------------------------------------------
Table 1 identifies TSA's estimates for the overall cost of this
proposed rule. This table captures the industry's costs associated with
implementing the proposed requirements as well as TSA's costs for
overseeing implementation, over a 10-year period of analysis. See
Section IV of this NPRM and the related Regulatory Impact Analysis for
a more detailed breakdown of the estimated costs.
Table 1--Cost of Final Rule
----------------------------------------------------------------------------------------------------------------
                                                                             Estimated costs (over 10 years,
                                                                                 discounted at 7 percent)
----------------------------------------------------------------------------------------------------------------
Freight Railroads.......................................................            $685,776,600
Passenger Railroads and Rail Transit....................................             881,136,800
OTRBs...................................................................                 215,900
Pipeline Facilities and Systems.........................................             580,183,200
TSA.....................................................................              14,241,200
                                                                                   ---------------
    Total...............................................................           2,161,553,800
                                                                                   ---------------
    Annualized..........................................................             307,756,600
----------------------------------------------------------------------------------------------------------------
D. Benefits
The primary benefit of the proposed rule is a potential reduction
in the risk of a successful attack or cybersecurity incident and the
impact of such incidents as a result of implementing the proposed
requirements. Implementation of a CRM program, as described under the
proposed rule, could help enhance the security of the regulated
population by improving the owner/operator's ability to identify,
detect, protect against, respond to, and recover from cybersecurity
incidents.
The proposed cybersecurity outcomes this rule would require provide
owner/operators with a blueprint for improving defenses against
cybersecurity incidents. Industry experience indicates that having a
defense-in-depth approach to cybersecurity enhances the ability to
prevent and respond to breaches of operational systems and compromises
of sensitive information.\20\ TSA anticipates the proposed rule's
requirements, such as enhancing system security, maintaining backups,
monitoring systems, and developing a response plan, would strengthen
cybersecurity defenses over the long term. For instance, depending on
the individual circumstances of a given cyber-attack or cybersecurity
incident--
---------------------------------------------------------------------------
\20\ Well-designed security systems have been credited for
limiting damages in recent cyber incident cases: See ABC7 New York,
Hackers breached several of MTA's computer systems in April (June 2,
2021), available at <a href="https://abc7ny.com/mta-hack-computer-nyc-new-york-city/10734358/">https://abc7ny.com/mta-hack-computer-nyc-new-york-city/10734358/</a> (last accessed Sept. 28, 2023).
---------------------------------------------------------------------------
• A commitment to patch management, system segmentation, and
firewalls could limit the resources potential malicious actors would be
able to access during an intrusion; \21\
---------------------------------------------------------------------------
\21\ See, e.g., outcomes associated with the following CISA CPGs
available at <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">https://www.cisa.gov/cross-sector-cybersecurity-performance-goals</a> (last accessed June 10, 2024): CISA CPG 1.E.
---------------------------------------------------------------------------
• The presence of backups could allow for system
restoration, data recovery, and unhindered system operations; \22\
---------------------------------------------------------------------------
\22\ See, e.g., id. at CISA CPG 2.R.
---------------------------------------------------------------------------
• Continuous monitoring of the network could help to detect
and respond to potential threats and limit system degradation; \23\ and
---------------------------------------------------------------------------
\23\ See, e.g., id. at CISA CPGs 2.A, 2.F., 2.G. and 3.A.
---------------------------------------------------------------------------
• Having a response plan in place in case of a successful
cyber-attack or cybersecurity incident would reduce its impact, build
in resiliency, and support rapid resumption of normal operations.\24\
---------------------------------------------------------------------------
\24\ See, e.g., id. at CISA CPGs 2.O, 2.P, 2.R., 2.S., and 2.T.
---------------------------------------------------------------------------
These enhancements, in turn, could reduce the chance of negative
consequences and service interruptions from cybersecurity incidents to
the benefit of owners/operators, passengers, and consumers.
[[Page 88493]]
II. Background
A. Context
1. Pipeline Transportation
The national pipeline system consists of more than 2.9 million
miles of networked pipelines transporting hazardous liquids, natural
gas, and other liquids and gases for energy needs and
manufacturing.\25\ Although most pipeline infrastructure is buried
underground, operational elements such as compressors, metering,
regulating, pumping stations, aerial crossings, and breakout tanks are
typically located above ground. Under operating pressure, the pipeline
system is used as a conveyance to deliver resources from one location
to another. In addition to portions of the network that are manually
operated, the pipeline system includes use of automated industrial
control systems (ICS), such as supervisory control and data acquisition
(SCADA) systems to monitor and manage pipeline operations. These
systems use remote sensors, signals, and preprogrammed parameters to
activate valves and pumps to maintain product flows within tolerances.
Pipeline systems supply energy commodities and raw materials across the
country to utilities, airports, military sites, and to the nation's
industrial and manufacturing sectors. Protecting the vital supply chain
infrastructure of pipeline operations is critical to national security
and commerce.
---------------------------------------------------------------------------
\25\ Mileage information is available at <a href="https://www.phmsa.dot.gov/data-and-statistics/pipeline/annual-report-mileage-summary-statistics">https://www.phmsa.dot.gov/data-and-statistics/pipeline/annual-report-mileage-summary-statistics</a> (last accessed Nov. 30, 2023).
---------------------------------------------------------------------------
2. Rail Transportation
The rail transportation sector includes freight railroads,
passenger railroads (including inter-city and commuter), and rail
transit.
a. Freight Railroads
The national freight rail network is a complex system that includes
both physical and cyber infrastructure and consists of more than 620
freight railroads operating across nearly 140,000 rail miles. This
sector includes six Class I railroads,\26\ local (also known as Short
Line) railroads, and regional railroads. The Class I railroads had
calendar year 2021 operating revenues of at least $900 million. These
six railroads also account for approximately 68 percent of freight rail
mileage, 88 percent of employees, and 94 percent of revenue. Regional
railroads and local railroads range in size from operations handling a
few carloads monthly to multi-state operators nearly the size of a
Class I operation.\27\ As stated by the Association of American
Railroads (AAR), the freight rail sector provides ``a safe, efficient,
and cost-effective transportation network that reliably serves
customers and the nation's economy.'' \28\
---------------------------------------------------------------------------
\26\ For purposes of TSA's regulations, ``Class I'' means
``Class I'' as assigned by regulations of the Surface Transportation
Board (STB) (49 CFR part 1201; General Instructions 1-1). See also
infra note 123.
\27\ See <a href="https://www.aar.org/wp-content/uploads/2020/08/AAR-Railroad-101-Freight-Railroads-Fact-Sheet.pdf">https://www.aar.org/wp-content/uploads/2020/08/AAR-Railroad-101-Freight-Railroads-Fact-Sheet.pdf</a> (May 2023 update, last
accessed June 3, 2023).
\28\ Id.
---------------------------------------------------------------------------
Freight railroads are private entities that own and are responsible
for their own infrastructure.\29\ They maintain the locomotives,
rolling stock, and fixed assets involved in the transportation of goods
and materials across the nation's rail system. As required by Congress,
railroads are subject to safety regulations promulgated and enforced by
the Federal Railroad Administration (FRA). TSA administers and enforces
the rail security regulations in 49 CFR part 1580.
---------------------------------------------------------------------------
\29\ Id.
---------------------------------------------------------------------------
b. Passenger Railroads
Passenger rail is divided into two categories: inter-city and
commuter rail service. Inter-city provides long-distance service, while
commuter railroads provide service over shorter distances, usually less
than 100 miles. The National Railroad Passenger Corporation (Amtrak) is
the sole long-distance inter-city passenger railroad in the contiguous
United States. Amtrak, which had a pre-pandemic annual ridership of
approximately 31.7 million, operates a nationwide rail network, serving
more than 500 destinations in 46 states, the District of Columbia, and
three Canadian provinces on more than 21,300 track-miles.\30\ Nearly
half of all Amtrak trains operate at top speeds of 100 mph or greater.
In fiscal year 2023, Amtrak customers took nearly 28.6 million trips,
up 24 percent over the previous year.\31\ In addition to inter-city
service, Amtrak is one of the largest operators of contract commuter
services in North America, providing services and/or infrastructure
access to 13 state and regional authorities.\32\
---------------------------------------------------------------------------
\30\ See <a href="https://www.apta.com/wp-content/uploads/APTA_Fact-Book-2019_FINAL.pdf">https://www.apta.com/wp-content/uploads/APTA_Fact-Book-2019_FINAL.pdf</a> (last accessed Sept. 19, 2022).
\31\ See <a href="https://media.amtrak.com/2023/11/amtrak-fiscal-year-2023-ridership-exceeds-expectations-as-demand-for-passenger-rail-soars/">https://media.amtrak.com/2023/11/amtrak-fiscal-year-2023-ridership-exceeds-expectations-as-demand-for-passenger-rail-soars/</a> (last accessed July 30, 2024).
\32\ See <a href="https://www.amtrak.com/content/dam/projects/dotcom/english/public/documents/corporate/nationalfactsheets/Amtrak-Company-Profile-FY2023-041824.pdf">https://www.amtrak.com/content/dam/projects/dotcom/english/public/documents/corporate/nationalfactsheets/Amtrak-Company-Profile-FY2023-041824.pdf</a>. at 4 (last accessed July 30,
2024).
---------------------------------------------------------------------------
Freight railroads provide the tracks for most passenger rail
operations. For example, 71 percent of the track on which Amtrak
operates is owned by other railroads. These ``host railroads'' include
large, publicly traded freight rail companies in the U.S. or Canada,
State and Local government agencies, and small businesses. Amtrak pays
the host railroads for use of their track and other resources as
needed.\33\
---------------------------------------------------------------------------
\33\ Id. at 2.
---------------------------------------------------------------------------
Amtrak and other passenger rail agencies, however, are not wholly
dependent on freight rail infrastructure and corridors for operational
feasibility; they sometimes control, operate, and maintain tracks,
facilities, construction sites, utilities, and computerized networks
essential to their own operations. For example, the Northeast Corridor
is an electrified railway line in the Northeast megalopolis of the
United States owned primarily by Amtrak. It runs from Boston through
New York City, Philadelphia, and Baltimore, with a terminus in
Washington, DC. The majority of this corridor, 263 of the 457 route-
miles of the main line, are owned and operated by Amtrak.\34\
---------------------------------------------------------------------------
\34\ Id. at 4.
---------------------------------------------------------------------------
Amtrak and other passenger railroads also host freight rail
operations. In fact, the Northeast Corridor is the busiest railroad in
North America, with approximately 2,000 Amtrak, commuter, and freight
trains operating over some portion of the Washington-Boston route each
day.\35\ As with freight railroads, passenger railroads are subject to
safety regulations put forth and enforced by the FRA. TSA administers
and enforces passenger rail security regulations in 49 CFR part 1582.
---------------------------------------------------------------------------
\35\ Id.
---------------------------------------------------------------------------
c. Rail Transit
Public transportation in America is critically important to our way
of life, as evidenced by the number of riders on the nation's public
transportation systems. According to the American Public Transportation
Association (APTA), 2022 Public Transportation Fact Book, there were
over 4.49 billion unlinked passenger trips in 2021.\36\ Nationwide, 5.0
million Americans commute to work on transit, equivalent to
approximately 3.1 percent of workers. In major metropolitan areas, like
New York City, over 27 percent of commuters rely on public
transportation for their
[[Page 88494]]
daily commute.\37\ Rail transit is a critical part of this system.
According to APTA, 87 percent of trips on transit directly benefit the
local economy, including the 50 percent of trips that are to and from
work and the 37 percent that are for shopping and recreational spending.\38\ A
successful cyber-attack would have a profound impact on ridership and a
negative economic impact nationwide. TSA administers and enforces rail
transit security regulations in 49 CFR part 1582.
---------------------------------------------------------------------------
\36\ See APTA, 2023 Public Transportation Fact Book at 3,
available at <a href="https://www.apta.com/wp-content/uploads/APTA-2023-Public-Transportation-Fact-Book.pdf">https://www.apta.com/wp-content/uploads/APTA-2023-Public-Transportation-Fact-Book.pdf</a> (last accessed July 30, 2024).
Unlinked passenger trips are an industry measure of ridership, with
a trip being defined as any time a person boards a transit vehicle,
including transfers.
\37\ Id. at 12.
\38\ Id. at 3. Rail transit includes heavy rail systems, often
referred to as ``subways'' or ``metros'' that do not interact with
traffic; light rail and streetcars, often referred to as ``surface
rail,'' that may operate on streets, with or without their own
dedicated lanes; and commuter rail services that are higher-speed,
higher-capacity trains with less-frequent stops.
---------------------------------------------------------------------------
3. Cybersecurity Threats
Threat actors have demonstrated their willingness to engage in
cyber intrusions and conduct cybersecurity incidents against critical
infrastructure by exploiting vulnerabilities in OT \39\ and Information
Technology (IT) \40\ systems. Pipeline and rail systems, and associated
facilities, may be vulnerable to cybersecurity incidents due to legacy
ICS that lack updated security controls and the dispersed nature of
pipeline and rail networks spanning urban and outlying areas.\41\
---------------------------------------------------------------------------
\39\ For purposes of this NPRM, TSA defines an ``OT system'' as
``a general term that encompasses several types of control systems,
including industrial control systems, supervisory control and data
acquisition systems, distributed control systems, and other control
system configurations, such as programmable logic controllers, fire
control systems, and physical access control systems, often found in
the industrial sector and critical infrastructure. Such systems
consist of combinations of programmable electrical, mechanical,
hydraulic, pneumatic devices or systems that interact with the
physical environment or manage devices that interact with the
physical environment.''
\40\ For purposes of this NPRM, TSA defines an ``IT System'' as
``any services, equipment, or interconnected systems or subsystems
of equipment that are used in the automatic acquisition, storage,
analysis, evaluation, manipulation, management, movement, control,
display, switching, interchange, transmission, or reception of data
or information that fall within the responsibility of owner/operator
to operate and/or maintain.''
\41\ See CISA, Securing Industrial Control Systems: A Unified
Initiative (FY 2019-2023) at 4, available at <a href="https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf">https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf</a> (last accessed Aug.
30, 2023).
---------------------------------------------------------------------------
As pipeline and rail owner/operators have begun to integrate IT and
OT systems into their operating environment to further improve safety,
enable efficiencies, and/or increase automation, their operations
become increasingly vulnerable to new and evolving cyber threats. A
successful cyber-intrusion could affect the safe operation and
reliability of OT systems, including SCADA systems, process control
systems, distributed control systems, safety control systems,
measurement systems, and telemetry systems.
From a design perspective, some pipeline and rail assets are more
attractive targets for a cybersecurity incident simply because of
the transported commodity and the impact an incident would have on
national security and commerce. Minor pipeline and rail system
disruptions may result in commodity price increases, while prolonged
pipeline and rail operational disruptions could lead to widespread
energy shortages and disruption of critical supply lines. Short- and
long-term disruptions and delays may affect other domestic critical
infrastructure and industries that depend on pipeline and rail system
commodities, such as our national defense system.
The May 2021 DarkSide attack on a major pipeline company is just
one of many recent ransomware attacks that have demonstrated the
necessity of ensuring that critical infrastructure owner/operators are
proactively deploying CRM measures. The Multi-State Information Sharing
and Analysis Center observed a 153 percent increase in the number of
ransomware attacks reported by State, Local, Tribal, and Territorial
governments in the one-year period from 2018 to 2019, including both
opportunistic and strategic campaigns.\42\ The need to mitigate the
threats facing domestic critical infrastructure, including by enhancing
the pipeline and rail industry's current cybersecurity risk management
posture, is further highlighted by recent warnings about Russian,\43\
Chinese,\44\ and Iranian \45\ state-sponsored cyber espionage campaigns
to develop capabilities to disrupt U.S. critical infrastructure to
include the transportation sector.\46\ Failure to take action could
have significant implications for national and economic security.
---------------------------------------------------------------------------
\42\ See MS-ISAC Security Primer 2020-0002 (May 2020), available
at <a href="https://www.cisecurity.org/insights/white-papers/security-primer-ransomware">https://www.cisecurity.org/insights/white-papers/security-primer-ransomware</a> (last accessed June 3, 2023).
\43\ See 2023 Intelligence Community Assessment, supra note 9,
at 15.
\44\ See id. at 10.
\45\ See id. at 19.
\46\ In addition to the resources available at the cites
referenced in the preceding notes, additional information is
available on CISA's advisories organized by state-sponsored groups,
i.e., <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china">https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china</a> (China Cyber Threat Overview and
Advisories); <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/russia">https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/russia</a> (Russian Cyber Threat
Overview and Advisories); and <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran">https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran</a> (Iran Cyber
Threat Overview and Advisories). See also FBI Private Industry
Bulletin TRITON Malware Remains Threat to Global Critical
Infrastructure Industrial Control Systems (Mar. 24, 2022), available
at <a href="http://docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD009.pdf">docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD009.pdf</a> (last accessed Sept. 22, 2023).
---------------------------------------------------------------------------
On March 24, 2022, the U.S. Department of Justice unsealed
indictments of three Russian Federal Security Service (FSB) officers
and employees of a State Research Center of the Russian Federation
Central Scientific Research Institute of Chemistry and Mechanics for
their involvement in intrusion campaigns against U.S. and international
oil refineries, nuclear facilities, and energy companies. Documents
revealed that the Russian FSB conducted a multi-stage campaign in which
they gained remote access to U.S. and international Energy Sector
networks, deployed ICS-focused malware, and collected and exfiltrated
enterprise and ICS-related data.\47\ A recent multi-national
cybersecurity advisory noted that ``Russian state-sponsored cyber
actors have demonstrated capabilities to compromise IT networks;
develop mechanisms to maintain long-term, persistent access to IT
networks; exfiltrate sensitive data from IT and [OT] networks; and
disrupt critical (ICS)/OT functions by deploying destructive malware.''
\48\
---------------------------------------------------------------------------
\47\ The superseding indictment is available at https://www.justice.gov/opa/pr/us-citizens-and-russian-intelligence-officers-charged-conspiring-use-us-citizens-illegal#:~:text=Among%20other%20illegal%20activities%2C%20the,for%20local%20office%20in%20St. (Department of Justice Press Release, U.S.
Citizens and Russian Intelligence Officers Charged with Conspiring
to Use U.S. Citizens as Illegal Agents of the Russian Government,
Apr. 18, 2023) (last accessed Sept. 25, 2023); see also Joint
Cybersecurity Advisory, Tactics, Techniques, and Procedures of
Indicted State-Sponsored Russian Cyber Actors Targeting the Energy
Sector, Alert AA22-083A (Mar. 24, 2022), available at <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-083a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-083a</a> (last
accessed Dec. 29, 2023).
\48\ See Joint Cybersecurity Advisory, Russian State Sponsored
and Criminal Cyber Threat to Critical Infrastructure, Alert AA22-
110A (Apr. 20, 2022), available at <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-110a">https://www.cisa.gov/uscert/ncas/alerts/aa22-110a</a> (last accessed Dec. 29, 2023).
---------------------------------------------------------------------------
The nation's adversaries and strategic competitors will continue to
use cyber espionage and cyber-attacks to seek political, economic, and
military advantage over the United States and its allies and partners.
These recent incidents demonstrate the potentially devastating impact
that increasingly sophisticated cybersecurity incidents can have on our
nation's critical infrastructure, as well as the direct repercussions
felt by U.S. citizens. The
[[Page 88495]]
consequences and threats discussed above demonstrate the necessity of
ensuring that critical infrastructure owner/operators are proactively
deploying CRM measures.
4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems
Some sectors have taken significant steps to protect either their
IT or OT systems, depending on which is considered most critical for
their business needs (e.g., a commodities sector may focus on OT
systems while a financial sector or other business that focuses on data
may focus on IT systems). Ransomware attacks targeting critical
infrastructure threaten both IT and OT systems and exploit the
connections between these systems. For example, when OT components are
connected to IT networks, this connection provides a path for cyber
actors to pivot from IT to OT systems.\49\ Given the importance of
critical infrastructure to national and economic security, accessible
OT systems and their connected assets and control structures are an
attractive target for malicious cyber actors seeking to disrupt
critical infrastructure for profit or to further other objectives.\50\
As CISA notes, recent cybersecurity incidents demonstrate that
intrusions affecting IT systems can also affect critical operational
processes even if the intrusion does not directly impact an OT
system.\51\ For example, business operations on the IT system sometimes
are used to orchestrate OT system operations. As a result, when there
is a compromise of the IT system, there is a risk of unaffected OT
systems being impacted by the loss of operational directives and
accounting functions.
---------------------------------------------------------------------------
\49\ See CISA Fact Sheet, Rising Ransomware Threat to
Operational Technology Assets (June 2021), available at <a href="https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf</a> (last accessed June
3, 2023).
\50\ Id.
\51\ Id.
---------------------------------------------------------------------------
DHS, the Department of Energy (DOE), the Federal Bureau of
Investigation, and the National Security Agency have all urged the
private sector to implement a layered, ``defense-in-depth''
cybersecurity posture. For example, ensuring that OT and IT systems are
separate and segregated will help protect against intrusions that can
exploit vulnerabilities from one system and move laterally to infect
another. A stand-alone, unconnected (``air-gapped'') OT system is safer
from outside threats than an OT system connected to one or more
enterprise IT systems with external connectivity (no matter how secure
the outside connections are thought to be).\52\ By implementing a
layered approach, owner/operators and their network administrators will
enhance the defensive cybersecurity posture of their OT and IT systems,
reducing the risk of compromise or severe operational degradation if
their system is compromised by malicious cyber actors.\53\
---------------------------------------------------------------------------
\52\ See National Security Agency Cybersecurity Advisory, Stop
Malicious Cyber Activity Against Connected Operational Technology
(PP-21-0601 | APR 2021 Ver 1.0), available at <a href="https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF">https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF</a> (last accessed Sept. 19, 2022).
\53\ See Joint Cybersecurity Advisory, Chinese Gas Pipeline
Intrusion Campaign, 2011 to 2013 (Alert AA21-200A), available at
<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-201a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-201a</a>
(last accessed Sept. 19, 2024).
---------------------------------------------------------------------------
The cyber threat to our nation's critical infrastructure has only
increased in the time since TSA's first cybersecurity SD was issued.
The surface transportation sector, including the oil and gas pipeline
industry, is increasingly dependent on automation and use of connected
technology.\54\ Cyber threats to surface transportation systems
continue to proliferate as both nation-state actors and criminal cyber
groups are actively targeting oil and natural gas pipelines with the
potential to cause operational disruption and economic harm. Ransomware
attacks are likely to increase in the near and long term, due in part
to vulnerabilities identified by threat actors in U.S. networks, while
nation-state actors continue to target U.S. infrastructure for
disruptive cyberattack options in a crisis or conflict.\55\ These
threats and their potential consequences to critical transportation
systems and infrastructure demonstrate the need for TSA to ensure
owner/operators continue to proactively deploy cybersecurity risk
management measures.
---------------------------------------------------------------------------
\54\ See written testimony of Eric Goldstein, Executive
Assistant Director for Cybersecurity CISA, Joint Hearing Before the
Subcommittee on Cybersecurity, Infrastructure Protection, and
Innovation, and the Subcommittee on Transportation and Maritime
Security, U.S. House of Representatives Committee on Homeland
Security, Cyber Threats in the Pipeline: Lessons from the Federal
Response to the Colonial Pipeline Ransomware Attack (June 15, 2021).
\55\ See 2023 Intelligence Community Assessment, supra note 8,
for open-source information on the cybersecurity threat. See also
2024 Intelligence Community Assessment, supra note 5.
---------------------------------------------------------------------------
Protecting this critical and interconnected sector, and the
consumers that rely on it, from the impact of cybersecurity incidents
cannot be accomplished on an ad hoc basis that relies entirely on
voluntary action. The pipeline sector is an interconnected system. As
noted by the Interstate Natural Gas Association of America, ``natural
gas transmission systems have numerous interconnection points and
market hubs. . . . There are no major interstate pipelines that operate
in isolation, i.e., without interconnection with at least one or more
other pipelines.'' \56\ As noted by the PHMSA, ``[p]ipelines play a
vital role in our daily lives. They transport fuels and petrochemical
feedstocks that we use in cooking and cleaning, in our daily commutes
and travel, in heating our homes and businesses, and in manufacturing
hundreds of products we use daily.'' \57\
---------------------------------------------------------------------------
\56\ The Interstate Natural Gas Association of America, The
Interstate Natural Gas Transmission System: Scale, Physical
Complexity, and Business Model, at 1-2 (Aug. 6, 2010).
\57\ PHMSA, Pipeline Basics, available at <a href="https://primis.phmsa.dot.gov/comm/PipelineBasics.htm">https://primis.phmsa.dot.gov/comm/PipelineBasics.htm</a> (last accessed July 29,
2024).
---------------------------------------------------------------------------
Similarly, with the nation's rail system, railroads move over 1.5
billion tons of freight annually,\58\ and a disruption to this movement
would have damaging ripple effects across industries, including on
international trade. In the rail system, the implementation of positive
train control (PTC) systems has resulted in a far more interconnected
rail system than previously existed in the United States. The
interoperability of PTC systems occurs when the ``controlling
locomotives and/or cab cars of any host railroad and tenant railroad
operating on the same PTC-equipped main line are able to communicate
with and respond to the PTC system, even when trains are moving over
property boundaries.'' \59\ The nation's economic security relies on
freight rail owner/operators to transport critical manufacturing
materials, food products, lumber, coal, and other materials critical to
the supply chain. These railroads also host major passenger and
commuter rail lines.\60\ The nature of these systems requires a
baseline of cybersecurity risk management across the highest-risk
operations to protect these vital resources to national security,
including economic security.
---------------------------------------------------------------------------
\58\ See https://www.aar.org/data-center/railroads-states/#:~:text=In%20a%20typical%20year%2C%20U.S.,nearly%20140%2C000%20miles%20of%20track (last accessed July 31, 2024).
\59\ See Joanna Marsh, PTC is interoperable on nearly half of the
Class I U.S. rail operations (posted Feb. 28, 2020), available at
<a href="https://www.freightwaves.com/news/u-s-class-i-railroads-inch-towards-full-positive-train-control-implementation">https://www.freightwaves.com/news/u-s-class-i-railroads-inch-towards-full-positive-train-control-implementation</a>
(last accessed July 29, 2024).
\60\ Id.
---------------------------------------------------------------------------
[[Page 88496]]
B. Statutory Authorities
The security of the nation's transportation systems is vital to the
economic health and security of the United States. Ensuring
transportation security while promoting the movement of legitimate
travelers and commerce is a critical counter-terrorism mission assigned
to TSA.
Following the attacks of September 11, 2001, Congress created TSA
under the Aviation and Transportation Security Act (ATSA) and
established the agency's primary federal role to enhance security for
all modes of transportation.\61\ The scope of TSA's authority includes
assessing security risks,\62\ developing security measures to address
identified risks,\63\ and enforcing compliance with these measures.\64\
TSA has broad regulatory authority to issue, rescind, and revise
regulations as necessary to carry out its transportation security
functions.
---------------------------------------------------------------------------
\61\ Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001). ATSA
created TSA as a component of the DOT. See 49 U.S.C. 114, which
codified section 101 of ATSA. Section 403(2) of the Homeland
Security Act of 2002 (HSA), Public Law 107-296, 116 Stat. 2135 (Nov.
25, 2002), transferred all functions related to transportation
security, including those of the Secretary of Transportation and the
Under Secretary of Transportation for Security, to the Secretary of
Homeland Security. Pursuant to DHS Delegation Number 7060.02.1, the
Secretary delegated to the Administrator, subject to the Secretary's
guidance and control, the authority vested in the Secretary with
respect to TSA, including the authority in sec. 403(2) of the HSA.
See also 49 U.S.C. 114(d), which specifically gives the
Administrator authority over all modes of transportation regulated
by the Department of Transportation at the time TSA was established.
\62\ See, e.g., 49 U.S.C. 114(f)(1)-(3).
\63\ See, e.g., 49 U.S.C. 114(f)(4), (10), and (11).
\64\ See, e.g., 49 U.S.C. 114(f)(7) and (9).
---------------------------------------------------------------------------
1. TSA Surface-Related SDs and Information Circulars
Under 49 U.S.C. 114(l)(2)(A), TSA is authorized to issue emergency
regulations or SDs without providing notice or public comment where
``the Administrator determines that a regulation or security directive
must be issued immediately in order to protect transportation
security.'' \65\ SDs issued pursuant to the procedures in 49 U.S.C.
114(l)(2) ``shall remain effective for a period not to exceed 90 days
unless ratified or disapproved by the [Transportation Security
Oversight] Board [(TSOB)] or rescinded by the Administrator.'' \66\
---------------------------------------------------------------------------
\65\ This provision states: ``Notwithstanding any other
provision of law or executive order (including an executive order
requiring a cost-benefit analysis), if the Administrator [of TSA]
determines that a regulation or security directive must be issued
immediately in order to protect transportation security, the
Administrator shall issue the regulation or security directive
without providing notice or an opportunity for comment and without
prior approval of the Secretary.'' In addition, section 114(d)
provides the Administrator authority for security of all modes of
transportation; section 114(f) provides specific additional duties
and powers to the Administrator; and section 114(m) provides
authority for the Administrator to take actions that support other
agencies.
\66\ 49 U.S.C. 114(l)(2)(B).
---------------------------------------------------------------------------
TSA issued SDs in 2021 and 2022 \67\ in response to the
cybersecurity threat to surface transportation systems and associated
infrastructure to protect against the significant harm to the national
and economic security of the United States that could result from the
``degradation, destruction, or malfunction of systems that control this
infrastructure.'' \68\ The most current and previous versions of these
SDs are available on TSA's website.\69\
---------------------------------------------------------------------------
\67\ See <a href="https://www.tsa.gov/sd-and-ea">https://www.tsa.gov/sd-and-ea</a> (last accessed June 10,
2024). TSA issued these SDs under the specific authority of 49
U.S.C. 114(l)(2)(A).
\68\ National Security Memorandum on Improving Cybersecurity for
Critical Infrastructure Control Systems (July 28, 2021).
\69\ See supra note 67.
---------------------------------------------------------------------------
The first pipeline SD (the SD Pipeline-2021-01 series), issued on
May 27, 2021, required several actions to enhance the security of
critical pipeline systems \70\ against cybersecurity threats and
provided that owner/operators must: (1) designate a primary and
alternate Cybersecurity Coordinator; (2) report cybersecurity incidents
to CISA within 24 hours of identification of a cybersecurity incident;
\71\ and (3) review TSA's pipeline guidelines,\72\ assess their current
cybersecurity posture, and identify remediation measures to address the
vulnerabilities and cybersecurity gaps.\73\ For purposes of the SDs,
TSA defined a ``cybersecurity incident'' as ``an event that, without
lawful authority, jeopardizes, disrupts or otherwise impacts, or is
reasonably likely to jeopardize, disrupt or otherwise impact, the
integrity, confidentiality, or availability of computers, information
or communications systems or networks, physical or virtual
infrastructure controlled by computers or information systems, or
information resident on the system.'' The reports must (1) identify the
affected systems or facilities; and (2) describe the threat, incident,
and impact or potential impact on IT and OT systems and operations.
---------------------------------------------------------------------------
\70\ ``Critical pipeline systems'' are determined by TSA based
on risk.
\71\ As originally issued, the directive required notification
within 12 hours of identification. In May 2022, TSA revised this
requirement to require notification within 24 hours of
identification.
\72\ See section I.F. for more information on TSA's guidelines
for the pipeline owner/operators.
\73\ TSA may also use the results of assessments to identify the
need to impose additional security measures as appropriate or
necessary. TSA and CISA may use the information submitted for
vulnerability identification, trend analysis, or to generate
anonymized indicators of compromise or other cybersecurity products
to prevent other cybersecurity incidents.
---------------------------------------------------------------------------
The second pipeline SD (the SD Pipeline-2021-02 series), first
issued on July 19, 2021, required owner/operators to implement specific
mitigation measures to protect against ransomware attacks and other
known threats to IT and OT systems and conduct a cybersecurity
architecture design review. This SD also required owner/operators to
develop and adopt a cybersecurity incident response plan to reduce the
risk of operational disruption should their IT and/or OT systems be
affected by a cybersecurity incident.\74\
---------------------------------------------------------------------------
\74\ See <a href="https://www.tsa.gov/sites/default/files/sd_pipeline_2021-02b-non_ssi_06-06-2022.pdf">https://www.tsa.gov/sites/default/files/sd_pipeline_2021-02b-non_ssi_06-06-2022.pdf</a> (last accessed June 10,
2024) for a version of the SD with the prescriptive requirements.
---------------------------------------------------------------------------
In December 2021, TSA issued SDs to higher-risk freight railroads
(the SD 1580-21-01 series) and passenger rail and rail transit owner/
operators (the SD 1582-21-01 series), requiring that they also
implement the following requirements previously imposed on pipeline
systems and facilities: (1) designation of a Cybersecurity Coordinator;
(2) reporting of cybersecurity incidents to CISA within 24 hours; (3)
developing and implementing a cybersecurity incident response plan to
reduce the risk of an operational disruption; and (4) completing a
cybersecurity vulnerability assessment to identify potential gaps or
vulnerabilities in their systems. For owner/operators not specifically
covered under the SD 1580-21-01 or 1582-21-01 series, TSA also issued
an Information Circular (IC-2021-01), which included a non-binding
recommendation for those surface owner/operators not subject to the SDs
to voluntarily implement the same measures.\75\
---------------------------------------------------------------------------
\75\ See <a href="https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf">https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf</a> (last accessed Oct. 16, 2023).
---------------------------------------------------------------------------
In the year following issuance of the second pipeline SD, TSA
determined that its prescriptive requirements limited the ability of
owner/operators to adapt the requirements to their operational
environment and apply innovative alternative measures and new
capabilities. Because of the need to provide greater flexibility, TSA
revised this SD series, effective July 27, 2022 (SD Pipeline-2021-02C),
to maintain the security objectives in the previous versions of the SD
but also provide more flexibility by imposing performance-based, rather
than prescriptive, security measures. As revised, the SD allows covered
owner/operators to choose how
[[Page 88497]]
best to implement security measures for their specific systems and
operations while mandating that they achieve critical security
outcomes. This approach also affords these owner/operators the
ability to adopt new technologies and security capabilities as they
become available, if TSA's mandated security outcomes continue to be
met.
The current directive, most recently revised in July 2024,
specifically requires the covered owner/operators of critical pipeline
systems and facilities to take the following actions:
<bullet> Establish and implement a TSA-approved CIP that describes
the specific cybersecurity measures employed to protect Critical Cyber
Systems, as defined by the owner/operator, and the schedule for
achieving the security outcomes identified by TSA.
<bullet> Develop and maintain an up-to-date CIRP to reduce the risk
of operational disruption, or the risk of other business disruption, as
defined in the SD, should the IT and/or OT systems of a gas or liquid
pipeline or railroad be affected by a cybersecurity incident. The CIRP
must be exercised each year to test at least two objectives of the plan
and include personnel responsible for actions in the CIRP.
<bullet> Develop a CAP that describes how the owner/operator will
proactively, regularly, and completely assess the effectiveness of
cybersecurity measures in their CIP, and identify and resolve device,
network, and/or system vulnerabilities. This plan must be submitted to
TSA for approval and an annual report provided to TSA and corporate
leadership.
The CIP must identify how the owner/operators meet the following
primary security outcomes:
<bullet> Implement network segmentation policies and controls to
ensure that the OT system can continue to safely operate in the event
that an IT system has been compromised, or vice versa;
<bullet> Implement access control measures to secure and prevent
unauthorized access to critical cyber systems;
<bullet> Implement continuous monitoring and detection policies and
procedures to detect cybersecurity threats and correct anomalies that
affect critical cyber system operations; and
<bullet> Reduce the risk of exploitation of unpatched systems
through the application of security patches and updates for operating
systems, applications, drivers, and firmware on critical cyber systems
in a timely manner using a risk-based methodology.
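As an added illustration of the first of these outcomes (this is example code, not code from TSA, the NPRM, or any SD), the following Python script checks a constructed set of observed network flows and OT service dependencies for two conditions that would defeat segmentation: a direct IT-to-OT (or OT-to-IT) path that bypasses the DMZ, and an OT asset that depends on a service hosted in the IT zone and so could not keep operating while IT is isolated during incident response. Zone names, hostnames, ports and the line formats are hypothetical.

```python
"""IT/OT segmentation check (added example; not TSA's or the NPRM's own code).

Models the first CIP security outcome: the OT system must be able to keep
operating safely if an IT system is compromised, and vice versa.  Given a
constructed list of observed flows and a constructed list of OT service
dependencies, it reports:
  * direct IT<->OT flows that bypass the DMZ (a lateral-movement path), and
  * OT assets that depend on a service in the IT zone (OT could not run
    autonomously if IT were isolated during incident response).
Zone names, hostnames and ports are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass

ZONES = ("IT", "DMZ", "OT")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Dependency:
    asset: str          # OT asset that consumes the service
    service: str        # e.g. dns, ntp, historian
    provider: str       # host that provides the service
    provider_zone: str


def parse_flows(lines):
    """Parse 'src_zone,src,dst_zone,dst,dst_port' lines (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src_zone, src, dst_zone, dst, port = [p.strip() for p in line.split(",")]
        flows.append(Flow(src_zone, src, dst_zone, dst, int(port)))
    return flows


def parse_dependencies(lines):
    """Parse 'ot_asset,service,provider,provider_zone' lines (constructed format)."""
    deps = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asset, service, provider, zone = [p.strip() for p in line.split(",")]
        deps.append(Dependency(asset, service, provider, zone))
    return deps


def assess_segmentation(flows, deps):
    """Return findings as (kind, detail) tuples, flows first, then dependencies."""
    findings = []
    for f in flows:
        if f.src_zone not in ZONES or f.dst_zone not in ZONES:
            findings.append(("unknown-zone", f))        # asset-inventory gap
        elif {f.src_zone, f.dst_zone} == {"IT", "OT"}:
            # IT and OT may only talk through the DMZ; a direct path in either
            # direction is what a compromised host would use to move laterally.
            findings.append(("direct-it-ot-flow", f))
    for d in deps:
        if d.provider_zone == "IT":
            # OT must keep running while IT is compromised or cut off.
            findings.append(("ot-depends-on-it", d))
    return findings


def finding_counts(findings):
    """Count findings by kind."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample data (hypothetical hosts and zones).
SAMPLE_FLOWS = """
# src_zone,src,dst_zone,dst,dst_port
IT,hr-fileserver,DMZ,jump-host,22
DMZ,jump-host,OT,plc-controller-1,502
IT,eng-laptop-7,OT,plc-controller-1,502
OT,historian-mirror,IT,erp-db,1433
OT,hmi-2,OT,plc-controller-2,502
CORP,unknown-host,OT,plc-controller-2,44818
""".splitlines()

SAMPLE_DEPS = """
# ot_asset,service,provider,provider_zone
hmi-2,dns,corp-dns-1,IT
hmi-2,ntp,dmz-ntp,DMZ
plc-controller-1,historian,ot-historian,OT
""".splitlines()


if __name__ == "__main__":
    results = assess_segmentation(parse_flows(SAMPLE_FLOWS),
                                  parse_dependencies(SAMPLE_DEPS))
    for kind, detail in results:
        print(f"{kind}: {detail}")
    print(finding_counts(results))
```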
As noted above, in addition to developing and implementing a TSA-
approved CIP, this directive requires the covered owner/operators to
continually assess their cybersecurity posture. These owner/operators
must develop and update a CAP and submit an annual plan to TSA that
describes their program for the coming year, including details on the
processes and techniques that they would be using to assess the
effectiveness of cybersecurity measures. Techniques such as penetration
testing of IT systems and the use of ``red'' and ``purple'' team
(adversarial perspective) testing are referenced in the SD. At a
minimum, the CAP must include an architectural design review every 2
years. See section III.D.3. of this NPRM for additional discussion
regarding the CAP required by the SD.
The scope of the requirements in this directive applies to Critical
Cyber Systems. TSA defined a Critical Cyber System to include ``any IT
or OT system or data that, if compromised or exploited, could result in
operational disruption. Critical Cyber Systems include business
services that, if compromised or exploited, could result in operational
disruption.'' \76\
---------------------------------------------------------------------------
\76\ For purposes of this directive, ``operational disruption''
is defined as ``a deviation from or interruption of business
critical functions that results from a compromise or loss of data,
system availability, system reliability, or control of a TSA-
designated critical pipeline and rail system or facility.''
``Business critical functions'' is defined as the ``owner/operator's
determination of capacity to support functions necessary to meet
operational needs and supply-chain expectations.''
---------------------------------------------------------------------------
On October 18, 2022, TSA issued an SD imposing similar performance-
based cybersecurity requirements on higher-risk freight railroads and
passenger rail owner/operators (SD 1580/82-2022-01).\77\ This SD was
also developed with extensive input from industry stakeholders and
federal partners, including CISA and the FRA, to address issues unique
to the rail industry. This engagement included providing the industry
with a draft to review and comment upon and several meetings, including
technical roundtables with cyber experts within the industry, before
TSA issued the SD.
---------------------------------------------------------------------------
\77\ See <a href="https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf">https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf</a> (last accessed Oct. 19, 2022).
---------------------------------------------------------------------------
As TSA issued these directives under the statutory authority in 49
U.S.C. 114(l)(2) and intended the requirements to be in place for more
than 90 days, TSA sought TSOB review and ratification of the use of the
agency's emergency authorities. Table 2 provides the ratification dates
for each SD.
Table 2--TSOB Ratification Dates for TSA's SDs
----------------------------------------------------------------------------------------------------------------
SD series               Specific SD              Date of ratification   Federal Register citation
----------------------------------------------------------------------------------------------------------------
SD 1580-21-01           SD 1580-21-01            December 29, 2021      87 FR 31093 (May 23, 2022)
                        SD 1580-21-01A           November 16, 2022      88 FR 36921 TBD (June 6, 2023)
                        SD 1580-21-01B           November 22, 2023      TBD
SD 1582-21-01           SD 1582-21-01            December 29, 2021      87 FR 31093 (May 23, 2022)
                        SD 1582-21-01A           November 16, 2022      88 FR 36921 TBD (June 6, 2023)
                        SD 1582-21-01B           November 22, 2023      TBD
SD 1580/82-2022-01      SD 1580/82-2022-01       November 16, 2022      88 FR 36921 (June 6, 2023)
                        SD 1580/82-2022-01A      November 22, 2023      TBD
                        SD 1580/82-2022-01B      Superseded \78\        N/A
                        SD 1580/82-2022-01C      July 29, 2024          TBD
SD Pipeline-2021-01     SD Pipeline-2021-01      July 3, 2021           86 FR 38209 (July 20, 2021)
                        SD Pipeline-2021-01A     December 29, 2021      87 FR 31093 (May 23, 2022)
                        SD Pipeline-2021-01B     June 24, 2022          88 FR 36921 (June 6, 2023)
                        SD Pipeline-2021-01C     June 21, 2023          89 FR 28570 (April 19, 2024)
                        SD Pipeline-2021-01D     June 28, 2024          TBD
SD Pipeline-2021-02     SD Pipeline-2021-02      August 17, 2021        86 FR 52953 (Sept. 24, 2021)
                        SD Pipeline-2021-02B     January 13, 2022       87 FR 31093 (May 23, 2022)
                        SD Pipeline-2021-02C     August 19, 2022        88 FR 36921 (June 6, 2023)
                        SD Pipeline-2021-02D     August 24, 2023        89 FR 28570 (April 19, 2024)
[[Page 88498]]
                        SD Pipeline-2021-02E     August 23, 2024        TBD
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------
\78\ SD 1580/82-2022-01B, issued in May 2024, was superseded by
SD 1580/82-2022-01C before ratification by the TSOB.
---------------------------------------------------------------------------
2. TSA's Assessments, Guidelines, and Regulations Applicable to
Pipeline and Rail Systems
The Implementing Recommendations of the 9/11 Commission Act of 2007
(9/11 Act) \79\ requires certain actions to enhance surface
transportation security. The following two mandates are specifically
relevant to this rulemaking.
---------------------------------------------------------------------------
\79\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).
---------------------------------------------------------------------------
a. Pipeline Guidelines, Assessments, and Regulations
Section 1557(a) of the 9/11 Act requires a program to review
pipeline operator adoption of guidelines originally issued by the DOT
in 2002.\80\ TSA originally reviewed operators' adoption of the
Pipeline Security Information Circular, issued on September 5, 2002, by
DOT's Office of Pipeline Safety as the primary federal guideline for
industry security. TSA also reviewed operators' adoption of a
complementary document, the DOT-issued Pipeline Security Contingency
Planning Guidance of June 2002.
---------------------------------------------------------------------------
\80\ Id., as codified at 6 U.S.C. 1207(a).
---------------------------------------------------------------------------
Recognizing that the Security Circular required updating, TSA
initiated a process to amend the federal security guidance. These
revised guidelines were first developed in 2010 and 2011 in
collaboration with industry and government members of the Pipeline
Sector and Government Coordinating Councils and other industry
association representatives and included a range of recommended
security measures covering all aspects of pipeline operations.
Consistent with TSA's general authorities under ATSA and the
requirements in section 1557(d) of the 9/11 Act, the advancement of
security practices to meet the ever-changing threat environment in both
the physical and cyber security realms required that the guidelines be
updated again. Using a similar industry and government collaborative
approach, TSA updated the Pipeline Security Guidelines in 2018
(Pipeline Guidelines).\81\ As part of this update, TSA added Section 7,
``Pipeline Cyber Asset Security Measures,'' including pipeline cyber
asset identification; security measures for pipeline cyber assets; and
cybersecurity planning and implementation guidance.
---------------------------------------------------------------------------
\81\ See Pipeline Security Guidelines (Mar. 2018), with Change 1
(Apr. 2021), available at <a href="https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf">https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf</a> (last accessed Sept. 19, 2022).
---------------------------------------------------------------------------
Section 1557(b) also requires reviewing the pipeline security plans
and inspection of the most critical facilities for the 100 most
critical pipeline operators.\82\ The Pipeline Guidelines are used as
the standard for TSA's Pipeline Security Program Corporate Security
Reviews (CSRs) and Critical Facility Security Reviews (CFSRs) of the
most critical pipeline systems. The CSR program has been in effect
since 2003, during which time a total of approximately 260 CSRs have
been completed industry wide. Approximately 800 CFSRs have been
completed since this program's inception in 2009.
---------------------------------------------------------------------------
\82\ See 6 U.S.C. 1207(b).
---------------------------------------------------------------------------
Finally, section 1557(d) specifically authorizes the Secretary of
Homeland Security (Secretary) to issue regulations, as appropriate and
following consultation with the Secretary of Transportation on the
extent of risk and appropriate mitigation measures, and to issue
binding regulations and carry out necessary inspection and enforcement
actions.\83\ Such regulations would incorporate the 2002 guidelines and
contain additional requirements as necessary based upon results of the
inspections performed under section 1557(b). This section specifically
authorizes assessment of penalties against pipeline facilities and
systems for non-compliance.\84\ While TSA has had this authority since
2007, TSA has not determined it was necessary to exercise it until this
current rulemaking, which is intended to address the increasing
cybersecurity threat to pipeline facilities and systems.
---------------------------------------------------------------------------
\83\ See 6 U.S.C. 1207(d).
\84\ Id. TSA also has specific authority to enforce its security
regulations. See 49 U.S.C. 114(f)(7).
---------------------------------------------------------------------------
In addition, while the guidelines are available to all pipeline
facilities and systems, regardless of whether TSA has determined the
system is critical, TSA has not determined it is necessary to impose
cybersecurity requirements through its emergency authorities on the
full scope of pipeline owner/operators to which the guidelines are
issued.
Although this rulemaking would impose cybersecurity requirements on
certain pipeline owners and operators and subject such entities to
inspections for compliance, TSA would continue to conduct voluntary
security assessments in areas where mandatory requirements do not exist
(e.g., the physical security measures recommended in the guidelines) as
part of a ``structured oversight'' approach. This approach assesses and
provides feedback on voluntary implementation of cybersecurity
recommendations for systems not covered by this proposed rule. These
assessments would continue TSA's approach of working with the industry
to determine the industry's voluntary adoption and adherence to non-
regulatory guidelines, including Security Action Items and other
security measures developed jointly with, and agreed to by, industry
stakeholders to meet relevant security needs.\85\ As part of these
assessments, TSA provides recommendations to owner/operators and
identifies resources to support them in voluntarily enhancing their
physical security and cybersecurity baseline.
---------------------------------------------------------------------------
\85\ For additional information on TSA's resources and surface
transportation security initiatives, see TSA's website at: <a href="https://www.tsa.gov/for-industry/resources">https://www.tsa.gov/for-industry/resources</a> (last accessed Aug. 30, 2023).
---------------------------------------------------------------------------
b. Regulating Railroads, Public Transportation Systems, and OTRBs
In 2008, TSA promulgated regulations imposing security requirements
on owner/operators of freight railroads, rail transit systems,
including passenger rail and commuter rail, heavy rail transit, light
rail transit, automated guideway, cable car, inclined plane, funicular,
and monorail systems. This regulation, in pertinent part, covers
appointment of security coordinators and security-related reporting
requirements. For freight railroads, the 2008 rule also imposed
requirements for the secure transport of Rail Security-Sensitive
Materials.\86\
---------------------------------------------------------------------------
\86\ See Rail Transportation Security Final Rule (Rail Security
Rule), 73 FR 72130 (Nov. 26, 2008).
---------------------------------------------------------------------------
In addition to measures to enhance pipeline security, the 9/11 Act
required other regulations to enhance surface transportation security.
On March 23, 2020, consistent with these requirements, TSA published
the final rule, ``Security Training for Surface
[[Page 88499]]
Transportation Employees.'' \87\ This regulation requires owner/
operators of higher-risk freight railroad carriers (as defined in 49
CFR 1580.101), public transportation agencies (including rail mass
transit and bus systems and passenger railroad carriers, as defined in
49 CFR 1582.101), and OTRB companies (as defined in 49 CFR 1584.101),
to provide TSA-approved security training to employees performing
security-sensitive functions. In addition to implementing these
provisions, the final rule also expanded the requirement for security
coordinators and reporting of significant security concerns to apply to
OTRB and bus-only public transportation agencies, and defined
Transportation Security-Sensitive Materials.\88\
---------------------------------------------------------------------------
\87\ 85 FR 16456.
\88\ See secs. 1512 and 1531 of the 9/11 Act, as codified at 6
U.S.C. 1162 and 1181, respectively, for security coordinator
requirements. See sec. 1501(13) of the 9/11 Act, as codified at 6
U.S.C. 1151(13), for requirement to define ``Transportation Security
Sensitive Materials.''
---------------------------------------------------------------------------
The 9/11 Act also requires regulations for higher-risk public
transportation agencies, railroads, and OTRB owner/operators to develop
security plans to address specific security issues and vulnerabilities
identified during an assessment of specific systems, infrastructure,
and capabilities.\89\ TSA published an advance notice of proposed
rulemaking (ANPRM) in December 2016 seeking comment on specific issues
related to the 9/11 Act's requirements for a regulation to address
vulnerability assessments and security plans.\90\ Through this ANPRM,
TSA solicited information on the extent to which owner/operators of
freight railroads, PTPR systems, and OTRBs had taken actions consistent
with those prescribed by the 9/11 Act for vulnerability assessments and
security plans, what resources they used to support these actions, and
information on implementation costs. Given the passage of time and
different scope of this rulemaking, TSA has established a new docket
for this rulemaking and advises commenters on the 2016 ANPRM to submit
comments on this NPRM if they wish for their views to be addressed in a
final rule.
---------------------------------------------------------------------------
\89\ See secs. 1405 and 1512 of the 9/11 Act, as codified at 6
U.S.C. 1134 and 1162, respectively; see also section 1531, as
codified at 6 U.S.C. 1181 (which imposes similar requirements for
OTRBs).
\90\ See 81 FR 91401 (Dec. 16, 2016).
---------------------------------------------------------------------------
While the requirements in this proposed rule would not address all
elements of vulnerability assessments and security plans stipulated in
the 9/11 Act, they would address the 9/11 Act's requirements as they
relate to the IT and OT systems used by high-risk freight railroads and
PTPR systems. For example, the 9/11 Act requires identification and
evaluation of critical systems, including information systems,\91\
plans for providing redundant and backup systems needed to ensure
continued operations in the event of a cybersecurity incident, and
identification of the vulnerabilities to these systems.\92\ The
vulnerability assessment requirements applicable to higher-risk rail
carriers must also identify strengths and weaknesses in (1)
programmable electronic devices, computers, or other automated systems
used in providing transportation; (2) alarms, cameras, and other
protection systems; (3) communications systems and utilities needed for
railroad security purposes, including dispatching and notification
systems; and (4) other matters determined appropriate by the
Secretary.\93\ For security plans, the statute requires regulations
that address, among other things, actions to mitigate identified
vulnerabilities, the protection of passenger communication systems,
emergency response, ensuring redundant and backup systems are in place
to ensure continued operation of critical elements of the system in the
event of a terrorist attack or other incident, and other actions or
procedures as the Secretary determines are appropriate to address the
security of the public transportation system or the security of
railroad carriers, as appropriate.\94\ The provisions proposed in this
NPRM would satisfy such requirements as they relate to cybersecurity in
high-risk public transportation agencies and railroads.
---------------------------------------------------------------------------
\91\ See secs. 1405(a)(3) and 1512(d)(1)(A) of the 9/11 Act, as
codified at 6 U.S.C. 1134(a)(3), 1162(d)(1)(A), respectively.
\92\ See id. at secs. 1405(c)(2), 1512(d)(1)(D), and
1512(e)(1)(G), as codified at 6 U.S.C. 1134(c)(2), 1162(d)(1)(D),
1162(e)(1)(G), respectively.
\93\ See id. at sec. 1512(d), as codified at 6 U.S.C. 1162(d).
\94\ See id. at secs. 1405(c)(2) and 1512(e), as codified at 6
U.S.C. 1134(c)(2), 1162(e), respectively. Only one commenter on the
ANPRM specifically addressed the inclusion of IT and OT systems for
purposes of vulnerability assessments and security planning. See
TSA-2016-0002-0013, available at <a href="https://www.regulations.gov">https://www.regulations.gov</a> under
Docket No. TSA-2016-0002. This commenter indicated that, at the time
of the comment, the Rail Information Security Committee of the
Association of American Railroads focuses on cybersecurity and the
``industry's physical and cyber security committees annually conduct
risk assessments using ``relevant security information'' from a
variety of resources. As part of this effort, they evaluate specific
information technology and communication assets. They also indicated
that the industry emphasizes analysis of cyber incidents and sharing
information with railroads.
---------------------------------------------------------------------------
In short, the 9/11 Act provisions described above contain a
combination of detailed requirements regarding vulnerability
assessments and the content of security plans. Each of these provisions
confirms and supplements TSA's authority to impose such requirements as
are appropriate or necessary to ensure the security of the
transportation system. TSA would issue the proposed rule pursuant to
and consistent with its general authorities and the 9/11 Act's
requirements.
C. References
1. National Cybersecurity Strategy
In March 2023, the Biden-Harris Administration released the
National Cybersecurity Strategy.\95\ This strategy includes the
following five pillars identified as critical for building and
enhancing the collaboration necessary to strengthen the nation's
cybersecurity posture to protect infrastructure critical to national
security and the economy: (a) defend critical infrastructure; (b)
disrupt and dismantle threat actors; (c) shape market forces to drive
security and resilience; (d) invest in a resilient future; and (e)
forge international partnerships to pursue shared goals.
---------------------------------------------------------------------------
\95\ See supra note 12.
---------------------------------------------------------------------------
Consistent with this strategy, TSA is proposing a performance-based
regulation for cybersecurity that builds on the NIST CSF and uses the
CISA CPGs as guardrails to ensure prioritization of those measures most
critical for establishing a common baseline to reduce known risks to
national security and the economy.\96\ The following provides a high-
level overview of the NIST CSF and the CISA CPGs. A table that aligns
these two documents with the proposed requirements in this NPRM is
available in the docket for this rulemaking.
---------------------------------------------------------------------------
\96\ Id. at 8-9.
---------------------------------------------------------------------------
2. NIST Cybersecurity Framework
Executive Order (E.O.) 13636 of February 12, 2013 (Improving
Critical Infrastructure Cybersecurity), directed NIST to develop a
voluntary framework to reduce cyber risks to critical
infrastructure.\97\ This framework, created in collaboration between
industry and government, consists of standards, guidelines, and
practices to promote the protection of critical infrastructure. The
recommendations in the framework are intended to provide a prioritized,
flexible, repeatable, and cost-effective approach to manage
cybersecurity-related risks. The framework is not a regulatory document
in that it is written as recommendations
[[Page 88500]]
and is not enforceable. The recommendations are also extensive and may
not be applicable to every business or context. NIST is currently in
the process of reviewing and revising the Cybersecurity Framework. For
purposes of this rulemaking, TSA has relied on Version 1.1 of April 16,
2018.
---------------------------------------------------------------------------
\97\ Published at 78 FR 11737 (Feb. 19, 2013). The Cybersecurity
Enhancement Act of 2014, Public Law 113-274, 128 Stat. 2971, 2972-
73, subsequently formalized the requirements in the E.O. into
statutory requirements for NIST.
---------------------------------------------------------------------------
The NIST CSF is a comprehensive resource for developing a
cybersecurity program for any business. The framework
generally includes the following key steps: (a) understanding the
business's current cybersecurity posture by scoping the Organizational
Profile; (b) gathering information needed to prepare the Organizational
Profile, i.e., defining a target state, which should be informed by
standards and applicable regulations; (c) creating an Organizational
Profile that identifies and prioritizes opportunities for improving
within the context of continuous and repeatable processes; (d)
analyzing the gaps between current state and the Target Profile, and
creating an action plan to address any identified gaps, including a
Plan of Action and Milestones; and (e) implementing the action plan and
updating the Organizational Profile as necessary to keep the
organization moving towards the target.\98\ These steps are part of an
iterative cycle that should also consider opportunities for documenting
and communicating the organization's cybersecurity capabilities and
known opportunities for improvement with external stakeholders,
including business partners, prospective customers, suppliers, and
other third parties.\99\
---------------------------------------------------------------------------
\98\ See supra note 13 at 7.
\99\ Id.
---------------------------------------------------------------------------
There are currently six core functions to the framework: govern,
identify, protect, detect, respond, and recover. NIST recommends that
all these functions be addressed concurrently as they all have vital
roles related to cybersecurity.\100\ Within each of these functions,
there are multiple recommendations. Finally, the framework identifies
several framework tiers in ascending order of cybersecurity maturity.
The first and lowest tier, ``Partial,'' recognizes an ad hoc, reactive,
and irregular approach to cybersecurity that is driven by case-by-case
responses in an environment that fails to identify clear roles and
responsibilities for cybersecurity. The next tier, ``Risk Informed,''
has a cybersecurity program that is approved by management but may not
be known organization wide. While there may be an awareness of risk at
certain levels within the organization, the company lacks an
organization-wide process to manage risks and doesn't fully recognize
both dependencies and dependents that could be affected by insufficient
cybersecurity.
---------------------------------------------------------------------------
\100\ Id. at 5.
---------------------------------------------------------------------------
As companies mature in developing and implementing cybersecurity
measures, they should be moving to a ``Repeatable'' tier. In this tier,
processes are formally approved and are known and communicated
organization wide. There is an organization-wide approach to managing
risks, consistent methods are in place for cybersecurity policies,
individuals within the company know their roles and responsibilities
for cybersecurity, and the company is aware of dependencies and
dependents. The top tier, ``Adaptive,'' applies to companies that have
implemented predictive, advanced technologies to address cybersecurity.
In this tier, cybersecurity risks inform corporate decisions, and the
company understands its role in the larger ecosystem and contributes to
a broadening understanding of cybersecurity in its business
environment. As part of this understanding, the company has a strong
supply chain understanding and program to manage cybersecurity risks
within the supply chain based on dependencies and dependents.
3. CISA Cross-Sector Cybersecurity Performance Goals
CISA developed the CPGs as directed by the National Security
Memorandum on Improving Cybersecurity for Critical Infrastructure
Control Systems (signed July 28, 2021). The CISA CPGs can be read as a
prioritized subset of the NIST CSF framework that critical
infrastructure owners and operators can implement to meaningfully
reduce the likelihood and impact of known risks and adversary
techniques. As with the NIST CSF, the CISA CPGs are voluntary. Unlike
the NIST CSF, the CISA CPGs are not intended to be comprehensive.
Aligned with the NIST CSF, the CISA CPGs supplement that framework by
supporting businesses in prioritizing cybersecurity measures critical
for establishing a baseline of cybersecurity across critical
infrastructure that emphasizes measures based on their demonstrated
ability to reduce known risks. The prioritization used in the CISA CPGs
goes beyond consideration of risks to specific entities and considers
the aggregate risk to the nation of cybersecurity incidents on critical
sectors. The recommendations in the CISA CPGs align with the six core
functions of the NIST CSF identified above.
4. TSA Advance Notice of Proposed Rulemaking
On November 30, 2022, TSA published an ANPRM to provide an
opportunity for interested individuals and organizations, particularly
higher-risk pipeline and rail (including freight, passenger, and
transit rail) operations, to help TSA develop a comprehensive and
forward-looking approach to surface cybersecurity requirements. The
ANPRM also solicited input from the industry associations representing
these companies, third-party cybersecurity subject matter experts, and
insurers and underwriters for cybersecurity risks for these
transportation sectors.\101\
---------------------------------------------------------------------------
\101\ See Enhancing Surface Cyber Risk Management, 87 FR 73527
(Nov. 30, 2022). Through a subsequent notice, TSA extended the
comment period from January 17, 2023, to February 1, 2023. See 87 FR
78911 (Dec. 23, 2022).
---------------------------------------------------------------------------
TSA received comments from 35 commenters in response to the ANPRM,
with almost 600 specific issues raised by the commenters, which
included major trade associations and individuals.\102\ Most comments
received fell into a few general categories: (1) general support; (2)
emphasis on the need for regulatory harmonization and performance-based
regulation; and (3) comments on core elements, particularly comments
related to training, supply chain, and third-party assessors. Some
comments opposed potential regulation at this time, suggesting that
voluntary measures are currently sufficient, and that TSA should wait
for other standards (such as the CISA CPGs) to further mature. TSA
considered all comments received. The following provides a high-level
summary of the comments.
---------------------------------------------------------------------------
\102\ Comments may be viewed in the docket for this rulemaking,
TSA-2022-0001, at <a href="https://www.regulations.gov">https://www.regulations.gov</a>. The American Gas
Association, American Fuel and Petrochemical Manufacturers,
Association of American Railroads, American Short Line and Regional
Railroad Association, American Public Transportation Association,
Airlines for America, Liquid Energy Pipeline Association, Interstate
Natural Gas Association, American Petroleum Institute, and AFL-CIO
Transportation Trades Division were among the major trade
associations that submitted comments.
---------------------------------------------------------------------------
a. General Support and Need for Regulatory Harmonization and
Performance-Based Regulation
The industry comments generally supported a regulation that builds
upon the previously issued SDs. Many commenter groups complimented
TSA's current performance-based directives, which provide owner/
operators the flexibility to determine how to implement cybersecurity
protocols to achieve the desired outcomes. Furthermore, they emphasized
how
[[Page 88501]]
adaptive CRM programming would enable regulated parties to--
<bullet> Assess known and potential system and environment
vulnerabilities;
<bullet> Assess the likelihood and potential operational and
financial impacts of a threat actor leveraging vulnerabilities to cause
a cybersecurity incident;
<bullet> Develop a regular cadence of reassessing risk factors and
recalculating risk; and
<bullet> Implement and monitor the effectiveness of appropriate
mitigating controls to reduce the probability or impact of an attack.
A recurring theme in the ANPRM comments focused on encouraging TSA
to use existing standards as a reference (e.g., the NIST CSF, the CISA
CPGs, and the North American Electric Reliability Corporation (NERC)
Critical Infrastructure Protection (CIP) standards \103\) and
collaborate with other Federal agencies to harmonize cybersecurity
requirements. Several respondents recommended that TSA facilitate a
cross-government group composed of State and Federal agencies that
would meet regularly (e.g., monthly stakeholder calls or ongoing TSA-
led briefings to relevant sector coordinating officials) as well as
develop common lexicons between these entities before issuing
requirements.
---------------------------------------------------------------------------
\103\ The NERC CIP standards are reliability standards for
operators of the bulk electric system (BES). A small number of
companies have both pipeline and BES business units. TSA is aware
that when the agency transitioned from prescriptive security
requirements in the first iteration of SD Pipeline-2021-02 to the
performance-based requirements, some owner/operators subject to both
the TSA and NERC requirements incorporated applicable measures into
their implementation plans. TSA would continue to provide that
flexibility with this proposed rule, to the extent that specific
measures meet the performance standards identified in the proposed
rule. TSA welcomes comments on any conflicts or divergences that TSA
should take account of as part of this rulemaking.
---------------------------------------------------------------------------
b. Core Elements
In the ANPRM, TSA sought comment on the following 11 core elements
for a CRM program:
<bullet> Designation of an individual responsible for
cybersecurity;
<bullet> Access controls;
<bullet> Vulnerability assessments;
<bullet> Penetration testing, drills, and exercises;
<bullet> Technical security controls;
<bullet> Physical security controls;
<bullet> Incident response planning & operational resilience;
<bullet> Incident reporting and information sharing;
<bullet> Personnel training & awareness;
<bullet> Supply chain/third-party risk management; and
<bullet> Recordkeeping and documentation.
While TSA reviewed all of the comments received, we also note that
many of the comments reiterated issues raised in discussions with
industry post-issuance of the SDs discussed above. The comments,
however, also included three issues of particular interest to TSA as
they applied to requirements included in this proposed rule that were
not specifically in the SDs: employee cyber training, supply chain/
third-party vendors, and third-party assessors.
c. Training
Many comments referenced or addressed workforce cyber training.
Commenters acknowledged that security training is a critical component
of overall organizational security and compliance. While generally
supportive of the requirement, one of the industry commenters
recommended against establishing ``specific training requirements,''
noting that specific training needs should be based on an
organization's particular operating environment as well as the costs
associated with a cybersecurity incident.
d. Supply Chain
The National Cybersecurity Strategy (March 2023) identifies the
criticality of a secure global supply chain for information,
communications, and OT products and services.\104\ Consistent with this
prioritization, DHS identified supply chain and third-party service
provider risk management as a core element for DHS cybersecurity
regulations. A majority of comments mentioned or addressed supply chain
issues. Many commenters discussed their efforts to establish a common
understanding with vendors and third parties through cybersecurity
contract provisions regarding notifications of product vulnerability,
access to security patches, notifications of cybersecurity incidents,
etc. One association specifically noted that a number of pipeline
operators are working with DHS to develop improved ways to facilitate
conversations on security between vendors and operators.
---------------------------------------------------------------------------
\104\ See National Cybersecurity Strategy, supra note 12, at 32.
---------------------------------------------------------------------------
e. Third-Party Assessors
The concept of third-party assessors was the topic of a significant
number of comments. In general, commenters opposed requiring owners and
operators to conduct assessments using third-party validators.
Commenters considered such a requirement to be shifting costs from the
government to the regulated parties. Companies within the different
surface sub-sectors have varying degrees of capability and capacity to
adopt cybersecurity standards. For example, one association indicated
that they proactively conduct security control assessments of third
parties and include them in response and recovery plans and exercises.
Others, however, indicated they lack the capability and resources to
use third-party assessors.
5. Regulatory Harmonization
As noted by the Office of the National Cyber Director (ONCD) in an
August 2023 Request for Information,\105\ the National Cybersecurity
Strategy \106\ calls for establishing cybersecurity regulations to
secure critical infrastructure where existing measures are
insufficient, harmonizing and streamlining new and existing
regulations, and enabling regulated entities to afford to achieve
security.
---------------------------------------------------------------------------
\105\ See 88 FR 55694 (Aug. 16, 2023).
\106\ See supra note 12.
---------------------------------------------------------------------------
TSA emphasizes its commitment to regulatory harmonization and
streamlining, and notes that this proposed rule, which is grounded in
NIST's Framework for Improving Critical Infrastructure Cybersecurity,
NIST's standards and best practices, and the CISA CPGs, is consistent
with such priorities. TSA also acknowledges the ongoing rulemakings of
other DHS components, including ongoing rulemakings on cybersecurity in
maritime transportation and implementation of CIRCIA. Finally, TSA
notes that this proposed rule follows several years of implementation
of TSA's SDs. As noted in TSA's information collection requests for the
SDs, TSA has not identified any other duplicative requirements for the
cybersecurity mitigation measures required by the SDs and received no
comments regarding duplication in response to notices published in the
Federal Register.\107\
---------------------------------------------------------------------------
\107\ See OMB Approval No. 1652-0074 (Cybersecurity Measures for
Surface Modes), approved through Aug. 31, 2026; and OMB Approval No.
1652-0056 (Pipeline Corporate Security Reviews and Security
Directives), approved through Feb. 28, 2026; and OMB Approval No.
1652-0050 (Critical Facility Information of the Top 100 Most
Critical Pipelines), approved through Mar. 31, 2026. One commenter
noted that TSA's SDs require reporting within 24 hours while the
CIRCIA proposed rule requires reporting within 72 hours. This issue
is discussed infra in section III.D.2.f. of this proposed rule.
---------------------------------------------------------------------------
TSA's experience in imposing cybersecurity requirements to date, as
well as feedback from the owner/operators subject to those
requirements, indicates that complete harmonization
[[Page 88502]]
is not possible. Even within the transportation sector, there are modal
operational issues, different physical controls by other agencies that
support defense-in-depth measures, as well as other factors that must
be considered. For example, SD-Pipeline-2021-02 recognizes that the
need to provide ready access to industrial control workstations in
controls rooms may make a requirement for multi-factor authentication
(MFA) inadvisable. TSA allows owner/operators to rely on compensating
controls used to meet control room requirements issued by
PHMSA.\108\ Similarly, TSA provides an allowance for alternatives to
encryption for certain systems used by railroads \109\ and recognizes
compliance with FRA's requirements to address access to PTC system
components in locomotives.\110\
---------------------------------------------------------------------------
\108\ See SD-Pipeline-2021-02 at Section III.C.2.
\109\ See SD-1580/82-2022-01 at Section III.B.2.b.
\110\ See id. at III.C.6.
---------------------------------------------------------------------------
While TSA believes differences in cybersecurity requirements may be
intentional based on sector-specific distinctions, TSA welcomes
comments on opportunities to harmonize and streamline regulations where
feasible and appropriate.
III. Proposed Rule
A. Rule Organization
This rule proposes changes to the requirements applicable to owner/
operators of freight railroads, PTPR, and OTRBs in subchapter D of
title 49 CFR, subtitle B, chapter XII. The rule also proposes to add a
new part 1586 to this subchapter, which would impose requirements
applicable to owner/operators of specific pipeline facilities and
systems.
To facilitate implementation of these requirements, TSA is
proposing to significantly revise subchapter D. Some of these revisions
are technical revisions to consolidate previously imposed procedures or
requirements or to align procedures for security programs with TSA's
existing processes for aviation. TSA believes consolidating procedural
and general requirements in part 1570, while providing consolidated
modal-specific requirements in modal-specific parts, would make it
easier for owner/operators to identify and implement the proposed
requirements. TSA is also proposing revisions to terms in part 1500
that are used in multiple provisions in chapter XII of title 49, and
revisions to part 1520 to ensure information required by the revisions
to subchapter XII is protected as SSI, as applicable.
1. Cybersecurity Requirements
The most significant proposed revision to TSA's regulations is the
addition of requirements for higher-risk owner/operators of freight
railroads, PTPR, and pipeline facilities and systems to have a
comprehensive CRM program. These proposed requirements are found in new
subpart D of part 1580 (applicable to freight railroads), subpart C of
part 1582 (applicable to PTPR), and subpart C of part 1586 (applicable
to pipeline facilities and systems). This proposed rule would also add
a requirement in subpart B of part 1584 for higher-risk OTRB owner/
operators to report cybersecurity incidents but would not impose the
comprehensive CRM program requirements on this mode.
2. Physical Security Requirements
Through this rulemaking, TSA is proposing to distinguish between
physical security and cybersecurity. TSA is proposing to move the
requirements currently in subchapter D related to designating a
security coordinator and reporting significant security concerns to
revised subparts B within parts 1580, 1582, and 1584, respectively. These revised subparts B
would contain security program requirements primarily focused on
physical security. TSA also proposes to apply these same requirements
to pipeline facilities and systems through the new part 1586. Appendix
A to part 1570, which identifies types of significant security concerns
to be reported, would be removed from part 1570 and repeated in parts
1580, 1582, 1584, and 1586.
As incorporated into this proposed subpart, TSA is proposing to
clarify that the security coordinator(s) currently required by Sec.
1570.201 must be a U.S. citizen. This requirement is consistent with
the 9/11 Act \111\ and advances TSA's need to ensure that the agency
can rapidly share sensitive information with the owner/operator that
may be critical to ensure appropriate actions are taken to address
emerging threats. As provided in the 9/11 Act, TSA may waive the
citizenship requirement for the security coordinator(s) if the
individual successfully completes a STA.\112\
---------------------------------------------------------------------------
\111\ See secs. 1512(e)(2) and 1531(e)(2) of the 9/11 Act, as
codified at 6 U.S.C. 1162(e)(2) and 1181(e)(2), respectively.
\112\ Id.
---------------------------------------------------------------------------
In addition, the value of the security coordinator position is
significantly impeded if there is not an individual in place who can
receive sensitive information. Therefore, TSA is requiring that
security coordinators (primary and alternate) must be U.S. citizens
who can receive sensitive information unless waived by TSA. At this
time, TSA only anticipates one possible situation where a waiver would
be granted: if one of the Security Coordinators is a U.S. citizen
(primary or alternate), TSA may grant a waiver for the requirement as
applied to the other Security Coordinator. From the agency's
perspective, the purpose of the citizenship requirement is to ensure
each covered owner/operator has a designated point of contact for
receiving critical threat information, including intelligence
information that cannot be shared with foreign citizens. TSA is
assuming that owner/operators would ensure that if the security
coordinator on duty is not cleared to receive certain information, that
individual would promptly notify the security coordinator or other
appropriate individual who has the required clearances. Both the
primary and alternate Security Coordinators would be required to
successfully complete an STA before TSA would consider a waiver.
TSA is also proposing to move any procedures or requirements
applicable to training of security-sensitive employees \113\ currently
in 49 CFR 1570.101-1570.111, and 1570.121 to the applicable modal
sections. Within the modal requirements, TSA is proposing to
consolidate the existing security training requirements into one
section for each mode. None of the requirements would be changed as a
result of this restructuring. Finally, the title of subpart C of part
1580, which includes chain of custody requirements applicable to the
freight rail system, would be changed from ``Operations'' to ``Security
of Rail Security Sensitive Materials'' without any revisions to the
requirements in this subpart.
---------------------------------------------------------------------------
\113\ See Sec. Sec. 1580.3, 1582.3, and 1584.3 for definitions
of ``security-sensitive employees'' as applied to freight railroads,
PTPR, and OTRB, respectively.
---------------------------------------------------------------------------
Physical security encompasses threats to physical infrastructure
that could affect the safety and security of people, cargo, and
infrastructure. The definition for physical security in this NPRM
includes measures that provide for the security of systems and
facilities, as well as the persons in areas in or near to operations
that could have their safety and security threatened by an attack on
physical systems and assets. Examples include rail cars, stations,
pipelines, terminals, buses, etc. Cybersecurity is also critical for
protecting the safety and security of people, cargo, and
infrastructure, but
[[Page 88503]]
the actions taken to prevent cybersecurity incidents are intended to
protect computers, electronic communications systems and services, wire
communications, and electronic communications, including information
contained on these systems, services, and capabilities.\114\
---------------------------------------------------------------------------
\114\ This explanation of cybersecurity is consistent with
common understanding as reflected in the NIST Glossary, available at
<a href="https://csrc.nist.gov/glossary/term/cybersecurity">https://csrc.nist.gov/glossary/term/cybersecurity</a> (last accessed
July 6, 2023).
---------------------------------------------------------------------------
It is important to recognize that there is not a bright line
between physical and cybersecurity. A comprehensive defense-in-depth
plan includes both physical and cybersecurity controls to protect IT
and OT systems. For example, someone could use physical capabilities to
damage an IT or OT system or thwart ineffective physical access
controls to a building or floor in order to gain access to a Critical
Cyber System. Similarly, physical security controls may be used to
augment cybersecurity measures. Although TSA is distinguishing between
Physical Security Coordinators and Cybersecurity Coordinators, we
encourage these individuals to work together and communicate to ensure
a comprehensive approach to both physical and cybersecurity.
3. General Procedures for Security Programs, SDs, and Information Circulars
Through this rulemaking, TSA is also proposing to revise procedures
in part 1570 related to security programs. When TSA promulgated the
Security Training for Surface Transportation Employees final rule in
2020,\115\ the rule text incorporated specific security program
requirements. This structure reflected the limited scope of the
requirements applicable to multiple modes of transportation. To
accommodate the proposed addition of the cybersecurity requirements,
TSA proposes to separate security training requirements, as discussed
above, into the modal-specific parts and to incorporate general
security program requirements that are consistent with the requirements
applicable to aviation security programs. These changes, discussed in
more detail in section III.F.1. of this preamble, would better ensure
consistency across TSA's regulatory requirements. Table 3 provides a
distribution table for these changes and those discussed above related
to physical security requirements. TSA welcomes comment on the
distribution table and whether any of the proposed changes might have
unintended effects on existing requirements.
---------------------------------------------------------------------------
\115\ See supra note 87.
Table 3--49 CFR Chapter XII, Subchapter D, Distribution Table
------------------------------------------------------------------------
Former section                New section
------------------------------------------------------------------------
1570.107..................... 1580.113(k), 1582.113(k), and
                              1584.113(k).
1570.109(b).................. 1580.113(h); 1582.113(h), and
                              1582.114(h).
1570.109(c)(1)............... 1570.107(a)(1).
1570.109(c)(2) and (3)....... 1570.107(a)(2)(i) and (ii).
1570.109(g).................. 1570.107(a)(2)(iii).
1570.111(a).................. 1580.113(i); 1582.113(i); and
                              1584.113(i).
1570.111(b).................. 1580.113(j); 1582.113(j), and
                              1584.113(j).
1570.111(c).................. 1570.111.
1570.113(b)(e)............... 1570.107(b).
1570.113(c) and (d).......... 1570.107 (amendment process); and
                              1580.113(o), 1582.113(o), and
                              1584.113(o) (physical security training
                              specific requirements).
1570.113(f).................. 1570.107(b).
1570.113(g).................. 1570.107(f).
1570.115(a)-(b).............. 1570.107(d).
1570.115(c).................. 1570.107(e).
1570.117..................... 1570.109 (narrow alternative process for
                              seasonal or infrequent operations);
                              1570.203 (provides alternate measures
                              for purposes of requirements in Security
                              Directives).
1570.119..................... 1570.107(f).
1570.121..................... 1570.117 (general requirements); and
                              1580.113(l) and (m), 1582.113(l) and (m),
                              and 1584.113(l) and (m) (physical
                              security training specific
                              requirements).
1570.201..................... 1580.103, 1582.103, and 1584.103.
1570.203..................... 1580.105, 1582.105, and 1584.105.
Part 1570, appendix A........ Part 1580, appendix C; part 1582,
                              appendix C; and part 1584, appendix C.
1580.101..................... 1580.113(a).
1580.113(b)(1)-(5) and (7-9). 1580.113(d).
1580.113(b)(6)............... 1580.113(e).
1580.113(c).................. 1580.113(g).
1580.115(a).................. 1580.113(b).
1580.115(c).................. 1580.113(c).
1580.115(c)-(f).............. 1580.113(f).
1582.101..................... 1582.113(a).
1582.113(b)(1)-(5) and (7-9). 1582.113(d).
1582.113(b)(6)............... 1582.113(e).
1582.113(c).................. 1582.113(g).
1582.115(a).................. 1582.113(b).
1582.115(c).................. 1582.113(c).
1582.115(c)-(f).............. 1582.113(f).
1584.113(b)(1)-(5) and (7-9). 1584.113(d).
1584.113(b)(6)............... 1584.113(e).
1584.113(c).................. 1584.113(g).
1584.115(a).................. 1584.113(b).
1584.115(c).................. 1584.113(c).
1584.115(c)-(f).............. 1584.113(f).
------------------------------------------------------------------------
[[Page 88504]]
4. Relation to Other Rulemakings
TSA has other rulemakings that may reference subparts or sections
contained in this proposed rule. Specifically, in the Vetting of
Certain Transportation Employees NPRM, TSA has proposed to add vetting
requirements as Subpart D of part 1580, Subpart C of part 1582, and
Subpart C of part 1584.\116\ In this rule, we are proposing to add CRM
requirements in two of the same subparts, and are proposing to revise
other provisions that are cross-referenced in the Vetting of Certain
Surface Transportation Employees NPRM.\117\ Although the substance of
the two proposals does not conflict, the numbering and paragraph
designations conflict in some cases. TSA will ensure all subparts and
sections are deconflicted and consistent before any rules are
finalized.
---------------------------------------------------------------------------
\116\ See supra note 17.
\117\ Id.
---------------------------------------------------------------------------
B. Terms
1. General Terms
Consistent with the proposed rule's organization, TSA includes
proposed definitions for terms relevant to several subchapters of TSA
regulations, beyond the requirements of subchapter D, in part 1500.
Terms relevant to several parts of subchapter D would be added to Sec.
1570.3. Terms uniquely relevant to each mode would be included in the
relevant parts (part 1580 (freight), part 1582 (PTPR), part 1584
(OTRB), and part 1586 (pipeline facilities and systems)).
Most of the definitions are derived from existing federal
regulatory programs, particularly programs administered by DOT. A few
definitions are based on industry sources. TSA's purpose is to use
definitions with which regulated parties are familiar, to the extent
that the definitions are consistent with the purposes of this NPRM.
Where no existing definition is appropriate, TSA's subject matter
experts developed the definition based upon the generally accepted and
known use of terms within each of the modes subject to this proposed
regulation. Table 4 provides additional information on the terms that
would be added to TSA's regulations.
Table 4--Explanation of Proposed Terms and Definitions in Subchapter XII of Title 49
----------------------------------------------------------------------------------------------------------------
Part: Summary of change
    Explanation
----------------------------------------------------------------------------------------------------------------
Part 1500: Propose adding definition of ``carbon dioxide''.
    This term is used in proposed sections regarding pipeline applicability
    in part 1586. Owner/operators of control rooms within this definition
    would, under certain criteria, be subject to the requirements in
    proposed part 1586. The proposed definition has the same meaning as the
    term is defined in 49 CFR 195.2.
Part 1500: Propose adding definition of ``gas''.
    This term is used extensively in proposed part 1586 and refers to a
    commodity that, if transported by pipelines, may require the owner/
    operator to be subject to the requirements in part 1586. The term is
    also used in the definition of other terms defined in this proposed
    rule. The proposed definition aligns with the definition of this term
    in 49 CFR 192.3.
Part 1500: Propose adding definition of ``hazardous liquid''.
    This term is used extensively in proposed part 1586 and refers to a
    commodity that, if transported by pipelines, may require the owner/
    operator to be subject to the requirements in part 1586. The term is
    also used in the definition of other terms defined in this proposed
    rule. The proposed definition has the same meaning as the term is
    defined in 49 CFR 195.2.
Part 1500: Propose adding definition of ``liquefied natural gas (LNG)''.
    This term is used extensively in proposed part 1586 and refers to a
    commodity that, if transported by pipelines, may require the owner/
    operator to be subject to the requirements in part 1586. The proposed
    definition has the same meaning as the term is defined in 49 CFR
    193.2007.
Part 1500: Propose adding definition of ``pipeline or pipeline system''.
    This term is used extensively in proposed part 1586 and specifically
    refers to the means of transport of gas and hazardous liquids. Owner/
    operators of these systems would, under certain applicability
    criteria, be subject to the requirements in part 1586. The proposed
    definition has the same meaning as the term is defined in 49 CFR 192.3,
    193.2007, and 195.2.
Part 1500: Propose adding definition of ``pipeline facility''.
    This term is used extensively in proposed part 1586 and specifically
    refers to the facilities used in the transportation of gas and
    hazardous liquids. Owner/operators of these systems would, under
    certain applicability criteria, be subject to the requirements in part
    1586. The proposed definition has the same meaning as the term is
    defined in 49 CFR 192.3, 193.2007, and 195.2.
Part 1500: Propose modifying definition of ``transportation or transport''.
    TSA is proposing to update the definition to include the addition of
    pipeline system and facility operations to TSA's regulations through
    proposed part 1586.
Part 1500: Propose modifying definition of ``transportation facility''.
    This term is used in part 1520 and requirements (current and proposed)
    in subchapter D. TSA is proposing to update the definition to include
    pipeline system and facility operations in proposed part 1586.
Part 1500: Propose modifying definition of ``transportation security
equipment and systems''.
    This term is used in part 1520 and requirements (current and proposed)
    in subchapter D of 49 CFR chapter XII. TSA is proposing to update the
    definition to include IT and OT authentication, network logging, and to
    specify that transportation security equipment and systems includes
    security equipment and systems for the protection and monitoring of
    both physical and virtual assets.
Part 1500: Propose adding definition of ``TSA Cybersecurity Lexicon''.
    This term would refer to a controlled vocabulary used in TSA's
    cybersecurity requirements. In general, the use of a standard lexicon
    reduces the possibility of misinterpretations when communicating
    cybersecurity definitions and terminology.
Part 1570: Propose adding definition of ``accountable executive''.
    This term is used in proposed sections regarding governance of a CRM
    program. Accountable executive means an individual employed by an
    owner/operator who is responsible and accountable for the owner/
    operator's compliance with the requirements of subchapter D, including
    authority over human resource issues, major financial issues, conduct
    of the owner/operator's affairs, all operations conducted related to
    the requirements of subchapter D, and responsibility for all
    transportation-related security issues.
Part 1570: Propose adding definition of ``cyber security-sensitive
employee''.
    This term is used to describe employees of owner/operators who TSA
    proposes must receive cybersecurity-related training. The definition
    includes any employee who is a privileged user with access to, or
    privileges to access, a Critical Cyber System or any Information or
    Operational Technology system that is interdependent with a Critical
    Cyber System, as defined in the TSA Cybersecurity Lexicon.
Part 1580: Propose adding definition of ``defense connector railroad''.
    This term is used to identify applicability of CRM requirements and
    refers to a railroad that has a line of common carrier obligation
    designated a defense connector line by the US Army Military Surface
    Deployment and Distribution Command Transportation Engineering Agency
    (SDDCTEA) and the FRA, which connects defense installations or other
    activities requiring rail service to STRACNET.
Part 1580: Propose adding definition of ``switching or terminal services''.
    This term is used to identify applicability of CRM requirements and
    refers to persons primarily engaged in the furnishing of terminal
    facilities for rail passenger or freight traffic for line-haul service,
    and in the movement of railroad cars between terminal yards, industrial
    sidings and other local sites. See <a href="https://www.osha.gov/sic-manual/4013">https://www.osha.gov/sic-manual/4013</a>.
Part 1580: Propose adding definition of ``train miles''.
    This term is used to identify applicability of CRM requirements. A
    Train-mile is the movement of a train (which can consist of many cars)
    the distance of one mile. A Train-mile differs from a vehicle-mile,
    which is the movement of one car (vehicle) the distance of one mile. A
    10-car (vehicle) train traveling one mile would be measured as one
    Train-mile and 10 vehicle-miles. See <a href="https://www.bts.gov/content/railroad-passenger-safety-data">https://www.bts.gov/content/railroad-passenger-safety-data</a>.
Part 1582: Propose adding definition of ``unlinked passenger trips''.
    This term is used in part 1582 and means the number of people making
    one-way trips on a public transportation system in a given time period.
Part 1586: Propose adding definition of ``control room''.
    This term is used in proposed sections regarding pipeline applicability
    in part 1586. Owner/operators of control rooms within this definition
    would, under certain criteria, be subject to the requirements in
    proposed part 1586. The proposed definition has the same meaning as the
    term is defined in 49 CFR 192.3 and 195.2.
Part 1586: Propose adding definition of ``high-consequence area''.
    This term is used in proposed part 1586 relating to the applicability
    of the requirements in that part. The proposed definition has the same
    meaning as the term is defined in 49 CFR 192.903 and 195.450.
Part 1586: Propose adding definition of ``peak shaving facility''.
    This term is used in proposed sections regarding pipeline applicability
    in part 1586. Owner/operators of peak shaving facilities would, under
    certain applicability criteria, be subject to the requirements in part
    1586. There is no current federal definition of a ``peak shaving
    facility,'' but the term has a commonly accepted interpretation across
    the industry.
----------------------------------------------------------------------------------------------------------------
2. TSA Cybersecurity Lexicon
TSA has also developed terms specific to cybersecurity requirements
for purposes of its SDs and ICs discussed in section II.B.1. of this
NPRM. Rather than including these terms in the regulation, TSA is
proposing to add ``TSA Cybersecurity Lexicon'' to the terms in 49 CFR
1500.3. This term would refer to a controlled vocabulary used in TSA's
cybersecurity requirements and be available on TSA's public website and
any secure websites used to communicate with regulated entities. In
general, the use of a standard lexicon reduces the possibility of
misinterpretations when communicating cybersecurity definitions and
terminology. The definitions provided below are generally consistent
with those terms and definitions in the SDs and ICs.
As the meaning of cybersecurity terms can change over time based on
emerging technology and capabilities, TSA is proposing to maintain
these definitions separate from the regulatory text. Any changes to the
terms would be interpretive in nature and would be made using the
procedures for amendments to security programs described in proposed
Sec. 1570.107.
This approach also allows flexibility for TSA to align with other
Federal agencies as part of a broader effort to harmonize cybersecurity
terminology and requirements without delaying the ability to proceed
with this important rule to establish a strong cybersecurity baseline
to protect critical surface operations. Table 5 includes the list and
definition of terms that TSA proposes to establish for the first
iteration of the TSA Cybersecurity Lexicon.
Table 5--Explanation of Proposed Terms and Definitions in TSA Cybersecurity Lexicon
----------------------------------------------------------------------------------------------------------------
Term
    Proposed definition
    Explanation
----------------------------------------------------------------------------------------------------------------
Term: Authorized representative.
    Proposed definition: TSA is proposing to use a modified definition of
    an ``authorized representative'' from the definition in 49 CFR 1500.3.
    For TSA's cybersecurity requirements, an ``authorized representative''
    is a person who is not a direct employee of the owner/operator but is
    authorized to act on the owner/operator's behalf to perform measures
    required by the security program. The term authorized representative
    includes agents, contractors, and subcontractors. This term does not
    include Managed Security Service Providers.
    Explanation: This term is used in proposed sections requiring, as
    necessary and appropriate, identification of individuals of third
    parties who are responsible for implementation or oversight of the CRM
    program of cyber activities identified or critical for implementation
    of cyber activities described in the owner/operator's CRM program.
    Authorized representatives may be empowered to act on behalf of the
    authorizing official to coordinate and conduct the day-to-day
    activities associated with managing risk to information systems and
    organizations. Considering these responsibilities, authorized
    representatives may be liable for non-compliance separate or in
    addition to the owner/operator. [Source: NIST.SP.800-37r2].
Term: Business critical functions.
    Proposed definition: Owner/operator's determination of capacity or
    capabilities to support functions necessary to meet operational needs
    and supply chain expectations.
    Explanation: This term is used in proposed sections regarding
    Cybersecurity Incident Response Plans to determine key business
    functions, resources, infrastructure, and assets to ensure continuity
    of operations and supply chain expectations. [Source: Transportation
    Security Template and Assessment Review Toolkit].
Term: Critical Cyber System.
    Proposed definition: Any Information Technology or Operational
    Technology system used by the owner/operator that, if compromised or
    exploited, could result in an operational disruption incurred by the
    owner/operator. Critical Cyber Systems include those business support
    services that, if compromised or exploited, could result in
    operational disruption. This term includes systems whose ownership,
    operation, maintenance, or control is delegated wholly or in part to
    any other party.
    Explanation: This term is used in proposed sections to delineate
    criticality of any Information Technology or Operational Technology
    system to prioritize which assets need to be secured first. [Source:
    NIST IR 8179/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
    These systems may include programmable electronic devices, computers,
    or other automated systems which are used in providing transportation;
    alarms, cameras, and other protection systems; and communication
    systems, and utilities needed for security purposes, including
    dispatching systems. [Source: sections 1531(d)(1)(C), 1512(d)(1)(C) of
    the Implementing Recommendations of the 9/11 Commission Act of 2007,
    Public Law 110-53 (121 Stat. 266; Aug. 3, 2007)].
Term: CISA.
    Proposed definition: The Cybersecurity and Infrastructure Security
    Agency within the Department of Homeland Security.
    Explanation: This term is used in proposed sections related to
    reporting of cybersecurity incidents and protection of Critical Cyber
    Systems.
Term: Cybersecurity Architecture Design Review.
    Proposed definition: A technical assessment based on government and
    industry-recognized standards, guidelines, and best practices that
    evaluates systems, networks, and security services to determine if
    they are designed, built, and operated in a reliable and resilient
    manner. These reviews must be designed to be applicable to the owner/
    operator's Information Technology and Operational Technology systems.
    Explanation: This term is used in proposed sections to reflect an
    assessment for owner/operators in developing mitigation strategies to
    combat cyber intrusion and cybersecurity incidents. CISA offers an
    assessment called a Validated Architecture Design Review (VADR) while
    other third-party assessment entities offer a similar assessment based
    on CISA's VADR methodology or a separate Architecture Design Review
    methodology. [Source: CISA Cyber Resource Hub/SD Pipeline-2021-02
    series/SD 1580/82-2022-01 series].
Term: Cybersecurity incident.
    Proposed definition: An occurrence that, without lawful authority,
    jeopardizes or is reasonably likely to jeopardize the integrity,
    confidentiality, or availability of computers, information or
    communications systems or networks, physical or virtual infrastructure
    controlled by computers or information systems, or information
    resident on the system. This definition includes an event that is
    under investigation or evaluation by the owner/operator as a possible
    cybersecurity incident without final determination of the event's
    root cause or nature (such as, malicious, suspicious, or benign).
    Explanation: This term is used in proposed sections to detail the
    elements of a cybersecurity incident in order to accomplish a
    harmonization of definition across the government. [Source: DHS
    Lexicon Ed 17 Rev 2/SD Pipeline-2021-02 series/SD 1580/82-2022-01
    series].
Term: Information technology system.
    Proposed definition: Any services, equipment, or interconnected
    systems or subsystems of equipment that are used in the automatic
    acquisition, storage, analysis, evaluation, manipulation, management,
    movement, control, display, switching, interchange, transmission, or
    reception of data or information that fall within the responsibility
    of an owner/operator subject to TSA's Cybersecurity Requirements to
    operate and/or maintain.
    Explanation: This term is used in proposed sections to describe what
    Information Technology system entails and align the definition with
    other Federal agencies. [Source: NIST SP 800-12r1/CISA CPG/DHS Lexicon
    Ed 17 Rev 2/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Interdependencies.
    Proposed definition: Relationships of reliance within and among
    Information Technology and Operational Technology systems that must be
    maintained for those systems to operate and provide services.
    Explanation: This term is used in proposed sections to recognize the
    vital relationship between Information Technology and Operational
    Technology systems and used to determine the policies and controls
    that must be in place to secure critical cyber systems. [Source: SD
    Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Least privilege.
    Proposed definition: Persons and programs operate using the minimum
    level of access, permissions, and system resources necessary to
    perform the function.
    Explanation: This term is used in proposed sections to emphasize a
    security principle of granting minimum system resources and
    authorizations to accomplish assigned tasks. [Source: NIST SP 800-
    12r1/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Managed Security Service Provider.
    Proposed definition: For purposes of TSA's cybersecurity requirements,
    a person who is not a direct employee of the owner/operator, but who
    provides one or more services or capabilities that the owner/operator
    is using to perform measures required by the TSA. Managed Security
    Service Providers generally provide a logical service or capability.
    Managed Security Service Providers are not authorized representatives.
    Explanation: This term is used in proposed sections to make a
    distinction between a managed security service provider and an
    authorized representative for the purpose of identifying cybersecurity
    roles and responsibilities. [Source: NIST SP 800-61r2/NIST SP 800-172/
    Joint EA 23-01 Aviation].
Term: Memorized secret authenticator.
    Proposed definition: A type of authenticator comprised of a character
    string intended to be memorized by, or memorable to, the subscriber,
    permitting the subscriber to demonstrate something they know as part
    of an authentication process.
    Explanation: This term is used in proposed sections to describe the
    makeup and function of a password and its critical role in the
    authentication process. [Source: NIST SP 800-63-3/SD Pipeline-2021-02
    series/SD 1580/82-2022-01 series].
Term: Operational disruption.
    Proposed definition: A deviation from or interruption of business
    critical functions that results from a compromise or loss of data,
    system availability, system reliability, or control of systems.
    Explanation: This term is used in two contexts. First, it applies to
    identify reportable cybersecurity incidents. It is also used for
    purposes of identifying Critical Cyber Systems. The definition is
    intended to cover a wide range of potential scenarios. For example,
    while the term does not explicitly reference unauthorized access,
    presence of malicious software, or a distributed denial of service
    incident, those events are covered by the scenarios used in the
    definition. [Source: NIST SP 800-34r1/SD Pipeline-2021-02 series/SD
    1580/82-2022-01 series].
Term: Operational technology system.
    Proposed definition: A general term that encompasses several types of
    control systems, including industrial control systems, supervisory
    control and data acquisition systems, distributed control systems, and
    other control system configurations, such as programmable logic
    controllers, fire control systems, and physical access control
    systems, often found in the industrial sector and critical
    infrastructure. Such systems consist of combinations of programmable
    electrical, mechanical, hydraulic, pneumatic devices or systems that
    interact with the physical environment or manage devices that interact
    with the physical environment.
    Explanation: This term is used in proposed sections to describe what
    Operational Technology system encompasses and align the definition
    with other Federal agencies. [Source: NIST SP 800-37r2/CISA CPG/SD
    Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Phishing.
    Proposed definition: Tricking individuals into disclosing sensitive
    information through deceptive computer-based means such as internet
    web sites or e-mails using social engineering or counterfeit
    identifying information.
    Explanation: This term is used in proposed sections to expound on a
    common cybersecurity incident that attempts to acquire sensitive data
    in which the perpetrator masquerades as a legitimate business or
    reputable person. [Source: NIST SP 800-150/SD Pipeline-2021-02 series/
    SD 1580/82-2022-01 series].
Term: Reportable cybersecurity incident.
    Proposed definition: Incidents involving systems that the owner/
    operator has responsibility to operate and/or maintain including: a.
    Unauthorized access of an Information Technology or Operational
    Technology system; b. Discovery of malicious software that impacts the
    confidentiality, integrity, or availability of an Information
    Technology or Operational Technology system; c. Activity resulting in
    a denial of service to any Information Technology or Operational
    Technology system; and/or d. Any other cybersecurity incident that
    results in, or has the potential to result in, operational disruption
    affecting the owner/operator's Information Technology or Operational
    Technology systems; other aspects of the owner/operator's systems or
    facilities, critical infrastructure or core government functions; or
    national security, economic security, or public health and safety.
    Explanation: This term is used in proposed sections to inform the
    criteria for reporting when a cybersecurity incident occurs. [Source:
    TSA Surface IC/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Security orchestration, automation, and response (SOAR).
    Proposed definition: Capabilities that enable owner/operators to
    collect inputs monitored by the security operations team. For example,
    alerts from the security information and event management system and
    other security technologies, where incident analysis and triage can be
    performed by leveraging a combination of human and machine power, help
    define, prioritize and drive standardized incident response
    activities. These capabilities allow an owner/operator to define
    incident analysis and response procedures in a digital workflow
    format.
    Explanation: This term is used in proposed sections to highlight
    capabilities that enable owner/operators to monitor systems and drive
    standardized incident response. [Source: NIST SP 800-25/SD Pipeline-
    2021-02 series/SD 1580/82-2022-01 series].
Term: Shared account.
    Proposed definition: An account that is used by multiple individuals
    with a common authenticator to access systems or data. A shared
    account is distinct from a group account, which is a collection of
    user accounts that allows administrators to group similar user
    accounts together in order to grant them the same rights and
    permissions. Group accounts do not have common authenticators.
    Explanation: This term is used to describe an account that requires
    oversight/restriction due to a unique requirement. [Source: NIST SP
    800-53r5 (AC-2)/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Spam.
    Proposed definition: Electronic junk mail or the abuse of electronic
    messaging systems to indiscriminately send unsolicited bulk messages.
    Explanation: This term is used in proposed sections to describe
    unsolicited bulk emailed messages. [Source: NIST SP 800-12r1].
Term: Tor, also known as The Onion Router.
    Proposed definition: Software that allows users to browse the web
    anonymously by encrypting and routing requests through multiple relay
    layers or nodes. Tor software obfuscates a user's identity from anyone
    seeking to monitor online activity (such as nation states,
    surveillance organizations, information security tools). This
    deception is possible because the online activity of someone using Tor
    software appears to originate from the Internet Protocol address of a
    Tor exit node, as opposed to the address of the user's computer.
    Explanation: This term is used in proposed sections to describe an
    open-source software for enabling anonymous internet communication.
    [Source: SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].
Term: Trust relationship.
    Proposed definition: An agreed upon relationship between two or more
    system elements that is governed by criteria for secure interaction,
    behavior, and outcomes relative to the protection of assets. This term
    refers to trust relationships between system elements implemented by
    hardware, firmware, and software.
    Explanation: This term is used in proposed sections to recognize
    policies that govern how entities in differing domains honor each
    other's authorizations. [Source: NIST SP 800-160v1r1/SD Pipeline-2021-
    02 series/SD 1580/82-2022-01 series].
Term: Unauthorized access.
    Proposed definition: Access from an unknown source; access by a third
    party or former employee; an employee accessing systems for which he
    or she is not authorized. This term may include a non-malicious policy
    violation such as the use of a shared credential by an employee
    otherwise authorized to access it.
    Explanation: This term is used in proposed sections to describe what
    Unauthorized Access encompasses. [Source: SD Pipeline-2021-02 series/
    SD 1580/82-2022-01 series].
----------------------------------------------------------------------------------------------------------------
C. Cybersecurity Risk Management Program--General
1. Introduction
The primary purpose of this rulemaking is to mitigate the impacts
of cybersecurity incidents on higher-risk surface modes of
transportation. This purpose will not be met by simply codifying the
requirements in the SDs or assuming that what is currently being done
will be sufficient for the future. Cybersecurity is not static; it is
an ever-evolving capability to address ever-evolving threats. To ensure
critical systems are protected from a cybersecurity incident, this
proposed rule includes requirements to establish a CRM program that
would ensure cybersecurity maturity as an ongoing and adaptive process.
In developing the requirements in this proposed rule, TSA began with
those previously imposed by TSA through SDs issued under the authority
of 49 U.S.C. 114(l), considered the structure and recommendations in
the NIST CSF, and focused on the actions prioritized by CISA in the
CPGs. Through implementation of these requirements, TSA believes the
regulated parties would meet the NIST ``Repeatable'' Tier, which
applies to companies with mature cybersecurity programs that are
formally approved and are known and communicated organization-wide,
reflect an organization-wide approach to managing risks, have
consistent methods in place for cybersecurity policies, ensure
individuals within the company know their roles and responsibilities
for cybersecurity, and maintain an awareness of the company's
dependencies and dependents.
2. Applicability
The applicability for this proposed rule is modified from the
applicability of the current SD requirements. Specifically, the
applicability of those SDs for railroads and rail transit systems
generally aligns with the applicability for security training in 49 CFR
parts 1580 and 1582. For pipelines, applicability of the SDs aligns with
TSA's designation of the most critical pipeline systems and facilities
for purposes of the Pipeline Security Program Corporate Security
Reviews and Critical Facility Security Reviews required by section 1557
of the
[[Page 88508]]
9/11 Act.\118\ These applicability determinations were based on the
physical security of transportation systems and risks within that
context.
---------------------------------------------------------------------------
\118\ See supra note 81.
---------------------------------------------------------------------------
Use of TSA's risk-based determinations for applicability is
consistent with the focus of the 9/11 Act's requirements on higher-risk
operations. This risk-based focus is reflected in the statutory
requirement that focuses security training requirements on frontline
employees, not all employees; \119\ requiring risk-based tiers where
only the highest tier would be required to comply with regulations for
vulnerability assessments and security plans; \120\ and focusing the
pipeline security reviews on the most critical systems and
facilities.\121\ To expedite use of TSA's emergency authorities under
49 U.S.C. 114(l)(2), the agency primarily relied on the risk
determinations used for these requirements and reviews to impose the
cybersecurity requirements in the SDs discussed in section II.B.1 of
this NPRM.
---------------------------------------------------------------------------
\119\ See secs. 1408(a), 1517(a), and 1534(a) of the 9/11 Act,
codified at 6 U.S.C. 1137(a), 1167(a), and 1184(a), respectively.
\120\ See secs. 1512(a) and 1181(a) of the 9/11 Act, codified at
6 U.S.C. 1162(a) and 1181(a).
\121\ See supra note 81.
---------------------------------------------------------------------------
Since issuance of these SDs, TSA has determined that with respect
to permanent regulations, different risk criteria apply when the focus
is on cybersecurity. In addition to protecting passengers and the
immediate supply chain, risk considerations also include protecting
national security, including economic security, and recognizing the
dependence of both on reliable freight rail and pipeline systems. As risk
is a construct of threat, vulnerabilities, and consequences, the change
from physical to virtual risks involves different types of threats
related to motivation and capacity, different vulnerabilities reflecting
reliance on IT and OT systems and dependency, and different
consequences to passenger safety and the supply chain if a Critical
Cyber System is the target of a successful cybersecurity incident.
Where cybersecurity incidents in some sectors are primarily focused on
loss of data or privacy information, in the transportation sector, a
cybersecurity incident has a potential impact on operations affecting
passenger safety, the environment, and the supply chain. In other
words, cybersecurity incidents could have direct physical consequences.
See discussion in section II.A.4 regarding cybersecurity threats. As
noted in the National Cybersecurity Strategy, regulatory agencies are
encouraged to ensure ``cybersecurity regulations for critical
infrastructure . . . prioritize the availability of essential
services.'' \122\ The expanding nature of cyber risks to the
transportation sector also requires an assessment of applicability
specific to these risks. Consistent with these considerations, TSA is
proposing the following applicability criteria for freight railroads,
rail transit and passenger railroads, and pipeline facilities and
systems.
---------------------------------------------------------------------------
\122\ See supra note 12, at 8-9.
---------------------------------------------------------------------------
a. Freight Railroads Subject to CRM Program Requirements in Proposed
Subpart D of Part 1580
TSA proposes that the CRM program requirements apply to the freight
railroads that transport the greatest amount of cargo or are identified
as supporting certain Department of Defense (DoD) operations. TSA
estimates 73 freight railroads would meet the following risk-based
criteria:
    • Is a Class I railroad as defined in current 49 CFR 1580.3; \123\ or
---------------------------------------------------------------------------
\123\ TSA currently defines a Class I railroad by reference to
the classifications of the Surface Transportation Board. For
regulatory purposes, the Surface Transportation Board categorizes
rail carriers into three classes: Class I, Class II, and Class III.
The classes are based on the carrier's annual operating revenues.
Current thresholds establish Class I carriers as any carrier earning
revenue greater than $943.9 million, Class II carriers as those
earning revenue between $42.4 million and $943.9 million, and Class
III carriers as those earning revenue less than $42.4 million. See
49 CFR part 1201; General Instructions 1-1. TSA is proposing to
revise its definition applicable to class determinations to include
Class I, Class II, and Class III freight railroads.
---------------------------------------------------------------------------
    • Is a Class II or III railroad that:
        • Transports one or more of the categories and quantities of Rail
          Security-Sensitive Materials \124\ in a High Threat Urban Area;
          \125\
---------------------------------------------------------------------------
\124\ 49 CFR 1580.3.
\125\ Appendix A to 49 CFR part 1580.
---------------------------------------------------------------------------
        • Provides switching or terminal services to two or more Class I
          railroads;
        • Operates an average of at least 400,000 train miles in any of the
          three years before the effective date of the final rule or in any
          calendar year after the effective date; \126\
---------------------------------------------------------------------------
\126\ TSA reviewed historical statistics from the FRA to discern
a threshold of annual train miles. The 400,000 train-miles threshold
provided a clear breakpoint between large, medium, and small
railroad operations. See <a href="https://railroads.dot.gov/accident-and-incident-reporting/overview-reports/train-miles-and-passengers">https://railroads.dot.gov/accident-and-incident-reporting/overview-reports/train-miles-and-passengers</a> (last
accessed Sept. 27, 2023).
---------------------------------------------------------------------------
        • Is designated as a Defense Connector Railroad by DoD, as defined
          in proposed 1580.3; or
        • Serves as a host railroad to any of the freight railroad
          operations identified above or a higher-risk passenger rail
          operation identified in proposed Sec. 1582.201; \127\
---------------------------------------------------------------------------
\127\ 49 CFR 1582.101.
---------------------------------------------------------------------------
These criteria for applicability would capture railroads responsible
for approximately 94 percent of the freight transported by rail in the
United States: railroads that transport the largest volume of cargo,
railroads that serve as critical connections between Class I
railroads, and railroads that serve as vital links in the Strategic Rail
Corridor Network (STRACNET).\128\ A cybersecurity incident affecting one
of these railroads would have the most significant impact on rail
transportation, national security, and economic security.
---------------------------------------------------------------------------
\128\ The Strategic Rail Corridor Network is an interconnected
and continuous rail line network consisting of over 36,000 miles of
track serving over 120 defense installations.
---------------------------------------------------------------------------
The proposed applicability criteria for CRM program requirements
would expand the applicability of the requirements set forth in the SDs
to include an additional nine railroads, all of which operate more than
an average 400,000 train miles \129\ per year. TSA is proposing this
expansion because, were any of these railroads to experience a
degradation of service due to a cybersecurity incident, the effects of
that service degradation would ripple across the nation's rail network
and cause significant disruption to the industry's service capacity.
---------------------------------------------------------------------------
\129\ A train-mile is a unit in railroad accounting and refers
to the distance of one mile covered by a single train, which may
have several cars.
---------------------------------------------------------------------------
TSA is not proposing to apply the CRM program requirements to most
short line and regional railroads. Although TSA's current regulations
in 49 CFR part 1580 apply some requirements to the majority of the
short line and regional railroads, these are not generally high-cost
requirements. Applying the CRM program requirements to these smaller
railroads would, however, impose costs with limited corresponding
benefit in minimizing the consequences that the proposed rule is
intended to address, as an operational disruption of one of these
railroads due to a cybersecurity incident would not have a significant
impact on national security, including economic security.
An expanded scope of applicability could also be beyond TSA's current
resources to effectively monitor for compliance. For those operators
not determined to be at higher-risk, TSA believes it is more benefi