TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident. Those directives had to be re-issued annually. The new regulation will be permanent – at least until it’s changed or revoked.

So I’m trying to read through the proposed rule, and the document is daunting – 105 pages of technical language intermixed with very legal language, riddled with cross-references, only some of which I understand. That said, at a high level, the new rule, if passed as-is looks to apply to some:

• 73 of 620 freight railroads in the USA,
• 34 of 92 public transportation & passenger railroads,
• 115 of 2,105 of the nation's pipelines, and
• 71 bus owner/operators,

Though the bussing rules seem focused on incident reporting rather than full-blown cybersecurity programs.

Some of the most confusing legal language seems focused on rationalizing how the TSA issues security directives, since before this it seems there were different procedures for security directives applicable to different forms of transportation. Another bunch of confusing language seems to be rationalizing physical security requirements and separating them from cybersecurity requirements. And then it gets a little bit more readable:

• 49 CFR Part 1580 – Freight Rail Transportation Security – starts on pp 71
• 49 CFR Part 1582 – Public Transportation and Passenger Rail Security – starts on pp 82
• 49 CFR Part 1584 – Highway and Motor Carrier Cybersecurity – starts on pp 92, and
• 49 CFR Part 1586 – Pipeline Facilities and Systems Security – starts on pp 96

The freight rail, passenger rail & pipeline sections have a lot of familiar language. I haven't gone through them line by line comparing them to the previous security directives – eg: TSA SD 2021-02E the current directive that applies to pipelines – but just reading through the requirements rings a lot of bells in terms of language I've read before.

At a high level, in-scope owners and operators will need to:

1. Carry out annual enterprise-wide evaluations documenting the current state of cybersecurity and comparing that state to a 'target profile,
2. Document a ‘target profile’ that includes at least the measures and outcomes described in the new law / rule, and ideally includes all of the applicable parts of the NIST Cybersecurity Framework (NIST CSF),
3. Develop an implementation plan and identify people responsible for carrying out the plan, and
4. Identify critical cyber systems and detailed measures to protect those systems, as well as detailed measures to detect cyber incidents, respond to them and recover from them.

At a higher level, as you've probably guessed by now, I'm struggling to understand the legalese. I would welcome a call from someone who can explain how to make sense of the complicated cross-references. I promise to take detailed notes on the process and publish them as an article so other interested people can figure out how to do the same - with copious thanks to my generous instructor.

BTW – one of the reasons I'm trying to understand this new rule is because I'm hoping to include insights into the rule in a webinar that's coming up: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving Them.

If you're interested in seeing what's common, what's different, and what's changing in this space, please do join us on Wednesday Nov 27.

And if you are interested in more of my writing, Waterfall Security Solutions continues to give a way free copies of my book Engineering-Grade OT Security: A manager's guide