Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

TSA Proposes Cyber-Risk Mandates for Pipelines, Transportation Systems

The proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber-risk management plans.

Jennifer Lawinski, Contributing Writer

November 15, 2024

2 Min Read
the underside of several pipelines
Source: Martin Muransky via Alamy Stock Photo

The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber-risk management and reporting practices for pipeline, railroad, bus, and other public transportation systems. The proposed rules extend existing cybersecurity frameworks developed by the National Institute of Standards and Technology, as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).

The proposed rules, as laid out in the Federal Register on Thursday, would affect "certain pipeline and rail owner/operators" and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber-risk management programs, report incidents to CISA, designate a physical security coordinator, and report significant physical security concerns to TSA. The cyber-risk management plans will need to include annual cybersecurity evaluations, assessment plans that identify unaddressed vulnerabilities, and a cybersecurity operational implementation plan describing officials in charge of cyber, critical cyber systems and how they are protected, measures in place to detect cyberattacks, and what will be done to address and recover from cyber incidents.

If approved, the new rules would impact close to 300 surface transportation owners/operators regulated by the TSA across freight railroad, passenger railroad, rail transit, and pipeline sectors, and would also require the aviation sector to comply. Specifically, the rules would impact 73 of the approximately 620 freight railroads currently operating in the U.S., 34 of the approximately 92 public transportation agencies and passenger railroads, 71 over-the-road bus owners and operators, and 115 of the more than 2,000 pipeline facilities and systems.

"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure," said TSA Administrator David Pekoske in a statement. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."

This is one of the Biden administration's last efforts to shore up the cybersecurity of critical infrastructure in the wake of the ransomware attack that crippled Colonial Pipeline back in 2021. The proposed rule is open for public comment until Feb. 2, 2025.

About the Author

Jennifer Lawinski

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights