Wanted: A Plan to Secure America’s Railroads Against Cyberattacks

OPINION — The Transportation Security Administration (TSA) published a proposed cybersecurity rule on November 6 that would “require the establishment of pipeline and railroad cyber risk management programs,” solidifying prior security directives. The rule is a positive step, but implementing it within the rail subsector will require continued collaboration between the federal government and private companies.  

Large and Small Railroads Need Cyber Risk Management 


The proposed rule consolidates separate directives the TSA had issued for mass transit, freight rail, and pipelines over the past three years into a single set of cybersecurity requirements. Under the new rule, Washington requires companies to establish and maintain a cyber risk management program; complete annual cybersecurity self-assessments; have a cyber incident response plan; and report physical and cyber incidents to the TSA and the Cybersecurity and Infrastructure Security Agency, respectively.  

Of the more than 600 freight rail companies in the United States, only about 70 are covered under the new rule. The six largest freight rail companies, which account for more than 90 percent of industry revenue, are all subject to this rule. The remaining railroads are much smaller but provide critical ligature between the larger railroads, including serving as essential movers of military equipment, troops, and supplies. A cybersecurity incident at these smaller railroads would have a “significant impact on rail transportation, national security, and economic security,” the TSA noted.  

Industry Input Improves Cybersecurity Requirements 

The TSA’s notice of proposed rulemaking comes on the heels of years-long regulatory efforts following a 2021 cyberattack on Colonial Pipeline, a company responsible for transporting almost half of the East Coast’s fuel. Due to a longstanding lack of collaboration between the public and private sectors, the TSA originally waffled between overly prescriptive and overly vague instructions, as it attempted to impose cybersecurity requirements on private entities. Over the next three years, the TSA focused on incorporating industry input, leading to more coherent security directives.  

The new rule from the TSA builds on a wide range of industry feedback, with a TSA official reporting that during the crafting of the cybersecurity requirements, the agency gathered input from industry operators to “the maximum extent practicable.” As part of the formal rulemaking process, the TSA is now seeking additional public comments, particularly on supply chain risk management and implementation costs. 

The TSA estimates it will cost rail companies less than $1 million per year to implement the requirements. That’s not a lot of money in the world of cybersecurity. However, the agency acknowledges that it may have an incomplete picture of feasibility and cost for some of the private entities who fall under the new rule.  

Cybersecurity Funding Needed for Small Rail Companies 

Despite their criticality to the military mobility mission and to national security, some of the smaller rail companies may struggle with even the modest cybersecurity investment necessary to implement the proposed requirements. To help these companies improve their cybersecurity posture, Congress should create a grant program for small freight railroads to pay for both capital improvements and the workforce necessary to implement cybersecurity risk management. With the TSA seeking to create reasonable minimum cybersecurity requirements, Congress now has a role to play by helping small companies make the necessary financial commitments for critical infrastructure cybersecurity.  

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.  Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
