Enhancing Surface Cyber Risk Management, 73527-73538 [2022-25941]

Agencies

• DEPARTMENT OF HOMELAND SECURITY
• Transportation Security Administration

[Federal Register Volume 87, Number 229 (Wednesday, November 30, 2022)]
[Proposed Rules]
[Pages 73527-73538]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-25941]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Chapter XII

[Docket No. TSA-2022-0001]
RIN 1652-AA74


Enhancing Surface Cyber Risk Management

AGENCY: Transportation Security Administration, DHS.

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA) is seeking 
input regarding ways to strengthen cybersecurity and resiliency in the 
pipeline and rail (including freight, passenger, and transit rail) 
sectors. This advance notice of proposed rulemaking (ANPRM) offers an 
opportunity for interested individuals and organizations, particularly 
owner/operators of higher-risk pipeline and rail operations, to help 
TSA develop a comprehensive and forward-looking approach to 
cybersecurity requirements. TSA is also interested in input from the 
industry associations representing these owners/operators, third-party 
cybersecurity subject matter experts, and insurers and underwriters for 
cybersecurity risks for these transportation sectors. Although TSA will 
review and consider all comments submitted, we are specifically 
interested in responses to the questions posed in this ANPRM. Input 
received in response to this ANPRM will assist TSA in better 
understanding how the pipeline and rail sectors implement cyber risk 
management (CRM) in their operations and will support us in achieving 
objectives related to the enhancement of pipeline and rail 
cybersecurity.

DATES: Submit comments by January 17, 2023.

ADDRESSES: You may submit comments, identified by the TSA docket number 
to this rulemaking, to the Federal Docket Management System (FDMS), a 
government-wide, electronic docket management system. To avoid 
duplication, please use only one of the following methods:
     Electronic Federal eRulemaking Portal: https://www.regulations.gov. Follow the online instructions for submitting 
comments.
     Mail: Docket Management Facility (M-30), U.S. Department 
of Transportation, 1200 New Jersey Avenue SE, West Building Ground 
Floor, Room W12-140, Washington, DC 20590-0001. The Department of 
Transportation (DOT), which maintains and processes TSA's official 
regulatory dockets, will scan the submission and post it to FDMS. 
Comments must be postmarked by the date indicated above.
     Fax: (202) 493-2251.
    See the SUPPLEMENTARY INFORMATION section for format and other 
information about comment submissions.

FOR FURTHER INFORMATION CONTACT: 
    For program questions: Victor Parker, Surface Division, Policy, 
Plans, and Engagement, TSA-28, Transportation Security Administration, 
6595 Springfield Center Drive, Springfield, VA 20598-6002; telephone 
(571) 227-1039; email: [email protected].
    For legal questions: David Kasminoff (TSA, Senior Counsel, 
Regulations and Security Standards) at telephone (571) 227-3583, or 
email to [email protected].

SUPPLEMENTARY INFORMATION: 

Comments Invited

    TSA invites interested persons to participate in this ANPRM by 
submitting written comments, including relevant data. We also invite 
comments

[[Page 73528]]

relating to the economic, environmental, energy, or federalism impacts 
that might result from a rulemaking action. See ADDRESSES section above 
for information on where to submit comments.
    With each comment, please identify the docket number at the 
beginning of your comments. You may submit comments and material 
electronically, in person, by mail, or fax as provided under ADDRESSES, 
but please submit your comments and material by only one means. If you 
submit comments by mail or in person, submit them in an unbound format, 
no larger than 8.5 by 11 inches, suitable for copying and electronic 
filing.
    If you would like TSA to acknowledge receipt of comments submitted 
by mail, include with your comments a self-addressed, stamped postcard 
on which the docket number appears. TSA will stamp the date on the 
postcard and mail it to you.
    All comments, except those that include confidential or sensitive 
security information (SSI) \1\ will be posted to https://www.regulations.gov, and will include any personal information you have 
provided. Should you wish your personally identifiable information 
redacted prior to filing in the docket, please clearly indicate this 
request in your submission to TSA. TSA will consider all comments that 
are in the docket on or before the closing date for comments and will 
consider comments filed late to the extent practicable. The docket is 
available for public inspection before and after the comment closing 
date.
---------------------------------------------------------------------------

    \1\ ``Sensitive Security Information'' or ``SSI'' is information 
obtained or developed in the conduct of security activities, the 
disclosure of which would constitute an unwarranted invasion of 
privacy, reveal trade secrets or privileged or confidential 
information, or be detrimental to the security of transportation. 
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------

Handling of Certain Sensitive Information Submitted in Public Comments

    Do not submit comments that include trade secrets, confidential 
commercial or financial information, SSI, or protected critical 
infrastructure information to the public regulatory docket. Comments 
containing this type of information should be submitted separately from 
other comments, appropriately marked as containing such information, 
and submitted by mail to the address listed in FOR FURTHER INFORMATION 
CONTACT section. TSA will take the following actions for all 
submissions containing SSI:
     TSA will not place comments containing SSI in the public 
docket and will handle them in accordance with applicable safeguards 
and restrictions on access.
     TSA will hold documents containing SSI, confidential 
business information, or trade secrets in a separate file to which the 
public does not have access, and place a note in the public docket 
explaining that commenters have submitted such documents.
     TSA may include a redacted version of the comment in the 
public docket.
     TSA will treat requests to examine or copy information 
that is not in the public docket as any other request under the Freedom 
of Information Act (5 U.S.C. 552) and the Department of Homeland 
Security (DHS) Freedom of Information Act regulation found in 6 CFR 
part 5.

Reviewing Comments in the Docket

    Please be aware that anyone is able to search the electronic form 
of all comments in any of our dockets by the name of the individual, 
association, business entity, labor union, etc., who submitted the 
comment. For more about privacy and the docket, review the Privacy and 
Security Notice for the FDMS at https://www.regulations.gov/privacy-notice, as well as the System of Records Notice DOT/ALL 14--Federal 
Docket Management System (73 FR 3316, January 17, 2008) and the System 
of Records Notice DHS/ALL 044--eRulemaking (85 FR 14226, March 11, 
2020).
    You may review TSA's electronic public docket at https://www.regulations.gov. In addition, DOT's Docket Management Facility 
provides a physical facility, staff, equipment, and assistance to the 
public. To obtain assistance or to review comments in TSA's public 
docket, you may visit this facility between 9 a.m. and 5 p.m., Monday 
through Friday, excluding legal holidays, or call (202) 366-9826. This 
DOT facility is located in the West Building Ground Floor, Room W12-140 
at 1200 New Jersey Avenue SE, Washington, DC 20590.

Availability of Rulemaking Document

    You can find an electronic copy of rulemaking documents relevant to 
this action by searching the electronic FDMS web page at https://www.regulations.gov or at https://www.federalregister.gov.
    In addition, copies are available by writing or calling the 
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to 
identify the docket number of this ANPRM.

Abbreviations and Terms Used in This Document

ANPRM--Advance notice of proposed rulemaking
AAR--Association of American Railroads
APTA--Association of Public Transportation Agencies
ATSA--Aviation and Transportation Security Act
C2M2--Cybersecurity Capabilities Maturity Model
CFATS--Chemical Facility Anti-Terrorism Standards
CFSR--Critical facility security reviews
CIP--Critical Infrastructure Protection
CISA--Cybersecurity and Infrastructure Security Agency
CRM--Cyber risk management
CSR--Corporate Security Reviews
DFARS--Defense Federal Acquisition Regulation Supplement
FERC--Federal Energy Regulatory Commission
FRA--Federal Railroad Administration
FSB--Russian Federal Security Service
DHS--Department of Homeland Security
DOE--Department of Energy
DOT--Department of Transportation
ICS--Industrial Control System
IT--Information technology
NERC--North American Electric Reliability Corporation
NIST--National Institute of Standards and Technology
NPRM--Notice of proposed rulemaking
OT--Operational technology
RBPS--Risk-Based Performance Standard
SCADA--Supervisory control and data acquisition
SSI--Sensitive security information
TSA--Transportation Security Administration

I. Introduction

A. Pipeline Transportation

    The national pipeline system consists of more than 3.3 million 
miles of networked pipelines transporting hazardous liquids, natural 
gas, and other liquids and gases for energy needs and manufacturing. 
Although most pipeline infrastructure is buried underground, 
operational elements such as compressors, metering, regulating, pumping 
stations, aerial crossings, and storage tanks are typically located 
above ground. Under operating pressure, the pipeline system is used as 
a conveyance to deliver resources from source location to destination. 
In addition to portions of the network that are manually operated, the 
pipeline system includes use of automated industrial control systems 
(ICS), such as supervisory control and data acquisition (SCADA) systems 
to monitor and manage the system. These systems use remote sensors, 
signals, and preprogramed parameters to activate valves and pumps to 
maintain flows within tolerances. Pipeline systems supply energy 
commodities and raw

[[Page 73529]]

materials across the country to utility entities, airports, military 
sites, and to the Nation's industrial and manufacturing sectors. 
Protecting vital supply chain infrastructure of pipeline operations is 
critical to national security and commerce.

B. Rail Transportation

    The rail transportation sector includes freight railroads, 
passenger railroads (including inter-city and commuter), and rail 
transit.
1. Freight Railroads
    The national freight rail network is a complex system that includes 
both physical and cyber infrastructure and consists of nearly 140,000 
rail miles operated by seven Class I railroads and 580 local (also 
known as Short Line) railroads and 21 regional railroads. The Class I 
railroads had 2021 operating revenues of at least $900 million. These 
seven railroads also account for approximately 68 percent of freight 
rail mileage, 88 percent of employees, and 94 percent of revenue. 
Regional railroads and local railroads range in size from operations 
handling a few carloads monthly to multi-state operators nearly the 
size of a Class I operation.\2\ As stated by the American Association 
of Railroads (AAR), the freight rail sector provides ``a safe, 
efficient, and cost-effective transportation network that reliably 
serves customers and the nation's economy.'' \3\
---------------------------------------------------------------------------

    \2\ See https://www.aar.org/wp-content/uploads/2020/08/AAR-Railroad-101-Freight-Railroads-Fact-Sheet.pdf (last visited Sep. 19, 
2022).
    \3\ Id.
---------------------------------------------------------------------------

    Freight railroads are private entities which own and are 
responsible for their own infrastructure. They maintain the 
locomotives, rolling stock, and fixed assets involved in the 
transportation of goods and materials across the Nation's rail system. 
As required by Congress, railroads are subject to safety regulations 
promulgated and enforced by the Federal Railroad Administration (FRA). 
TSA administers and enforces rail security regulations contained in 49 
CFR part 1580.
2. Passenger Railroads
    Passenger rail is divided into two categories: inter-city and 
commuter rail service. Inter-city provides long-distance service, while 
commuter railroads provide service over shorter distances, usually less 
than 100 miles. The sole long-distance inter-city passenger railroad in 
the contiguous United States is Amtrak, which has a pre-pandemic annual 
ridership of approximately 31.7 million.\4\ Amtrak operates a 
nationwide rail network, serving more than 500 destinations in 46 
states, the District of Columbia, and three Canadian provinces on more 
than 21,300 track-miles.\5\ Nearly half of all Amtrak trains operate at 
top speeds of 100 mph or greater. In fiscal year 2021, Amtrak customers 
took nearly 12.2 million trips.\6\
---------------------------------------------------------------------------

    \4\ See https://www.apta.com/wp-content/uploads/APTA_Fact-Book-2019_FINAL.pdf (last visited Sep. 19, 2022).
    \5\ Id.
    \6\ See https://www.amtrak.com/content/dam/projects/dotcom/english/public/documents/corporate/nationalfactsheets/Amtrak-Company-Profile-FY2021-030922.pdf at 1 (last visited Sep. 19, 2022).
---------------------------------------------------------------------------

    Freight railroads provide the tracks for most passenger rail 
operations. For example, seventy-two percent of the track on which 
Amtrak operates is owned by other railroads. These ``host railroads'' 
include large, publicly traded freight rail companies in the U.S. or 
Canada, state and local government agencies, and small businesses. 
Amtrak pays the host railroads for use of their track and other 
resources as needed.\7\
---------------------------------------------------------------------------

    \7\ Id. at 3.
---------------------------------------------------------------------------

    Amtrak and other passenger rail agencies, however, are not wholly 
dependent on freight rail infrastructure and corridors for operational 
feasibility; they sometimes control, operate, and maintain tracks, 
facilities, construction sites, utilities, and computerized networks 
essential to their own operations. For example, the Northeast Corridor 
is an electrified railway line in the Northeast megalopolis of the 
United States owned primarily by Amtrak. It runs from Boston through 
New York City, Philadelphia, and Baltimore, with a terminus in 
Washington, DC.
    Amtrak and other passenger railroads also host freight rail 
operations. In fact, the Northeast Corridor is the busiest railroad in 
North America, with approximately 2,200 Amtrak, commuter, and freight 
trains operating over some portion of the Washington-Boston route each 
day.\8\ As with freight railroads, passenger railroads are subject to 
safety regulations put forth and enforced by the FRA. TSA administers 
and enforces passenger rail security regulations contained in 49 CFR 
part 1582.
---------------------------------------------------------------------------

    \8\ Id. at 4.
---------------------------------------------------------------------------

3. Rail Transit
    Public transportation in America is critically important to our way 
of life, as evidenced by the number of riders on the Nation's public 
transportation systems. According to the American Public Transportation 
Association (APTA), 2019 Public Transportation Fact Book, there were 
over 9.97 million unlinked passenger trips in 2019.\9\ Nationwide, 7.8 
million Americans commute to work on transit, equivalent to 
approximately five percent of workers. In major metropolitan areas, 
like New York City, over 31 percent of commuters rely on public 
transportation for their daily commute.\10\ Rail transit is a critical 
part of this system, representing about 48 percent of trips.\11\ A 
successful cyber-attack would have a profound impact on ridership and a 
negative economic impact nationwide.
---------------------------------------------------------------------------

    \9\ Id. at 10.
    \10\ See APTA, 2021 Public Transportation Fact Book at 12, 
available at https://www.apta.com/wp-content/uploads/APTA-2021-Fact-Book.pdf (last visited Sep. 19, 2022).
    \11\ Rail transit includes heavy rail systems, often referred to 
as ``subways'' or ``metros'' that do not interact with traffic; 
light rail and streetcars, often referred to as ``surface rail,'' 
that may operate on streets, with or without their own dedicated 
lanes; and commuter rail services that are higher-speed, higher-
capacity trains with less-frequent stops. See id. at 8.
---------------------------------------------------------------------------

C. Cybersecurity Threats

    Cyber actors have demonstrated their willingness to engage in cyber 
intrusions and conduct cyber-attacks \12\ against critical 
infrastructure by exploiting the vulnerability of Operational 
Technology (OT) \13\ and Information Technology (IT) \14\ systems. 
Pipeline and rail systems, and associated facilities, are vulnerable to 
cyber-attacks due to legacy ICS that lack updated security controls and 
the dispersed nature of pipeline and rail

[[Page 73530]]

networks spanning urban and outlying areas.
---------------------------------------------------------------------------

    \12\ For purposes of this ANPRM, TSA uses the National Institute 
of Standards and Technology (NIST) definition of a cyber-attack: An 
attack, via cyberspace, targeting an enterprise's use of cyberspace 
for the purpose of disrupting, disabling, destroying, or maliciously 
controlling a computing environment/infrastructure; or destroying 
the integrity of the data or stealing controlled information. See 
https://csrc.nist.gov/glossary/term/cyber_attack (last visited on 
Sept. 19, 2022).
    \13\ For purposes of this ANPRM, TSA defines an ``OT system'' as 
``a general term that encompasses several types of control systems, 
including industrial control systems, supervisory control and data 
acquisition systems, distributed control systems, and other control 
system configurations, such as programmable logic controllers, fire 
control systems, and physical access control systems, often found in 
the industrial sector and critical infrastructure. Such systems 
consist of combinations of programmable electrical, mechanical, 
hydraulic, pneumatic devices or systems that interact with the 
physical environment or manage devices that interact with the 
physical environment.''
    \14\ For purposes of this ANPRM, TSA defines an ``IT System'' as 
``any services, equipment, or interconnected systems or subsystems 
of equipment that are used in the automatic acquisition, storage, 
analysis, evaluation, manipulation, management, movement, control, 
display, switching, interchange, transmission, or reception of data 
or information that fall within the responsibility of owner/operator 
to operate and/or maintain.''
---------------------------------------------------------------------------

    As pipeline and rail owner/operators \15\ begin integrating IT and 
OT systems into their ICS environment to further improve safety, enable 
efficiencies, and/or increase automation, the ICS environment 
increasingly becomes more vulnerable to new and evolving cyber threats. 
A successful cyber-intrusion could affect the safe operation and 
reliability of OT systems, including SCADA systems, process control 
systems, distributed control systems, safety control systems, 
measurement systems, and telemetry systems.
---------------------------------------------------------------------------

    \15\ See definition of ``owner/operator'' in 49 CFR 1500.3.
---------------------------------------------------------------------------

    From a design perspective, some pipeline and rail assets are more 
attractive to cyber-attack simply because of the transported commodity 
and the impact an attack would have on national security and commerce. 
Minor pipeline and rail system disruptions may result in commodity 
price increases, while prolonged pipeline and rail disruptions could 
lead to widespread energy shortages and disruption of critical supply 
lines. Short- and long-term disruptions and delays may affect other 
domestic critical infrastructure and industries that depend on pipeline 
and rail system commodities, such as our national defense system.
    On May 8, 2021, a major pipeline operator announced that it had 
halted its pipeline operations due to a ransomware attack,\16\ 
temporarily disrupting supplies of gasoline and other refined petroleum 
products throughout the East Coast of the United States. This 
ransomware attack highlighted the potentially devastating impact that 
increasingly sophisticated cybersecurity events can have on our 
nation's critical infrastructure, as well as the direct repercussions 
felt by U.S. citizens.
---------------------------------------------------------------------------

    \16\ Ransomware is a malicious type of cyber-attack where 
attackers encrypt an organization's data and demand payment to 
restore access. See NIST Guidance on Ransomware at its Small 
Business Cybersecurity Corner, accessible at https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/ransomware (last visited Sept. 
19, 2022).
---------------------------------------------------------------------------

    This May 2021 event is just one of many recent ransomware attacks 
that have demonstrated the necessity of ensuring that critical 
infrastructure owner/operators are proactively deploying CRM measures. 
The need to take urgent action to mitigate the threats facing domestic 
critical infrastructure, which have important implications for national 
and economic security, including enhancing the pipeline and rail 
industry's current cybersecurity risk management posture, is further 
highlighted by recent warnings about Russian, Chinese, and Iranian 
state-sponsored cyber espionage campaigns to develop capabilities to 
disrupt U.S. critical infrastructure to include the transportation 
sector.\17\
---------------------------------------------------------------------------

    \17\ See, e.g., the following recent Joint Cybersecurity 
Advisories available at https://www.cisa.gov/uscert/ncas/alerts: 
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft 
Exchange and Fortinet Vulnerabilities in Furtherance of Malicious 
Activities, Alert AA21-321A (Nov. 17, 2021); Sophisticated 
Spearphishing Campaign Targets Government Organizations, IGOs, and 
NGOs, Alert AA21-148A (May 28, 2021); Tactics, Techniques, and 
Procedures of Indicted APT40 Actors Associated with China's MSS 
Hainan State Security Department, Alert AA21-200A (July 19, 2021); 
and Understanding and Mitigating Russian State-Sponsored Cyber 
Threats to U.S. Critical Infrastructure, Alert AA22-011A (Jan. 11, 
2022).
---------------------------------------------------------------------------

    On March 24, 2022, the U.S. Department of Justice unsealed 
indictments of three Russian Federal Security Service (FSB) officers 
and employees of a State Research Center of the Russian Federation 
(FGUP) Central Scientific Research Institute of Chemistry and Mechanics 
(also known as ``TsNIIKhM'') for their involvement in intrusion 
campaigns against U.S. and international oil refineries, nuclear 
facilities, and energy companies. Documents revealed that the FSB 
conducted a multi-stage campaign in which they gained remote access to 
U.S. and international Energy Sector networks, deployed ICS-focused 
malware, and collected and exfiltrated enterprise and ICS-related 
data.\18\ A recent multi-national cybersecurity advisory noted that 
``Russian state-sponsored cyber actors have demonstrated capabilities 
to compromise IT networks; develop mechanisms to maintain long-term, 
persistent access to IT networks; exfiltrate sensitive data from IT and 
[OT] networks; and disrupt critical [ICS/OT] functions by deploying 
destructive malware.'' \19\
---------------------------------------------------------------------------

    \18\ See Joint Cybersecurity Advisory, Tactics, Techniques, and 
Procedures of Indicted State-Sponsored Russian Cyber Actors 
Targeting the Energy Sector, Alert AA22-083A (Mar. 25, 2022), 
available at: https://www.cisa.gov/uscert/ncas/alerts/aa22-083a 
(last visited Sep. 19, 2022).
    \19\ See Joint Cybersecurity Advisory, Russian State Sponsored 
and Criminal Cyber Threat to Critical Infrastructure, Alert AA22-
110A (Apr. 20, 2022), available at: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a (last visited Sep. 19, 2022).
---------------------------------------------------------------------------

    The Nation's adversaries and strategic competitors will continue to 
use cyber espionage and cyber-attacks to seek political, economic, and 
military advantage over the United States and its allies and partners. 
These recent incidents demonstrate the potentially devastating impact 
that increasingly sophisticated cybersecurity events can have on our 
nation's critical infrastructure, as well as the direct repercussions 
felt by U.S. citizens. The consequences and threats discussed above 
demonstrate the necessity of ensuring that critical infrastructure 
owner/operators are proactively deploying CRM measures.

D. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems

    Some sectors have taken significant steps to protect either their 
IT or OT systems, depending on which is considered most critical for 
their business needs (e.g., a commodities sector may focus on OT 
systems while a financial sector or other business that focuses on data 
may focus on IT systems). Ransomware attacks targeting critical 
infrastructure threaten both IT and OT systems and exploit the 
connections between these systems. For example, when OT components are 
connected to IT networks, this connection provides a path for cyber 
actors to pivot from IT to OT systems.\20\ Given the importance of 
critical infrastructure to national and economic security and America's 
way of life, accessible OT systems and their connected assets and 
control structures are an attractive target for malicious cyber actors 
seeking to disrupt critical infrastructure for profit or to further 
other objectives. As the Cybersecurity and Infrastructure Security 
Agency (CISA) recently noted, recent cybersecurity incidents 
demonstrate that intrusions affecting IT systems can also affect 
critical operational processes even if the intrusion does not directly 
impact an OT system.\21\ For example, business operations on the IT 
system sometimes are used to orchestrate OT system operations. As a 
result, when there is a compromise of the IT system, there is a risk of 
unaffected OT systems being impacted by the loss of operational 
directives and accounting functions.
---------------------------------------------------------------------------

    \20\ See CISA Fact Sheet, Rising Ransomware Threat to 
Operational Technology Assets (June 2021), available at https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf (last visited Sep. 
19, 2022).
    \21\ Id.
---------------------------------------------------------------------------

    DHS, the Department of Energy (DOE), the Federal Bureau of 
Investigation, and the National Security Agency have all urged the 
private sector to implement a layered, ``defense-in-depth'' 
cybersecurity posture. For example, ensuring that OT and IT systems are 
separate and segregated will help protect against intrusions that can 
exploit vulnerabilities from one system

[[Page 73531]]

to infect another. A stand-alone, unconnected (``air-gapped'') OT 
system is safer from outside threats than an OT system connected to one 
or more enterprise IT systems with external connectivity (no matter how 
secure the outside connections are thought to be).\22\ By implementing 
a layered approach, owner/operators and their network administrators 
will enhance the defensive cybersecurity posture of their OT and IT 
systems, reducing the risk of compromise or severe operational 
degradation if their system is compromised by malicious cyber 
actors.\23\
---------------------------------------------------------------------------

    \22\ See National Security Agency Cybersecurity Advisory, Stop 
Malicious Cyber Activity Against Connected Operational Technology 
(PP-21-0601 [verbar] APR 2021 Ver 1.0), available at: https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF (last visited Sep. 19 2022).
    \23\ See Joint Cybersecurity Advisory, Alert AA21-200A, supra n. 
17.
---------------------------------------------------------------------------

E. TSA Surface-Related Security Directives and Information Circulars

    TSA issued security directives in 2021 and 2022 \24\ in response to 
the cybersecurity threat to surface transportation systems and 
associated infrastructure to protect against the significant harm to 
the national and economic security of the United States that could 
result from the ``degradation, destruction, or malfunction of systems 
that control this infrastructure.'' \25\ The first pipeline security 
directive (SD) (the SD Pipeline-2021-01 series) requires several 
actions to enhance the security of critical pipeline systems \26\ 
against cyber-attacks and provided that owners/operators must: (1) 
designate a primary and alternate Cybersecurity Coordinator; (2) report 
cybersecurity incidents to CISA within 24 hours of identification of a 
cybersecurity incident; \27\ and (3) review TSA's pipeline 
guidelines,\28\ assess their current cybersecurity posture, and 
identify remediation measures to address the vulnerabilities and 
cybersecurity gaps.\29\ For purposes of this requirement, a 
``cybersecurity incident'' is defined as ``an event that, without 
lawful authority, jeopardizes, disrupts or otherwise impacts, or is 
reasonably likely to jeopardize, disrupt or otherwise impact, the 
integrity, confidentiality, or availability of computers, information 
or communications systems or networks, physical or virtual 
infrastructure controlled by computers or information systems, or 
information residents on the system.'' The reports must (1) identify 
the affected systems or facilities; and (2) describe the threat, 
incident, and impact or potential impact on IT and OT systems and 
operations.
---------------------------------------------------------------------------

    \24\ See https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit for links to the security 
directives. TSA issued these security directives under the specific 
authority of 49 U.S.C. 114(l)(2)(A). This provision states: 
``Notwithstanding any other provision of law or executive order 
(including an executive order requiring a cost-benefit analysis), if 
the Administrator [of TSA] determines that a regulation or security 
directive must be issued immediately in order to protect 
transportation security, the Administrator shall issue the 
regulation or security directive without providing notice or an 
opportunity for comment and without prior approval of the 
Secretary.'' In addition, section 114(d) provides the Administrator 
authority for security of all modes of transportation; section 
114(f) provides specific additional duties and powers to the 
Administrator; and section 114(m) provides authority for the 
Administrator to take actions that support other agencies.
    \25\ See National Security Memorandum on Improving Cybersecurity 
for Critical Infrastructure Control Systems (July 28, 2021).
    \26\ ``Critical pipeline systems'' are determined by TSA based 
on risk.
    \27\ As originally issued, the directive required notification 
within 12 hours of identification. In May 2022, TSA revised this 
requirement to require notifications within 24 hours of 
identification.
    \28\ See section I.F. for more information on TSA's guidelines 
for the pipeline owner/operators.
    \29\ TSA may also use the results of assessments to identify the 
need to impose additional security measures as appropriate or 
necessary. TSA and CISA may use the information submitted for 
vulnerability identification, trend analysis, or to generate 
anonymized indicators of compromise or other cybersecurity products 
to prevent other cybersecurity incidents.
---------------------------------------------------------------------------

    The second pipeline security directive (the SD Pipeline 2021-02 
series), issued on July 26, 2021, required owner/operators to implement 
specific mitigation measures to protect against ransomware attacks and 
other known threats to IT and OT systems and conduct a cybersecurity 
architecture design review. This security directive also required 
owner/operators to develop and adopt a cybersecurity incident response 
plan to reduce the risk of operational disruption should their IT and/
or OT systems be affected by a cybersecurity incident.\30\
---------------------------------------------------------------------------

    \30\ See https://www.tsa.gov/sites/default/files/sd_pipeline-2021-01b_05-29-2022.pdf (last visited Oct. 19, 2022) for a version 
of the SD with the prescriptive requirements initially imposed.
---------------------------------------------------------------------------

    In December 2021, TSA issued security directives to higher-risk 
freight railroads (the SD 1580-21-01 series) \31\ and passenger rail 
and rail transit owner/operators (the SD 1582-21-01 series),\32\ 
requiring that they also implement the following requirements 
previously imposed on pipeline systems and facilities: (1) designation 
of a cybersecurity coordinator; (2) reporting of cybersecurity 
incidents to CISA within 24 hours; (3) developing and implementing a 
cybersecurity incident response plan to reduce the risk of an 
operational disruption; and (4) completing a cybersecurity 
vulnerability assessment to identify potential gaps or vulnerabilities 
in their systems. For owner/operators not specifically covered under 
the SD 1580-21-01 or 1582-2021-02 series, TSA also issued an 
``information circular'' (IC-2021-01), which included a non-binding 
recommendation for those surface owner/operators not subject to the 
security directives to voluntarily implement the same measures.\33\
---------------------------------------------------------------------------

    \31\ See https://www.tsa.gov/sites/default/files/sd-1580-21-01a.pdf (last visited Oct. 19, 2022) for the most current version of 
this SD series.
    \32\ See https://www.tsa.gov/sites/default/files/sd-1582-21-01a.pdf (last visited Oct. 19, 2022) for the most current version of 
this SD series.
    \33\ See https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last visited Oct. 19, 2022).
---------------------------------------------------------------------------

    In the year following issuance of the second pipeline SD, TSA 
determined that its prescriptive requirements limited the ability of 
owner/operators to adapt the requirements to their operational 
environment and apply innovative alternative measures and new 
capabilities. Because of this, TSA revised this security directive 
series, effective July 27, 2022 (SD Pipeline 2021-02C), to maintain the 
security objectives in the previous versions of the security directive 
but also provide more flexibility by imposing performance-based, rather 
than prescriptive, security measures. The revised directive allows 
covered owner/operators to choose how best to implement security 
measures for their specific systems and operations while mandating that 
they achieve critical security outcomes. This approach also affords 
these owner/operators with the ability to adopt new technologies and 
security capabilities as they become available, provided that TSA's 
mandated security outcomes are met.
    The revised directive specifically requires the covered owner/
operators of critical pipeline systems and facilities to take the 
following actions:
     Establish and implement a TSA-approved Cybersecurity 
Implementation Plan that describes the specific cybersecurity measures 
employed and the schedule for achieving the security outcomes 
identified by TSA.
     Develop and maintain an up-to-date Cybersecurity Incident 
Response Plan to reduce the risk of operational disruption, or the risk 
of other significant impacts on necessary capacity, as defined in the 
security directive, should the IT and/or OT systems of a gas or liquid 
pipeline and rail be affected by a cybersecurity incident.

[[Page 73532]]

     Establish a Cybersecurity Assessment Program and submit an 
annual plan that describes how the owner/operator will proactively and 
regularly assess the effectiveness of cybersecurity measures and 
identify and resolve device, network, and/or system vulnerabilities.
    The Cybersecurity Implementation Plans must identify how the owner/
operators will meet the following primary security outcomes:
     Implement network segmentation policies and controls to 
ensure that the OT system can continue to safely operate in the event 
that an IT system has been compromised, or vice versa;
     Implement access control measures to secure and prevent 
unauthorized access to critical cyber systems;
     Implement continuous monitoring and detection policies and 
procedures to detect cybersecurity threats and correct anomalies that 
affect critical cyber system operations; and
     Reduce the risk of exploitation of unpatched systems 
through the application of security patches and updates for operating 
systems, applications, drivers, and firmware on critical cyber systems 
in a timely manner using a risk-based methodology.
    As noted above, in addition to developing and implementing a TSA-
approved Cybersecurity Implementation Plan, this directive requires the 
covered owner/operators to continually assess their cybersecurity 
posture. These owner/operators must develop and update a Cybersecurity 
Assessment Program and submit an annual plan to TSA that describes 
their program for the coming year, including details on the processes 
and techniques that they would be using to assess the effectiveness of 
cybersecurity measures. Techniques such as penetration testing of IT 
systems and the use of ``red'' and ``purple'' team (adversarial 
perspective) testing are referenced in the SD. At a minimum, the plan 
must include an architectural design review every two years.
    The scope of the requirements in this directive apply to Critical 
Cyber Systems. TSA defined a Critical Cyber System to include ``any IT 
or OT system or data that, if compromised or exploited, could result in 
operational disruption. Critical Cyber Systems include business 
services that, if compromised or exploited, could result in operational 
disruption.'' \34\
---------------------------------------------------------------------------

    \34\ For purposes of this directive, ``operational disruption'' 
means a deviation from or interruption of necessary capacity that 
results from a compromise or loss of data, system availability, 
system reliability, or control of a TSA-designated critical pipeline 
and rail system or facility.'' Necessary capacity is determined by 
the owner/operator based on a ``determination of capacity to support 
its business-critical functions required for pipeline and rail 
operations and market expectations.''
---------------------------------------------------------------------------

    On October 18, 2022, TSA issued a security directive imposing 
similar performance-based cybersecurity requirements on higher-risk 
freight railroads, passenger rail, and rail transit owner/operators (SD 
1580/82-2022-01).\35\ This security directive was also developed with 
extensive input from industry stakeholders and federal partners, 
including CISA and the FRA, to address issues unique to the rail 
industry.
---------------------------------------------------------------------------

    \35\ See https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf (last visited Oct. 19, 2022).
---------------------------------------------------------------------------

F. TSA's Assessments, Guidelines, and Regulations Applicable to 
Pipeline and Rail Systems

    Before issuance of the requirements discussed above, TSA primarily 
assessed the security posture of pipeline owner/operators by 
encouraging their voluntary implementation of security recommendations 
in TSA's Pipeline Security Guidelines. These guidelines were first 
developed in 2010 and 2011 in collaboration with industry and 
government members of the Pipeline Sector and Government Coordinating 
Councils and industry association representatives and included a range 
of recommended security measures covering all aspects of pipeline 
operations. The guidelines are used as the standard for TSA's Pipeline 
Security Program Corporate Security Reviews (CSRs) and Critical 
Facility Security Reviews (CFSRs) of the most critical pipeline 
systems. The CSR program has been in effect since 2003, during which 
time a total of approximately 260 CSRs have been completed industry-
wide. Approximately 800 CFSRs have been completed since this program's 
inception in 2009.
    In 2018, TSA published updated Pipeline Security Guidelines.\36\ As 
part of this update, TSA added Section 7, ``Pipeline Cyber Asset 
Security Measures'', including pipeline cyber asset identification; 
security measures for pipeline cyber assets; and cybersecurity planning 
and implementation guidance.
---------------------------------------------------------------------------

    \36\ See Pipeline Security Guidelines (March 2018), with Change 
1 (April 2021), available at: https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf (last visited Sep. 19, 2022).
---------------------------------------------------------------------------

    While the 2018 guidelines are neither mandatory nor enforceable, 
the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/
11 Act) required the Secretary of Homeland Security (Secretary) to 
issue and update security recommendations for pipeline security; assess 
voluntary compliance; and, determine, after consultation with the 
Secretary of Transportation, whether regulations are appropriate based 
on the ``extent of risk and appropriate mitigation measures.'' \37\ TSA 
also has general authorities, including its authority to issue 
regulations and security directives in order to protect transportation 
security.\38\
---------------------------------------------------------------------------

    \37\ See section 1557 of Public Law 110-53 (121 Stat. 266; Aug. 
3, 2007), as codified at 6 U.S.C. 1207.
    \38\ See 49 U.S.C. 114(l).
---------------------------------------------------------------------------

    Consistent with theses authorities, TSA has issued cybersecurity 
SDs applicable to critical pipeline owner/operators, but has not issued 
regulations under the 9/11 Act's pipeline security provision or under 
TSA's general authorities, and has not imposed cybersecurity 
requirements on the full scope of pipeline owner/operators to which the 
guidelines apply. Although this rulemaking effort is focused 
specifically on cybersecurity measures, TSA intends to continue to 
conduct voluntary security assessments in areas where mandatory 
requirements do not exist (e.g., the physical security measures 
recommended in the guidelines) as part of a ``structured oversight'' 
approach. As part of this approach, TSA assesses industry's voluntary 
adoption and adherence to non-regulatory guidelines, including Security 
Action Items and other security measures developed jointly with, and 
agreed to by, industry stakeholders to meet relevant security needs.
    In 2008, TSA promulgated regulations imposing security requirements 
on owner/operators of rail transit systems, including passenger rail 
and commuter rail, heavy rail transit, light rail transit, automated 
guideway, cable car, inclined plane, funicular, and monorail systems. 
The rule, in pertinent part, covers appointment of security 
coordinators and security-related reporting requirements. For freight 
railroads, the 2008 rule also imposed requirements for the secure 
transport of Rail Security-Sensitive Materials.\39\
---------------------------------------------------------------------------

    \39\ See Rail Transportation Security Final Rule (Rail Security 
Rule), 73 FR 72130 (Nov. 26, 2008).
---------------------------------------------------------------------------

    In addition to measures to enhance pipeline security, the 9/11 Act 
required TSA to issue regulations to enhance surface transportation 
security through security training of frontline employees. The 9/11 Act 
mandate includes prescriptive requirements for who must be trained, 
what the training must encompass, and how to submit and obtain approval 
for a training

[[Page 73533]]

program.\40\ The 9/11 Act also mandates regulations requiring higher-
risk railroads and over-the-road buses (OTRBs) to appoint security 
coordinators.\41\
---------------------------------------------------------------------------

    \40\ See secs. 1408, 1517, and 1534 of the 9/11 Act, as codified 
at 6 U.S.C. 1137, 1167, and 1184, respectively.
    \41\ See secs. 1512 and 1531 of the 9/11 Act, codified at 6 
U.S.C. 1162 and 1181, respectively.
---------------------------------------------------------------------------

    On March 23, 2020, TSA published the final rule, ``Security 
Training for Surface Transportation Employees.'' \42\ This regulation 
requires owner/operators of higher-risk freight railroad carriers (as 
defined in 49 CFR 1580.101), public transportation agencies (including 
rail mass transit and bus systems and passenger railroad carriers (as 
defined in 49 CFR 1582.101), and OTRB companies (as defined in 49 CFR 
1584.101)), to provide TSA-approved security training to employees 
performing security-sensitive functions. In addition to implementing 
these provisions, the final rule also defined Transportation Security-
Sensitive Materials.\43\
---------------------------------------------------------------------------

    \42\ 85 FR 16456.
    \43\ See sec. 1501(13) of the 9/11 Act, as codified at 6 U.S.C. 
1151(13).
---------------------------------------------------------------------------

    The 9/11 Act also required TSA to issue regulations requiring 
certain public transportation agencies and rail carriers to conduct 
security assessments, vulnerability assessments, and security 
plans.\44\ Such assessments and plans must entail, for instance, 
identification and evaluation of critical information systems \45\ and 
redundant and backup systems needed to ensure continued operations in 
the event of an attack or other incident and identification of the 
vulnerabilities to these systems.\46\ The vulnerability assessment 
applicable to high-risk rail carriers must also identify strengths and 
weaknesses in (1) programmable electronic devices, computers, or others 
automated systems used in providing transportation; (2) alarms, 
cameras, and other protection systems; (3) communications systems and 
utilities needed for railroad security purposes, including dispatching 
and notification systems; and (4) other matters determined appropriate 
by the Secretary.\47\ For security plans, the statute requires 
regulations that address, among other things, the protection of 
passenger communication systems, emergency response, ensuring redundant 
and backup systems are in place to ensure continued operation of 
critical elements of the system in the event of a terrorist attack or 
other incident, and other actions or procedures as the Secretary 
determines are appropriate to address the security of the public 
transportation system or the security of railroad carriers, as 
appropriate.\48\
---------------------------------------------------------------------------

    \44\ See secs. 1405 and 1512, as codified at 6 U.S.C. 1134 and 
1162, respectively. See also section 1521, as codified at 6 U.S.C. 
1181 (which imposes similar requirements for OTRBs).
    \45\ See secs. 1405(a)(3) and 1512(d)(1)(A), as codified at 6 
U.S.C. 1134(a)(3), 1162(d)(1)(A), respectively.
    \46\ See secs. 1405(c)(2), 1512(d)(1)(D), and 1512(e)(1)(G), as 
codified at 6 U.S.C. 1134(c)(2), 1162(d)(1)(D), 1162(e)(1)(G), 
respectively.
    \47\ See sec. 1512(d), as codified at 6 U.S.C. 1162(d).
    \48\ See secs. 1405(c)(2) and 1512(e), as codified at 6 U.S.C. 
1134(c)(2), 1162(e), respectively.
---------------------------------------------------------------------------

    In short, the 9/11 Act provisions described above contain a 
combination of detailed requirements and grants of authority to the 
Secretary (and ultimately TSA) regarding the content of security 
training programs, vulnerability assessments, and security plans. Each 
of these provisions confirms and supplements TSA's authority to impose 
such requirements as are appropriate or necessary to ensure the 
security of the applicable systems.

G. Cyber Risk Management

    CRM involves all activities designed to identify and mitigate risk-
exposures to cyber technology, both informational and operational, to 
ensure safe, sustained operations of vital systems and associated 
infrastructure. DHS defines risk as the ``potential for an adverse 
outcome assessed as a function of threats, vulnerabilities, and 
consequences associated with an incident, event, or occurrence.'' \49\ 
TSA's consideration of cybersecurity risks includes consideration of 
threat information similar to the information discussed above, emerging 
intelligence, the need to mitigate the consequences of a cyber-attack, 
and the inherent vulnerabilities of transportation systems and 
operations to cybersecurity incidents.
---------------------------------------------------------------------------

    \49\ DHS Risk Lexicon, 2010 Edition, at 27, available at: 
https://www.cisa.gov/sites/default/files/publications/dhs-risk-lexicon-2010_0.pdf (last visited Sep. 19, 2022).
---------------------------------------------------------------------------

    The cybersecurity risks to the transportation sector encompass both 
the vulnerabilities related to secure and safe operation of vital 
systems and the consequences of a direct attack or ancillary failure or 
shutdown of a system due to an inability to isolate and control the 
impact of a cyber-attack. Existing CRM standards--which are identified 
in the next section of this ANPRM--address identification, assessment, 
and mitigation of risk from a variety of sources. Strong CRM generally 
enhances both security and safety and facilitates operations, protects 
the sector's entities, and ensures the resiliency of these critical 
sectors.

H. Existing Standards and Requirements

    Table 1 identifies industry and government standards and guidelines 
that could be used to develop a CRM program. This list is not 
exhaustive; incorporating CRM using other existing guidelines or 
standards may also be appropriate.

              Table 1--Cybersecurity Standards and Sources
------------------------------------------------------------------------
                Standard                            Source \1\
------------------------------------------------------------------------
Standards developed by government and government-affiliated agencies:
------------------------------------------------------------------------
    North American Electric Reliability  https://www.nerc.com/pa/Stand/
     Corporation's (NERC) Critical        Pages/USRelStand.aspx.
     Infrastructure Protection (CIP)
     cybersecurity reliability
     standards, approved by the Federal
     Energy Regulatory Commission
     (FERC).
    CISA's Chemical Facility Anti-       https://www.cisa.gov/chemical-
     Terrorism Standards (CFATS) \2\.     facility-anti-terrorism-
                                          standards.
    CISA's Cross-Sector Cybersecurity    https://www.cisa.gov/cpgs.
     Performance Goals (Common Bassline
     Controls and sector-specific
     controls and goals).
    DOE's Cybersecurity Capabilities     https://www.energy.gov/ceser/
     Maturity Model (C2M2).               cybersecurity-capability-
                                          maturity-model-c2m2.
    NIST Framework for Improving         https://www.nist.gov/
     Critical Infrastructure              cyberframework/framework.
     Cybersecurity.
    NIST Special Publication 800-171,    https://csrc.nist.gov/
     Protecting Controlled Unclassified   publications/detail/sp/800-171/
     Information in Nonfederal Systems    rev-2/final.
     and Organizations.

[[Page 73534]]

 
    Federal Risk and Authorization       https://www.fedramp.gov/.
     Management Program (FedRAMP), for
     Cloud Service Offerings.
    International Organization for       https://www.iso.org/standard/
     Standardization/International        73906.html.
     Electrotechnical Commission 27000
     family of standards.
------------------------------------------------------------------------
Standards developed by associations, and private sector organizations:
------------------------------------------------------------------------
    American Petroleum Institute.......  https://www.api.org/news-policy-and-issues/cybersecurity.
    MITRE Adversarial Tactics,           https://attack.mitre.org/.
     Techniques, and Common Knowledge
     (ATT&CK[supreg]).
------------------------------------------------------------------------
Standards developed for other sectors of the economy, both domestically
 and internationally, that could be models for requirements in the
 pipeline and rail sectors:
------------------------------------------------------------------------
    New York State Department of         https://www.governor.ny.gov/
     Financial Service cybersecurity      sites/default/files/atoms/
     compliance requirements (23 NYCRR    files/
     500).                                Cybersecurity_Requirements_Fin
                                          ancial_Services_23NYCRR500.pdf
                                          .
    Bank of England's ``impact           Bank of England et al.,
     tolerance'' for regulated firms      Operational Resilience: Impact
     and CBEST models.                    Tolerances for Important
                                          Business Services (March
                                          2022), available at: https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf.
                                         Information on CBEST is
                                          available at: https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/cbest-threat-intelligence-led-assessments-implementation-guide.
------------------------------------------------------------------------
\1\ All citations listed in this table last accessed on Sept. 19, 2022.
\2\ The CFATS Risk-Based Performance Standard (RBPS) 8 addresses
  cybersecurity.

II. Discussion of the Advance Notice of Proposed Rulemaking

    In light of the critical role that pipelines and rail sectors play 
in our Nation's economic and national security, as well as the ongoing 
and growing cyber threats to such sectors, TSA has determined that it 
is appropriate to issue a regulation for CRM in these sectors. This 
ANPRM is the first step in this process.

A. Policy Priorities

    TSA is issuing this ANPRM to solicit input to ensure this 
rulemaking effort adequately addresses the following policy priorities:
     Assessing and improving the current baseline of 
operational resilience and incident response. Prevention alone is not 
sufficient. An effective CRM program and regulatory regime must be 
based on the assumption that cyber-attacks will disrupt individual 
systems and processes that support important business services. 
Improving the capacity and ability to respond and recover swiftly when 
a cybersecurity incident occurs is key to mitigating disruption and 
ensuring resilient operations in today's cyber threat environment.
     Maximizing the ability for owner/operators to be self-
adaptive to meet evolving threats and technologies. Traditionally, 
regulations prescribe generally static requirements, i.e., particular 
control or performance requirements that endure until the regulator 
issues a modification. To ensure that cybersecurity requirements 
sustain their effectiveness, regulations should provide for a 
continuous assessment of the current threat environment and ensure 
timely adaptation of dynamic security controls based on identified 
tactics, techniques, and procedures of malicious cyber actors and 
adversaries, while at the same time allowing for implementation of 
emerging technologies and capabilities that provide security controls 
that may be more relevant and effective for their intended purpose.
     Identifying opportunities for third-party experts to 
support compliance. The use of third-party evaluators and certifiers of 
cybersecurity programs and cloud service providers can drive 
sustainable compliance at a scale that exceeds TSA's compliance 
resources.
     Accounting for the differentiated cybersecurity maturity 
across the surface sector and regulated owner/operators. Surface sub-
sectors and owner/operators have varying degrees of capability and 
capacity to adopt cybersecurity standards. A regulatory regime that 
drives improvement to baseline thresholds and fosters resilience of the 
sector, even as adversaries adapt to target the weakest link, should, 
to the extent possible, leverage a maturity-based model to ensure 
required controls are commensurate with cyber risk.
     Incentivizing cybersecurity adoption and compliance. An 
effective regulatory regime is one that incentivizes and facilitates 
adoption and ensures that different components of the regime are 
reinforcing one another. While subsidies and grants may be the first 
incentives that come to mind, they also require a funding source that 
is beyond TSA's control.
     Measurable outcomes. To the greatest extent possible, 
quantifiable measures to assess performance should be built into a 
cybersecurity regulatory regime. Regulations should recognize the need 
for identifying expected performance outcomes up front, and then 
adjusting these measures over time through an iterative process that 
reflects the current operations, including organizational issues, IT 
and OT systems, and known cybersecurity risks.
     Regulatory Harmonization. TSA recognizes the importance of 
ensuring that cybersecurity requirements are risk-informed, outcome/
performance-based rules and, to the extent practicable, are consistent 
and harmonized with other applicable cybersecurity regulatory 
requirements.

B. Core Elements of Cybersecurity Risk Management

    Following a review of the standards and guidelines identified 
above, and others, TSA identified common core elements of effective 
CRM. In discussions with subject matter experts, TSA also identified 
areas where additional requirements not captured in many current 
regimes are needed.

[[Page 73535]]

Together, TSA believes that the following core elements would provide a 
bedrock of CRM for the pipeline and rail sectors.
     Designation of a responsible individual for cybersecurity;
     Access controls;
     Vulnerability assessments;
     Specific measures to gauge the implementation, 
effectiveness, efficiency, and impact of cybersecurity controls;
     Drills and exercises;
     Technical security controls (e.g., multi-factor 
authentication, encryption, network segmentation, anti-virus/anti-
malware scanning, patching, and transition to ``zero trust'' 
architecture);
     Physical security controls;
     Incident response plan and operational resilience;
     Incident reporting and information sharing;
     Personnel training and awareness;
     Supply chain/third-party risk management; and
     Recordkeeping and documentation.

C. Request for Input To Inform Rulemaking

    TSA requests constructive input on current cybersecurity practices 
that reflect an understanding of both cybersecurity and the operational 
issues of applying CRM to pipeline and rail operations. As noted above, 
TSA is specifically interested in comments from the applicable owner/
operators, their representative associations, labor unions, state, 
tribal, and local governments, and the general public who rely on these 
systems.
    In addition to input on CRM and general operational issues, TSA is 
interested in understanding cost implications. Such input on costs is 
critical for understanding the potential impacts of a regulation, and 
specifically to inform proper accounting of associated costs and 
benefits.
    For those pipeline and rail owner/operators subject to the 
requirements in recently issued security directives imposing 
cybersecurity requirements, we are not expecting re-submission of 
information that has already been provided to TSA pursuant to the 
security directives, such as information contained in the results of 
cybersecurity vulnerability assessments.
    TSA believes that cybersecurity regulations should consider current 
voluntarily-implemented cybersecurity measures and related operational 
issues that affect implementation of these measures. Having a clear and 
comprehensive understanding of the current baseline will support TSA's 
efforts to provide more flexibility in meeting the desired security 
outcomes. To that end, TSA is seeking specific information, including 
information about the costs and additional staffing requirements 
associated with past cybersecurity-related efforts, to assist in 
developing effective regulatory policies, resources for implementation, 
and valid cost estimates.
    As discussed below, TSA is aware of the diversity of surface 
transportation operations, including national-level companies, 
publicly-owned systems, and small businesses, and of the need to ensure 
that requirements do not have unintended consequences on operations. To 
ensure that regulatory requirements reflect this concern, TSA asks 
commenters to include information regarding the nature and size of 
their business, as well as any information that could help TSA avoid 
regulations that have the potential to result in preventable 
operational impacts. This information will help TSA better understand 
and analyze the information provided. Failure to include this specific 
information will not preclude the agency's consideration of the 
information submitted.

III. Specific Requests for Comments

A. Overview

    Responses to the following questions will help TSA develop a more 
complete and carefully considered rulemaking or appropriate next step. 
The questions are not all-inclusive, and any supplemental information 
is welcome. In responding to each question, please explain the reasons 
for your answer. We encourage you to let us know your specific concerns 
with respect to any of the topics under consideration.
    As noted above, input received from this ANPRM will allow TSA to 
better understand how the pipeline and rail sectors are implementing 
CRM in policies, planning, and operations, and assess the need to 
update existing or develop new regulations to address CRM. TSA may 
share this information with other U.S. Government agencies to help 
develop future policies, guidance, and regulations on cybersecurity in 
the pipeline and rail sectors.
    TSA recognizes that the phrase ``cyber risk management'' may 
involve a wide range of applications related to cyber safety and 
security. We request relevant information on all issues and challenges 
related to CRM development and implementation for pipeline and rail 
owner/operators in the areas of the standards, regulatory barriers, 
economic burdens, training and education, and management and oversight.
    If you note in your submission that the information you are 
providing is business confidential, proprietary, or SSI, we will not 
share it with the public to the extent allowed by law. TSA may consider 
this information, however, to inform policy decisions or cost estimates 
in developing a proposed rule regarding CRM.
    When considering your comments and suggestions, we ask that you 
keep in mind TSA's mission to protect the nation's transportation 
systems to ensure freedom of movement for people and commerce and 
protect our national and economic security. Commenters should feel free 
to answer as many questions as desired, but please consider the 
principles below in responding. Whenever appropriate, commenters should 
provide the following as part of their responses:
     If the comment refers to a specific program, regulation, 
guidance, standard, or policy at issue, please provide a specific 
citations and a link to the relevant document, as applicable;
     If the comment raises specific concerns about application 
of an existing program, regulation, or policy, please provide specific 
suggestions that identify alternative way(s) for the agency to achieve 
its regulatory objectives; and
     Provide specific data that documents the costs, burdens, 
and benefits described in the comment submission.

B. Identifying Current Baseline of Operational Resilience and Incident 
Response

    B.1. What cybersecurity measures does your organization currently 
maintain and what measures has your organization taken in the last 12 
months to adapt your cybersecurity program to address the latest 
technologies and evolving cybersecurity threats? What are your plans to 
update your cybersecurity program in the next 12 months? How much does 
your organization spend on cybersecurity annually?
    B.2. What assessments does your organization conduct to monitor and 
enhance cybersecurity (such as cybersecurity risk, vulnerability, and/
or architecture design assessments, or any other type of assessment to 
information systems)? How often are they conducted? Who in your 
organization conducts and oversees them? What are the assessment 
components, and how are the results documented?
    B.3. Do the assessments you discussed in your response to B.2. use 
specific cybersecurity metrics to measure security effectiveness? If 
so, please

[[Page 73536]]

provide information on the metrics that you use.
    B.4. Are the actions you discussed in response to question B.1. 
based on any of the standards identified in section I.H. of this ANPRM? 
If so, please specify which standard. If your response is based on 
standards not identified in section I.H. of this ANPRM, please identify 
the standard and provide a link or other information to assist TSA in 
gaining a better understanding of the scope and benefits of the 
standard.
    B.5. For any standards identified in response to question B.3.:
    a. Are there fees associated with accessing copies of these 
standards?
    b. Have you found these standards to be effective against cyber 
related threats? If your answer is no, please explain why.
    c. Please provide any information on costs and benefits, if any, 
associated with implementing the standards.
    d. Is adoption of these standards, or other cybersecurity measures, 
required or incentivized by insurance companies, existing commercial 
contracts, or contracts with the Federal Government? Please also 
provide any information on other incentives to encourage adoption of 
these or other standards.
    B.6. ``Operational technology'' is a general term that encompasses 
several types of control systems, including ICS, SCADA, distributed 
control systems, and other control system configurations, such as 
programmable logic controllers, fire control systems, and physical 
access control systems, often found in the industrial sector and 
critical infrastructure. Such systems consist of combinations of 
programmable electrical, mechanical, hydraulic, pneumatic devices or 
systems that interact with the physical environment or manage devices 
that interact with the physical environment. If your OT systems are 
connected to an outside network (satellite, hardline internet, port 
wide computer network, etc.), what safeguards are you using to protect 
them from cyber threats? What are the costs to implement and maintain 
these safeguards? In addition, please provide details on cyber related 
standards or guidelines being used to guide actions assessing and 
mitigating threats to installed OT systems connected to vital 
operational equipment.

C. Identifying How CRM Is Implemented

    The following questions apply to pipeline and rail owner/operators 
that have implemented CRM.
    C.1. Please describe how your organization has implemented or plans 
to implement CRM. What frameworks, standards, or guidelines have 
informed your implementation of CRM for your pipeline and rail 
operations? Would you recommend any other standards or guidelines not 
mentioned in this ANPRM for application to pipeline or rail CRM 
programs? If possible, please provide any data available on the overall 
average cost to initially implement an owner/operator CRM and its 
annual costs to maintain (even if not a single action).
    C.2. Does your CRM include aspects of system protection, system 
penetration testing, security monitoring, incident response, incident 
forensic analysis, and a plan for restoration of operations? If not, 
which features does your CRM address? What are the challenges for 
incorporating any missing facets? Are some parts of CRM developed in-
house while a third-party develops other pieces? If so, why and what 
advantages do either of these approaches offer?
    C.3. Does your CRM include any other core elements identified in 
Section II.B. or other measures not previously discussed? Are some 
aspects developed in-house while a third-party develops other facets? 
If so, why and what advantages do either of these approaches offer?
    C.4. As part of implementing CRM, has your company developed or 
does it anticipate developing and maintaining CRM using in-house or 
newly acquired staff, or do you currently contract out developing and 
maintaining ongoing CRM to a third-party contractor or plan to do so? 
If your company uses a third-party or contractor to perform this 
function, please explain why. In addition, if you use a third-party 
contractor, do you have a vendor management program or framework in 
place? Do you have a vendor integrity audit program to ensure vendors 
are legitimate and have additional security measures, such as an 
insider threat program? Does your vendor also provide penetration 
testing? If CRM is or will be developed and managed in-house, what is 
the expected annual cost in terms of wage and hours of development and 
management? If CRM is or will be contracted out, what are the retainer 
and associated fees for the third-party? Do annual fees increase by the 
number of incidents they respond to and, if so, by how much?
    C.5. What cybersecurity personnel training and security awareness 
and skills education should pipeline and rail owner/operators be 
required to provide, and to which employees (i.e., should it apply to 
all employees or just those with specific responsibilities, such as 
cybersecurity personnel, those with access to certain systems, etc.)? 
Please provide relevant information regarding what CRM training courses 
are available and the duration of each course, as well as how much it 
costs you to develop and conduct or otherwise provide CRM training and 
update current courses and training requirements. This information 
should include costs for owner/operators to create or procure course 
content for the types of employees identified.
    C.6. How does your company address, respond to, or modify business 
practices due to the cost impacts of a cybersecurity incident? Does 
your company maintain estimates of the cost impacts (with respect to 
your organization and external parties) of various types of 
cybersecurity incidents, including but not limited to ransomware, data 
breaches, and attacks on operational technology? If so, what is the 
range of these costs based on the type or severity of the incident? 
Does your company insure against these kinds of costs, and, if so, what 
is the annual cost of insurance, and what kind of coverage is offered? 
If your company does not have insurance coverage, please explain why.

D. Maximizing the Ability for Owner/Operators To Meet Evolving Threats 
and Technologies

    D.1. In addition to the requirement to report cybersecurity 
incidents, should pipeline and rail owner/operators be required to make 
attempts to recover stolen information or restore information systems 
within a specific timeframe? If so, what would be an appropriate 
timeframe?
    D.2. From a regulatory perspective, TSA is most interested in 
actions that could be taken to protect pipeline and rail systems by 
ensuring appropriate safeguards of critical cyber systems within IT and 
OT systems. What types of critical cyber systems do you recommend that 
regulations address and what would be the impact if the scope included 
systems that directly connect with these critical cyber systems? Please 
provide sufficient details to allow TSA to identify where and how your 
recommendations relate to our current requirements or recommendations, 
as discussed in Section I.E.
    D.3. Recognizing that there are both evolving threats and emerging 
capabilities to address known threats, how could owner/operators adjust 
their vulnerability assessments and capabilities if TSA were to issue 
periodic benchmarks to pipeline and rail owner/operators on the scope 
of vulnerability assessments that are informed by the latest 
technologies and evolving threats? The purpose of the periodic guidance 
and assessments

[[Page 73537]]

would be to facilitate the owner/operator's evaluation of 
vulnerabilities and capabilities based on the most current technologies 
and threats.
    D.4. What are some benefits and challenges for pipeline and rail 
owner/operators in building operational resilience by conducting the 
vulnerability assessments required/recommended by TSA (whether based on 
the directives and information circulars discussed in Section I.E. of 
this ANPRM or the guidelines and assessments discussed in Section I.H.) 
and any assessments offered by CISA? \50\
---------------------------------------------------------------------------

    \50\ Source: CISA Assessments: Cyber Resilience Review (CRR), 
accessible at https://www.cisa.gov/uscert/resources/assessments.
---------------------------------------------------------------------------

    D.5. What would be the benefits and challenges for the pipeline and 
rail sectors if owner/operators were required to use an accredited 
third-party certifier to conduct audits/assessments to determine 
effectiveness of the owner/operator's cybersecurity measures and/or 
compliance with existing requirements? What would be the costs of 
implementing a requirement to use a third-party certifier?
    D.6. What impacts (positive and negative) to the pipeline and rail 
sectors workforce do you anticipate regarding the implementation of 
CRM? Will there be a need to hire additional employees? If so, how many 
and at what level and occupation?
    D.7. Should pipeline and rail owner/operators be required to 
conduct third-party penetration testing to identify weakness or gaps in 
CRM programs? Please address the identified costs and benefits of this 
action, and any legal, security, privacy, or other issues and concerns 
that may arise during the testing process or prevent third-party 
penetration testing.
    D.8. How could TSA maximize implementation of CRM by providing for 
innovative, effective, and efficient ways to measure cybersecurity 
performance? Please provide specific references or resources available 
for any measurement options discussed, as available.
    D.9. Should pipeline and rail owner/operators designate a single 
individual (such as a chief information security officer) with overall 
authority and responsibility for leading and managing implementation of 
the CRM? Or should they designate a group of individuals as responsible 
for implementation or parts thereof?
    D.10. Should the individuals who you identified under D.8. be 
required to have certain qualifications or experience related to 
cybersecurity, and if so, what type of qualifications or experience 
should be required? If not, what specific requirements should there be 
for who would implement a pipeline and rail owner/operators' CRM 
program? Would implementing this type of requirement necessitate hiring 
additional staff? If so, how many and at what level and occupation?
    D.11. Should pipeline and rail owner/operators be required to 
monitor and limit the access that individuals have to OT and IT systems 
in order to protect information and restrict access to those who have a 
demonstrated need for access to information and/or control? Actions 
include limiting user access privileges to control systems to 
individuals with a demonstrated need-to-know and using processes and 
tools to create, assign, manage, and revoke access credentials for 
user, administrator, and service accounts for enterprise assets and 
software. What would be the cost of implementing this type of 
requirement?
    D.12. What CRM security controls should pipeline and rail owner/
operators be required to maintain, and in what manner? Please address 
each of the following:
    a. Defense-in-depth strategies (including physical and logical 
security controls);
    b. Network segmentation;
    c. Separation of IT and OT systems;
    d. Multi-factor authentication;
    e. Encrypting sensitive data both in transit over external networks 
and at rest;
    f. Operating antivirus and anti-malware programs;
    g. Testing and applying security patches and updates within a set 
timeframe for IT and OT systems; and
    h. Implementing, integrating, and validating zero-trust policies 
and architecture.
    D.13. Please provide information on the cost to implement and 
integrate the CRM security controls identified in your response to 
question D.12.
    D.14. What baseline level of physical security of CRM architecture 
should pipeline and rail owner/operators be required to maintain, 
including ensuring that physical access to systems, facilities, 
equipment, and other infrastructure assets is limited to authorized 
users and secured against risks associated with the physical 
environment? How much would it cost to implement the baseline physical 
security measures you identified in your response? How many of the 
identified measures are currently maintained (if such information has 
not already been provided to TSA)?
    D.15. What would the benefits and challenges be for pipeline or 
rail owner/operators to build operational resilience by adopting an 
``impact tolerance'' framework to help ensure that important business 
services remain operational after a cybersecurity incident, as provided 
for in the Bank of England's Operational Resilience: Impact Tolerances 
for Important Business Services? \51\
---------------------------------------------------------------------------

    \51\ See, supra, Table 1.
---------------------------------------------------------------------------

    D.16. What minimum cybersecurity practices should pipeline and rail 
owner/operators require that their third-party service providers meet 
in order to do business with pipeline and rail owner/operators? What 
due diligence with respect to cybersecurity is involved in selecting a 
third-party provider? For example, do pipeline and rail owner/operators 
include contractual provisions that specifically require third-party 
service providers to maintain an adequate CRM program? Should TSA 
require such provisions, and if so, for what pipeline and rail segments 
and under what circumstances?
    D.17. How can pipeline and rail owner/operators develop a process 
to evaluate service providers who hold sensitive data, or are 
responsible for enterprise critical IT platforms or processes, to 
ensure that these providers are protecting those platforms and data 
appropriately?
    D.18. Please address the extent to which pipeline and rail owner/
operators should ensure that processes to procure control systems 
include physical security and cybersecurity in acquisition decisions 
and contract arrangements? In addition, please address the extent to 
which pipeline and rail owner/operators should ensure that vendors in 
the supply chain are vetted appropriately and that vendors vet their 
own personnel, service providers, and products and software.
    D.19. Are there any new technologies in use or under development 
that may be relevant to the future of secure IT and OT systems, and how 
should these technologies be considered or used to establish an 
effective regulatory CRM regime?
    D.20. How should pipeline and rail owner/operators address 
cybersecurity challenges or benefits posed by using a commercial cloud 
service provider? Please explain how pipeline and rail owner/operators 
can identify and mitigate risks associated with migration of data, 
services, or infrastructure to a public or shared cloud storage system 
and/or perspective on the security benefits and challenges that may 
arise from the use of commercial cloud infrastructure.

[[Page 73538]]

    D.21. How can pipeline and rail owner/operators most effectively 
address the risks of using very small aperture terminals networks and 
commercial satellite communications for remote communications? Please 
address how pipeline and rail owner/operators can identify and mitigate 
risks associated with use of these systems, which were often built for 
speed of communication without security in mind or specific measures to 
address known vulnerabilities. What would be the cost of implementing 
the actions you recommend for identifying and mitigating risks 
associated with these systems? If cost data are provided, please break 
it down by unit and extent to which they are implemented (e.g., 
isolated or system-wide).
    D.22. What other regulatory or procurement regimes do pipeline and 
rail owners/operators need to comply with (e.g., are you required to 
comply with Defense Federal Acquisition Regulation Supplement (DFARS) 
requirements)? What actions/documentation can pipeline and rail owner/
operators take/provide to allow TSA to consider compliance with another 
state or federal requirement to establish full compliance with TSA's 
requirements? How could TSA validate that the other requirements are, 
in fact, being fully implemented and provide the same level of security 
as TSA's requirements? Are there other regulatory regimes, potentially 
in other sectors or other countries, that pipeline and rail owners/
operators believe would be good references for TSA?
    D.23. How can maturity-based cybersecurity frameworks, such as 
CISA's Cross-Sector Cybersecurity Performance Goals and the NIST 
Framework for Improving Critical Infrastructure Cybersecurity,\52\ be 
leveraged in the pipeline and rail sectors to calibrate adoption in a 
manner that is tailored and feasible for these sectors?
---------------------------------------------------------------------------

    \52\ See Table 1.
---------------------------------------------------------------------------

    D.24. What existing statutes, standards, or TSA-issued regulations, 
policies, or guidance documents may present a challenge or barrier to 
the implementation of CRM in the pipeline and rail sectors? How could 
these statutes, standards, regulations, policies, or guidance documents 
be changed to remove the barriers or challenges? Please be as detailed 
and specific as possible.
    D.25. How could a future rulemaking implement risk-based and/or 
performance based requirements that achieve an effective cybersecurity 
baseline across the pipeline and rail industry?

E. Identifying Opportunities for Third-Party Experts To Support 
Compliance

    The following questions are specifically related to the role of 
third-parties to establish compliance with requirements, such as 
verifications and validations. TSA has maximized the capability of 
third-party certifiers in other contexts and is interested in options 
for leveraging this capability for cybersecurity. In general, the 
concept would require some level of approval by the Federal Government 
that recognizes the qualifications of the third-parties, vetting to 
identify any potential conflicts of interest or other risks associated 
with an insider threat, and consistent standards to be applied.
    E.1. How would you envision using third-party organizations to 
improve cyber safety and security in the pipeline and rail sectors? For 
example, should pipeline and rail owner/operators be able to use third 
parties to administer their CRM programs, and if so, to what extent and 
in what manner? Should pipeline and rail owner/operators use third-
party certifiers to verify compliance and the adequacy of their CRM 
programs? Please explain the basis for your position and provide 
specific examples and, where possible, estimated costs.
    E.2. What would the benefits and challenges be were TSA to require 
owner/operators to conduct compliance assessments by an accredited 
third-party certifier, similar to that described in the Bank of 
England's CBEST Threat Intelligence-Led Assessments (2021)? What 
features should be included in a compliance scheme that leverages 
third-party validators?
    E.3. What minimum cybersecurity practices or experience should TSA 
require that third-party experts meet for them to do business with the 
pipeline and rail owner/operators?

F. Cybersecurity Maturity Considerations

    F.1. What special considerations or potential impacts (i.e., risks, 
costs, or practical limitations) would pipeline and rail owner/
operators have to consider before implementing CRM in their respective 
operations? Are there differences between startup costs to implement 
and the ongoing costs to maintain CRM? Do small entities (including 
business owner/operators) face unique or disproportionate costs in 
implementing and maintaining CRM?
    F.2. What is your estimate of the percentage of pipeline and rail 
owner/operators that have already implemented CRM within their 
organizations? If you do not know specifically, please provide us with 
your best estimate or any sources of data that TSA may use to determine 
this number. Does your organization currently have a CRM program? Do 
you think there are disparities between the percentages of large and 
small entities that have implemented CRM? If so, why and what are they?
    F.3. Some sectors may have regulatory regimes in place imposing 
cybersecurity requirements. As some owner/operators may be subject to 
regulatory requirements imposed by multiple Federal, state, or local 
agencies, how should TSA most effectively achieve regulatory 
harmonization consistent with our transportation security 
responsibilities and relevant to pipeline and rail owner/operators?

G. Incentivizing Cybersecurity Adoption and Compliance

    TSA is particularly interested in comments on types of incentives, 
such as liability protection, insurance, commercial contracts, or other 
private or public sector options, that would incentivize adoption of 
cybersecurity and resilience measures, and whether and how TSA might 
facilitate the development of such incentives.
    G.1. If you have implemented CRM, was implementation required or 
incentivized by insurance companies, existing commercial contracts, or 
contracts with the Federal Government? How long did it take to 
implement CRM and what was the estimated cost of the implementation? 
What are the estimated annual costs of maintaining your CRM program?
    G.2. Does your company insure against significant cybersecurity 
incidents? If so, what are the general terms of your insurance, and how 
does it factor into your decision on how to respond to significant 
cybersecurity incidents? What is the scope of review or audits that 
your insurer conducts, or requires you to conduct, in order to assess 
insurance worthiness?
    G.3. What tools, technical assistance, or other resources could TSA 
provide to facilitate compliance with any specific federally-imposed 
cybersecurity requirement?

    Dated: November 22, 2022.
David P. Pekoske,
Administrator.
[FR Doc. 2022-25941 Filed 11-29-22; 8:45 am]
BILLING CODE 9110-05-P