On December 2, 2021, the US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector. These follow a pair of Security Directives from TSA, on May 28, 2021, and July 26, 2021, imposing a variety of cybersecurity requirements (technical and administrative) on the 100 TSA-designated “most critical” pipeline owners/operators. The Biden administration does not appear to be taking its foot off the gas any time soon, particularly when it comes to the cybersecurity of critical infrastructure. Media reports indicate a draft blueprint is currently being circulated by the White House seeking to enhance the cybersecurity of US water utilities, too.
IN DEPTH
The December 2 TSA Security Directives target higher-risk freight railroads, passenger rail and rail transit. They require covered owners and operators to do the following:
-
[effective December 31, 2021] report “cybersecurity incidents” to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying them, with specifications on what must be included in the submitted report;
-
[by January 6, 2022] designate a cybersecurity coordinator and alternate, who must meet certain eligibility requirements and are “required to be available” to CISA “at all times (all hours/all days) to coordinate implementation of cybersecurity practices, and manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters”;
-
[by March 30, 2022] conduct a cybersecurity vulnerability assessment to identify potential gaps and vulnerabilities in their systems, using the form provided by TSA, and submit the completed form to TSA; and
-
[by June 28, 2022] develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should Information Technology (IT) and/or Operational Technology (OT) be affected by a cybersecurity incident.
The Directives broadly define a cybersecurity incident to mean an unauthorized event that “jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” Notably, a covered cybersecurity incident includes an event that is under investigation as a possible cybersecurity incident without final determination of the event’s root cause or nature (such as malicious, suspicious or benign).
The Directives require owners/operators to submit their completed vulnerability assessment form and remediation plan to TSA by March 30, 2022. The Directives also require the cybersecurity coordinator or “other accountable executive” to submit a statement to TSA certifying compliance with the cybersecurity incident response plan requirements within seven days of completing the plan. Documentation of compliance must be provided to TSA upon request and without a subpoena.
Given the Directives’ detailed requirements, including certifications and submissions to the government, as well as tight implementation deadlines, covered owners/operators should promptly assess their cybersecurity programs. The most pressing deadline is designating a cybersecurity coordinator and alternate. Organizations must be thoughtful about whom they choose; they should be mindful of the gating criteria as well as the individual’s role and responsibility within the organization. The coordinator and the alternate must be US citizens who are eligible for security clearances; entrusted to serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA, as well as work with appropriate law enforcement and emergency response agencies; accessible to TSA and CISA 24 hours a day, seven days a week; and empowered to coordinate cyber and related security practices and procedures internally.