TSA Releases Proposed Rule to Enhance Pipeline and Railroad Cyber Risk Management
The Transportation Security Administration's ("TSA") proposed rule would require owners and operators of certain pipeline, freight railroad, passenger railroad, rail transit, and over-the-road bus ("OTRB") systems to strengthen their physical security and cybersecurity risk management practices against potential technology security incidents.
On November 6, 2024, TSA announced a Notice of Proposed Rulemaking (the "Rule") which focuses on enhancing cybersecurity risk management in the surface transportation sector. The Rule builds on TSA's security directives issued in the aftermath of a major cyber attack on the largest refined products pipeline in the United States in 2021. TSA seeks to reduce the risk and potential impact of a successful attack or cybersecurity incident on a pipeline, railroad, or OTRB system.
As proposed, the Rule would apply to owners/operators of certain pipeline, freight railroad, passenger railroad, rail transit, and OTRB systems with designated cybersecurity risk profiles. It would require those entities to establish a cybersecurity risk management ("CRM") program that includes:
- Conducting annual enterprise-wide cybersecurity evaluations that identify the entity's current cybersecurity profile relative to its target profile, and that contain particular security outcomes and recommendations from the National Institute of Standards and Technology's Cybersecurity Framework;
- Developing a Cybersecurity Operational Implementation Plan that identifies the parties responsible for implementing its CRM program, and provides detailed measures for identifying, monitoring, and protecting critical systems; and
- Establishing a Cybersecurity Assessment Plan that identifies unaddressed vulnerabilities, as well as provides assessment schedules and an annual report of assessment results.
The Rule also tacks on incident notification obligations for certain OTRB owners/operators, requiring them to notify the Cybersecurity and Infrastructure Security Agency, or CISA, no later than 24 hours after a reportable security incident is identified. It also would require certain pipeline facilities and systems to designate a physical security coordinator to serve as the primary contact with TSA for physical security-related activities and intelligence. Furthermore, OTRB owners/operators would be required to provide training for employees performing "security-sensitive" functions, using a curriculum approved by TSA and in compliance with the schedule outlined in the Rule.
Companies that may be covered should carefully review the Rule and submit comments by February 5, 2025.