DHS Redefines ‘Cybersecurity Incident’ in Directives for Surface Transportation

The Transportation Security Administration has changed the criteria pipeline operators must use when complying with directives to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, which will soon apply to rail and aviation operators. 

The move is happening as lawmakers try to agree on the shape of incident reporting legislation that would apply to the broader private sector, which controls the vast majority of the nation’s critical infrastructure. The devil will be in the details of key definitions as those negotiations continue with an eye toward passage in the annual National Defense Authorization Act. 

In May, following a ransomware attack on Colonial Pipeline, TSA issued a security directive requiring high-risk pipeline operators to report any cybersecurity incident to CISA within 12 hours. Under the directive, such incidents should include an event that 

“may affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.”

The industry pushed back, and Republican lawmakers questioned whether TSA was sufficiently engaging with industry concerns that the directive would be overly burdensome.

Testifying before the House Transportation Committee, Victoria Newhouse, deputy assistant administrator for policy, plans and engagement, cited a new definition of “cybersecurity incident” to illustrate TSA’s willingness to engage with industry.

“We’ve taken that feedback and updated definitions of a reportable cybersecurity incident,” she said. “So we’ve taken that seriously.”

Newhouse said that sort of industry engagement is occurring across TSA’s cybersecurity efforts, including with two new directives the Department of Homeland Security announced Thursday for freight and transit rail operators. 

Like the May directive for pipelines, the new directives will require operators to designate a cybersecurity coordinator that CISA and TSA could reach around the clock, develop an incident response plan and conduct a vulnerability assessment resulting in a plan to fill any gaps identified.

The new directives for rail operators also similarly mandate cybersecurity incidents be reported to CISA but narrow the definition of such incidents, noting they should include events that are “under investigation as a possible cybersecurity incident.”

Briefing reporters on the new directives Thursday, senior DHS officials said the new definition is meant to

“make sure that we capture those incidents that the government needs to be aware of because of the risk associated with it, and making sure that we learn of those that rise to that level, while making sure that we don’t request every incident and get drowned out by the noise.”

Another difference between the May directive for pipelines and the new directives for rail operators is that rail operators are given an additional 12 hours to report their incidents. During the hearing, Newhouse maintained the importance of the faster reporting timeline for pipelines.

“With respect to the security directives to the pipeline industry, we require reporting of the incidents within 12 hours,” she said. “And that is because of the criticality of our nation’s pipelines, the fact that they carry the majority of the significant effects that they would have if those were attacked because they carry the majority of the resources needed to run this country.”

The criticality of the pipeline industry also drove TSA to issue a second directive for its operators in July. The July mandate lists specific actions pipeline operators must take to mitigate cybersecurity risks, including basic cyber hygiene practices like regularly patching software and implementing multi-factor authentication and appropriate network segmentation.

DHS did not respond to a request for comment on whether a subsequent directive on proactive cybersecurity measures can similarly be expected for the rail operators. 
