Changes to Cybersecurity for Transportation and Energy Infrastructure

In recent months, the federal agencies have continued efforts to harden the cyber defenses of critical energy and transportation infrastructure. In December 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced two new Security Directives providing additional guidance to strengthen cybersecurity across the transportation and critical infrastructure sectors. Most of the Security Directives were implemented for owners and operators of critical natural gas pipelines and liquefied natural gas facilities following the May 2021 cyberattack on Colonial Pipeline. The December 2021 Security Directives made these requirements applicable to higher-risk freight railroads, passenger rail, and rail transit. The Directives require owners and operators to:

  1. designate a cybersecurity coordinator; 
  2. report cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours; 
  3. develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,  
  4. complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

TSA’s guidance recommended that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. TSA stated that it intended to expand the requirements of the aviation sector and issue guidance to smaller operators. TSA also announced that it intends to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.

In February 2022, the Russian invasion of Ukraine sparked renewed concerns over the threat of increased cyberattacks on U.S. infrastructure, and for good reason. In early March, the CEO of EQT Corporation, the largest producer of natural gas in the United States, reported that the number of cyberattacks to its systems has increased significantly since the start of the Russian invasion of Ukraine. Though the company also stated that is has so far successfully identified and blocked the attacks.

Cybersecurity efforts have seen increased movement in Congress as well. On March 2, the U.S. Senate unanimously passed the Strengthening American Cybersecurity Act of 2022. The bill combines language from several bills that have been previously authored by the bill’s sponsors: the Cyber Incident Reporting for Critical Infrastructure Act, the Federal Information Security Modernization Act, and the Federal Secure Cloud Improvement and Jobs Act. The law if passed would, among other things, require federal agencies and critical infrastructure operators to report cyberattacks to CISA within 72 hours and to report ransom payments within 24 hours.

Although it remains to be seen whether the bill passes in the U.S. House of Representatives, the uptick in cyber threats to critical infrastructure in quickly becoming the new normal and companies should be pro-active in strengthening their cyber defenses. 

Share this post: