TSA announces proposed rule that would require the establishment of pipeline and railroad cyber risk management programs

The Transportation Security Administration (TSA) has published a Notice of Proposed Rulemaking that proposes to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” said TSA Administrator David Pekoske. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
This rule proposes to continue TSA’s commitment to performance-based requirements. Building on the performance-based cybersecurity requirements TSA previously issued via annual Security Directives since 2021, the proposed rule leverages the cybersecurity framework developed by the National Institute of Standards and Technology and the cross-sector cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency (CISA).
Consistent with these requirements and standards, this rule proposes:
- To require that certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
- To require these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA, to report cybersecurity incidents to CISA; and
- To extend to higher-risk pipeline owner/operators TSA’s current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.
TSA asserts that maintaining an effective cybersecurity posture is critically important to ensuring that the surface transportation sector is prepared for, and able to manage, cyber risks. The requirements contained in this proposed rule would strengthen cybersecurity resilience across the surface transportation systems sector.

2 WEEKS TO ‘CIP WEEK’ IN EUROPE - 12th-14th November 2024, Madrid, Spain

The International Association of Critical Infrastructure Protection Professionals (IACIPP) is delighted to announce that preparations for the inaugural ‘Critical Infrastructure Protection Week’ in Europe are progressing well, as part of an initiative focused on enhancing collaboration and cooperation amongst the industry.
The recently implemented Critical Entities Resilience Directive (CER Directive) lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. The deadline of 17th October 2024, by which Member States should have adopted and published the measures necessary to comply with this Directive, appears to have been met with challenges.
The NIS2 Directive, also known as the Network and Information Security Directive, is another significant piece of legislation that was being implemented on 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It has built on the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
The implementation of these Directives has proven challenging, and in some instances compliance is still some way off.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid, Spain, and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and the ‘EU-CIP Horizon Project’ conference as the first two events of the initiative.
IACIPP has lined up an excellent Keynote Session for the Opening of the event, including:
- Jose Luis Perez Pajuelo, Director General, National Center for Critical Infrastructure Protection (Ministry of Interior)
- Dr. Enrique Belda Esplugues, Director General, Port of Valencia, Spain
- Juan Diez Gonzalez, Head of Cybersecurity for Strategic Healthcare, Food and Research sectors, Spanish National Cybersecurity Institute (INCIBE)
- John Donlon, Chairman, International Association of CIP Professionals
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted the CIP Week in Europe initiative is gathering pace, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies concerns over the lack of preparation of some of the operators and agencies in meeting the deadline has been proven, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years. We are delighted to welcome such an esteemed set of keynote speakers to open the event, providing wisdom and insight into the challenges for the industry.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, and highlight many of the challenges facing the industry. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ and be prepared,” added Mr Donlon.
With just two weeks to go to CIP Week in Europe, IACIPP is inviting the industry to join the discussions in Madrid on 12th-14th November 2024.
Further details and registration can be found at www.cipre-expo.com and www.cip-association.org.

CISA Launches #PROTECT2024 Election Threat Updates Webpage

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new one-stop shop website for election threat updates from CISA and its federal government partners. As foreign actors continue their efforts to influence and interfere with the 2024 elections, CISA is ensuring that information about the election threat environment is readily accessible.
Part of the larger #Protect2024 site launched in January, the page aims to make it easier to find specific threat-related products that the American public can use to stay informed and the election community can use to prepare, including:
- Joint Statements from CISA, ODNI and FBI on threats to the 2024 election
- ODNI Election Threat Updates
- FBI and CISA “Just So You Know” Joint PSA Series
Since its initial launch, #Protect2024 has quickly grown and serves as the central point for critical resources, training lists and security services to support more than 8,000 election jurisdictions for the 2024 election cycle.

Plurilock and CrowdStrike Partner to Secure Critical Infrastructure and Organizations

Plurilock Security Inc., a global cybersecurity services and solutions provider, and CrowdStrike are pleased to announce a new partnership to secure critical infrastructure in democratic nations and economies against modern threats. Plurilock will provide sales and support of the AI-native CrowdStrike Falcon® cybersecurity platform to help power Plurilock’s Critical Services business unit.
Through the partnership, Plurilock will collaborate with CrowdStrike to deploy the Falcon platform and related Plurilock Critical Services to key Plurilock customers that are seeking to modernize or optimize their security operations for today’s surging threat environment. Both companies have deep expertise in AI and cybersecurity, with Plurilock having been founded on AI as a cybersecurity research spin-out, and CrowdStrike providing the world’s most advanced AI-native cybersecurity platform.
“Plurilock Critical Services secures enterprise customers that are of key importance to the world’s democracies—and that are increasingly targeted by sophisticated attacks,” said Ian L. Paterson, CEO of Plurilock. “The CrowdStrike Falcon platform enables our Critical Services team to consolidate point products, remove complexity, and deliver comprehensive visibility and real-time protection across the enterprise. This partnership enables us to provide some of the most demanding customers in existence with the solution best able to address the threats they currently face.”
“Collaborating with innovative partners like Plurilock is core to CrowdStrike’s mission of stopping breaches,” said Daniel Bernard, chief business officer, CrowdStrike. “Plurilock customers are targeted by the world’s most sophisticated adversaries, and require the most advanced technology and elite services to safeguard their critical assets. We look forward to leveraging the power of the Falcon platform to achieve our shared objectives and stop advanced threats.”

2nd E.DSO Digital Award

Are you the creator of a pioneering solution or technological innovation that will facilitate the energy transition and leave a significant impact for society?
E.DSO, the Association of Distribution System Operators (DSOs), is launching the ‘2nd E.DSO Digital Award’ in recognition of the most meaningful and relevant digital innovations contributing to the shaping of DSOs’ roles. This award aims to highlight the importance of digitalisation in the energy sector and to acknowledge those who are leading the way in creating a more efficient, resilient, and consumer-centric energy system.
This opportunity is reserved for start-ups that have developed an innovative, revolutionary and relevant technological tool and digital solution for a future energy system.
Candidates are invited to send a brief description plus a video of their invention and its contribution by 21 October 2024.
The Award will be announced during E.DSO’s 1st FutureGrid Innovation Summit, scheduled in Brussels on 6 February 2025.

The latest issue of Critical Infrastructure Protection & Resilience News has arrived

Download your copy now at www.cip-association.org/CIPRNews
Please find here your downloadable copy of the Summer 2024 issue of Critical Infrastructure Protection & Resilience News, the official magazine of the International Association of CIP Professionals (IACIPP), for the latest views, features and news, including a preview of the upcoming Critical Infrastructure Protection & Resilience Europe conference, part of CIP Week in Europe in Madrid, Spain.
Critical Infrastructure Protection & Resilience News in this issue:
- CrowdStrike Outage: A Faulty Update Causes Worldwide Problems
- Perspective: Artificial Intelligence
- As cyberattacks increase, physical security should remain a top priority
- Solving the Puzzle of Protection
- Fortifying the frontline – why Zero Trust is key to national security
- Solar storms: Are we ready for another Carrington Event?
- The Secure SatCom Hub for All-Missions
- UN cybersecurity report assesses global progress in providing a safe and secure digital future for all
- An Interview with E.DSO
- Protecting electric grid health with drone-based power line inspection
- CIP Week in Europe, CIPRE and EU-CIP Preview
- Agency News
- Industry News

CISA Releases Plan to Align Operational Cybersecurity Priorities for Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) has published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
Each FCEB agency has a unique mission, and thus has independent networks and system architectures to advance its critical work. This independence means that agencies have different cyber risk tolerances and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines how this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.
“Federal government data and systems interconnect and are always a target for our adversaries. FCEB agencies need to confront this threat in a unified manner and reduce risk proactively,” said CISA Executive Assistant Director for Cybersecurity, Jeff Greene. “The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience. In collaboration with our partner agencies, CISA is modernizing federal agency cybersecurity.”
The FOCAL plan is organized into five priority areas that align with agencies’ metrics and reporting requirements. Each priority has goals ranging from addressing universal cybersecurity challenges, such as managing the attack surface of internet-accessible assets and bolstering cloud security, to long-range efforts, including building a defensible architecture that is resilient in the face of evolving security incidents. The priority areas for FCEB agencies are:
- Asset Management – fully understand the cyber environment, including the operational terrain and interconnected assets.
- Vulnerability Management – proactively protect enterprise attack surface and assess defensive capabilities.
- Defensible Architecture – design cyber infrastructure with an understanding that security incidents will happen, and that resilience is essential.
- Cyber Supply Chain Risk Management (C-SCRM) – quickly identify and mitigate risks, including from third parties, posed to federal IT environments.
- Incident Detection and Response – improve the ability of Security Operations Centers (SOCs) to detect, respond to, and limit the impact of security incidents.
The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities.
The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.

UK Data centres to be given massive boost and protections from cyber criminals and IT blackouts

Technology Secretary Peter Kyle has announced that the government has now classed UK data centres – the buildings which store much of the data generated in the UK – as ‘Critical National Infrastructure’. It is the first Critical National Infrastructure (CNI) designation in almost a decade, since the Space and Defence sectors gained the same status in 2015.
It means the data housed and processed in UK data centres – from photos taken on smartphones to patients’ NHS records and sensitive financial investment information – is less likely to be compromised during outages, cyber attacks, and adverse weather events. Putting data centres on an equal footing with water, energy and emergency services systems will mean the data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in the UK and helping generate economic growth for all.
CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur.
It comes as the government welcomes a proposed £3.75 billion investment in Europe’s largest data centre, as plans have been submitted to Hertsmere Borough Council for construction in Hertfordshire by data company DC01UK which will directly create over 700 local jobs and support 13,740 data and tech jobs across the country.
Critical National Infrastructure status will also deter cyber criminals from targeting data centres that may house vital health and financial data, minimising disruption to people’s lives, the NHS and the economy.
In the event of an attack on a data centre hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage to essential services, including on patients’ appointments or operations.
The new protections will also boost business confidence in investing in data centres in the country, an industry which already generates an estimated £4.6 billion in revenues a year.

FBI, CISA, NSA, and US and International Partners Release Advisory on Russian Military Cyber Actors Targeting US and Global Critical Infrastructure

The Federal Bureau of Investigation (FBI), in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners, has released a joint Cybersecurity Advisory, “Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure.”
This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine.
These cyber actors have been responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The authoring agencies encourage organizations to review this advisory for recommended mitigations against such malicious activity.

DHS Has Efforts Underway to Implement Federal Incident Reporting Requirements

Cyber threats to systems that provide essential services such as banking and health care are growing.
A 2022 law required the Department of Homeland Security to take several actions to address these threats.
The first set of requirements for DHS included proposing a rule that identifies which infrastructure operators have to report about cyber incidents. DHS proposed the rule in March 2024. According to DHS, access to cyber incident reports could help it improve its prevention of and response to cyber threats.
DHS also met requirements related to specific programs, and to its coordination of federal cybersecurity efforts.
What GAO Found
The Department of Homeland Security (DHS) has implemented the 13 requirements from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the act) that were due by March 2024. Specifically, DHS's Cybersecurity and Infrastructure Security Agency (CISA) submitted a proposed rule related to cyber incident reporting requirements to the Federal Register in March 2024, and it was published in April 2024. DHS plans to issue the final rule by October 2025. In addition, the department implemented the remaining 12 requirements (see figure). As a result of these efforts, DHS should be better positioned to coordinate the federal government cybersecurity and mitigation efforts more effectively, as intended by the act. Additionally, DHS should be better positioned to assist entities with defending against cyber incidents on the critical infrastructure.
Extent to Which the Department of Homeland Security (DHS) Implemented 13 Applicable Cyber Incident Reporting for Critical Infrastructure Act of 2022 Requirements
DHS identified a variety of challenges in implementing the act and is taking steps to address them. These challenges are related to harmonizing cyber incident reporting requirements, addressing cyber incident review responsibilities, and facilitating a more efficient method for federal agencies to begin sharing cyber incident reports. DHS noted that it has taken several mitigation steps to address these challenges, such as (1) identifying four recommendations for federal agencies and three proposals to Congress to address duplicative reporting requirements; (2) updating its technologies; and (3) hiring additional staff to facilitate the review, analysis, and sharing of reports. If implemented effectively, the four recommendations and three proposals can further mitigate challenges and help standardize incident reporting.
Why GAO Did This Study
Cybersecurity incidents involving critical infrastructure sectors—the sectors whose assets, systems, and networks provide essential services—cost the United States billions of dollars annually and cause significant disruptions. To provide increased visibility into the growing cyber threats to critical infrastructure, Congress and the President enacted a law on cyber incident reporting. This law calls for DHS to address 13 requirements by March 2024, including publishing a proposed rule for certain entities to submit reports on cyber incidents and ransom payments to DHS.
The law also includes a provision for GAO to report on the implementation of the act. This report (1) examines the extent to which DHS has implemented the act's requirements and (2) describes efforts DHS has made to identify and mitigate challenges with meeting the act's requirements.
To do so, GAO identified 59 requirements in the act that DHS was responsible for implementing. Of those, 13 requirements were due by March 2024. GAO organized the requirements into four categories: proposed rule for reporting requirements, cyber incident reporting council, ransomware pilot program, and joint ransomware task force. GAO then analyzed the department's implementation of the 13 requirements. GAO also summarized documentation and testimonial evidence regarding challenges DHS faced in implementing the act's requirements and its mitigation plans.