Transportation Security Administration Cybersecurity Pipeline Compliance Requirement

The Transportation Security Administration (TSA) is a U.S. government agency that is responsible for providing security for the nation’s transportation systems, including the aviation, rail, and highway sectors. As part of its mission, the TSA has established cybersecurity standards and requirements for certain transportation systems to ensure that they are secure and compliant with federal regulations.

The TSA Cybersecurity Pipeline Compliance (TSACPC) requirement applies to certain transportation systems that are considered critical infrastructure.  Owner/Operators impacted should have received a memorandum. This requirement is designed to ensure that these systems have robust cybersecurity controls in place to protect against cyber threats and vulnerabilities.

To meet the TSACPC requirement, transportation systems must implement a range of cybersecurity controls and practices, including:

    • Institutions must have a defined Cybersecurity Implementation Plan
    • Network segmentation: Systems must be segmented and access to sensitive areas of the network must be restricted.  Logical zones must be defined based on criticality and risks.
    • Access Control: Must be based on the principles of least privilege and separation of duties, or compensating controls must be defined.
    • Encryption: Data transmitted over networks must be encrypted to protect against unauthorized access.
    • Network security monitoring: Systems must be monitored for security threats and vulnerabilities.
    • Vulnerability management: Systems must be regularly tested for vulnerabilities and any identified vulnerabilities must be promptly addressed.
    • Multi-factor authentication for access to industrial control workstations or specify what compensating controls are in place.
    • Security incident response: Institutions must have a plan in place for responding to security incidents, including containment, preservation, recovery, and annual testing.

Assessment Program: Measuring the effectiveness of the Cybersecurity Program, performing architectural design reviews, and other assessment capabilities such as penetration testing. Overall, the TSACPC requirement is designed to help ensure that critical transportation systems are secure and compliant with federal regulations and can protect against cyber threats and vulnerabilities.

Lori Demello

Director, Compliance and Risk Management

Cybercrime Expected To Skyrocket in Coming Years

Early today Statista’ published the following post Chart: Cybercrime Expected To Skyrocket in Coming Years | Statista.   According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercrime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. ”As more and more people turn online, whether, for work or their personal lives, there are more potential opportunities for cybercriminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber-attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing.”

Source: Statista Technology Market Outlook, National Cyber Security Organizations, FBI, IMF

One of the largest hurdles for cyber-security compliance is to develop and document a security program plan and measure that plan as it complies with a specific framework. Accomplishing this is our niche at Columbia Advisory Group. We have developed an approach where we document your current Security Program (what you have in place), assess your current state (define current maturity level), and then define a Plan (roadmap for the future). The best place to start is to perform vulnerability scanning and address weaknesses before they are exploited. We then evaluate current policies and procedures and recommend remediation and improvement. We can provide a Risk Register which is a tool utilized to track identified Information Technology Security risks and define potential solutions. We provide many services that help an organization achieve compliance with a variety of security frameworks (CSF, CMMC, NIST 800-52, TAC 202) or prepare for certification (SOC 2 Type 2, ISO 27001, PCI). We can also help an organization write many policies and procedures required for compliance.

About the Author:
Lori DeMello is Columbia Advisory’s Director of Risk and Compliance. Lori is an expert in areas of Risk Management, Compliance, Security, Regulatory Reviews, Security Assessments, Audit Preparation and Response, Security Services, Continuity of Operations Planning, Risk Assessments, Risk Management Planning, Disaster Recovery, and Change Management. Lead efforts in creating and maintaining critical process documentation for CAG internal and customers. She has 25 years of IT experience with Certifications in PMP, ITILv2 and ITiLv3.