The Transportation Security Administration (TSA) is a U.S. government agency that is responsible for providing security for the nation’s transportation systems, including the aviation, rail, and highway sectors. As part of its mission, the TSA has established cybersecurity standards and requirements for certain transportation systems to ensure that they are secure and compliant with federal regulations.
The TSA Cybersecurity Pipeline Compliance (TSACPC) requirement applies to certain transportation systems that are considered critical infrastructure. Owner/Operators impacted should have received a memorandum. This requirement is designed to ensure that these systems have robust cybersecurity controls in place to protect against cyber threats and vulnerabilities.
To meet the TSACPC requirement, transportation systems must implement a range of cybersecurity controls and practices, including:
- Institutions must have a defined Cybersecurity Implementation Plan.
- Network segmentation: Systems must be segmented and access to sensitive areas of the network must be restricted. Logical zones must be defined based on criticality and risks.
- Access Control: Must be based on the principles of least privilege and separation of duties, or compensating controls must be defined.
- Encryption: Data transmitted over networks must be encrypted to protect against unauthorized access.
- Network security monitoring: Systems must be monitored for security threats and vulnerabilities.
- Vulnerability management: Systems must be regularly tested for vulnerabilities and any identified vulnerabilities must be promptly addressed.
- Multi-factor authentication: Must be used for access to industrial control workstations, or the compensating controls in place must be specified.
- Security incident response: Institutions must have a plan in place for responding to security incidents, including containment, preservation, recovery, and annual testing.
- Assessment Program: Measuring the effectiveness of the Cybersecurity Program, performing architectural design reviews, and other assessment capabilities such as penetration testing.

Overall, the TSACPC requirement is designed to help ensure that critical transportation systems are secure and compliant with federal regulations and can protect against cyber threats and vulnerabilities.