Terms of Clearance: Approved contingent that - within 90 days of this
approval date - DHS TSA will publish a 60-day Federal Register
notice seeking comments in accordance with 5 CFR 1320.8(d).
Inventory as of this Action | Requested | Previously Approved
05/31/2022 | 6 Months From Approved |
2,343 | 0 | 0
96,063 | 0 | 0
0 | 0 | 0
TSA intends to publish Security
Directives (SDs), which will be mandatory, and an Information Circular
(IC), which will contain non-mandatory recommendations, to various
surface transportation mode operators to address the ongoing
cybersecurity threat using a risk-based approach to transportation
security. The SDs would apply only to “Higher Risk” Railroads and
Rail Transit operations, and the IC would apply to lower-risk
operations to enhance the surface transportation integrated system
to include transit bus operations and over-the-road bus (OTRB)
owner/operators.
Earlier this year, OMB
approved two emergency ICR requests from TSA to collect
information via similar SDs directed to pipelines in order to
address cybersecurity threats. On May 8, 2021, the Colonial
Pipeline Company announced that it had halted its pipeline
operations due to a ransomware attack. This attack received
national attention as it temporarily disrupted critical supplies of
gasoline and other refined petroleum products throughout the East
Coast. Such attacks pose significant threats to the country’s
transportation infrastructure and economic security, as extensive
interdependencies exist among transportation and other critical
infrastructure sectors. During the last few years, cybersecurity
incidents affecting surface transportation have become a growing
threat to the integrated cyber and physical systems that operate
daily in close coordination and proximity nationwide, and its
uninterrupted, secure, and safe operation is critical for the U.S.
economy. Malicious cyber actors have demonstrated their willingness
to conduct cyber-attacks against critical infrastructure by
exploiting the vulnerability of Internet-accessible Operational
Technology (OT) and Information Technology (IT) systems and assets.
Given the multitude of connected devices already in use by the
surface transportation industry and the vast amount of data
generated (with more coming online soon), protecting the
higher-risk freight rail, passenger rail, and transit industry has
become an increasingly critical and complex undertaking
to protect critical infrastructure from malicious cyber-attack and
other cybersecurity-related threats.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.