Cyber-Securing Critical Infrastructure Redefined

This post is also available in: עברית (Hebrew)

The Department of Homeland Security (DHS) is redefining ‘Cybersecurity Incident’ in directives for surface transportation across the US. 

The Transportation Security Administration has changed the criteria pipeline operators must use when complying with directives to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). This will also soon apply to rail and aviation operators. 

According to, the move follows cyber attacks such as the ransomware attack on Colonial Pipeline in May. After the incident, the TSA issued a security directive requiring high-risk pipeline operators to report any cybersecurity incident to CISA within 12 hours. 

Under the directive, such incidents should include an event that, “may affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” However, critics said the directive might be overly burdensome.   

The new directives will require operators to designate a cybersecurity coordinator that CISA and TSA could reach around the clock, develop an incident response plan and conduct a vulnerability assessment resulting in a plan to fill any gaps identified.

The new directives for rail operators also similarly mandate cybersecurity incidents be reported to CISA, but narrow the definition of such incidents, noting they should include events that are “under investigation as a possible cybersecurity incident.”

Watch this intriguing INNOTECH 2021 discussion panel on cyber incident identification and response: