As cybersecurity directives expire for covered infrastructures, the Transportation Security Administration (TSA) plans to reissue new directives with the added requirement that affected entities perform tabletop exercises to test their cyber incident response plans, David Pekoske, the agency’s chief, said last week.

The exercises will go beyond just a specific company to include other stakeholders, he said last Thursday as part of a cybersecurity panel hosted by the Center for Strategic and International Studies.

TSA already did a tabletop exercise at a cyber range in Boston with a company and “we found the learning from that to be incredible,” Pekoske said. “It was important to understand how you’re going to receive information on when a cyber-attack occurred. It may not be through traditional means that you would normally expect to see it. Secondly, how do you pivot from responding to the cyber incident to responding to what will be a crisis in many cases depending on the extent of the intrusion and the level of impact on the public from a safety and security, and from an availability of services perspective?”

In addition to the TSA, the Cybersecurity and Infrastructure Security Agency and the FBI also participated in the recent tabletop exercise. That was “reassuring” to the company because it showed “that there’s some increased level of coordination,” he said.

Following a ransomware attack in May 2021 against the information technology (IT) network of pipeline operator Colonial Pipeline, which shutdown its operating systems to ensure the attack didn’t compromise its operating technology (OT). The shutdown led to shortages of gasoline in some areas of the East Coast.

Immediately following the incident, TSA leaned on existing authorities to begin requiring pipeline operators to report certain cyber security incidents. Then, in July, the agency expanded its requirements to some companies in the pipeline sector to take specific mitigation measures to protect against ransomware and other known threats to their IT and OT systems, develop a cybersecurity contingency and recover plan, and conduct a cybersecurity architecture design review.

A year later, TSA and its industry stakeholders re-worked the regulations to be performance-based that outlined four key outcomes, including network segmentation, plans for access control of critical cyber systems, perform continuous monitoring and detection for cyber intrusions, and have a prioritized plan for patching and upgrading systems that is part of a cybersecurity implementation plan.