TSA Mandates Cybersecurity Actions for Freight, Passenger Rail

The Transportation Security Administration (TSA) on Dec. 2 issued two new Security Directives for “higher-risk” passenger railroads and rail transit agencies and freight railroads, respectively, to “strengthen” cybersecurity.

The move is “part of a series of new steps to prioritize cybersecurity” across the Department of Homeland Security (DHS), TSA said, and it was not unexpected. Homeland Security Secretary Alejandro Mayorkas on Oct. 6 announced that cybersecurity mandates for the rail transportation sector were on the way.

TSA reported that its two directives require owners and operators to:
• Designate a cybersecurity coordinator.
• Report cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
• Develop and implement a cybersecurity incident response plan “to reduce the risk of an operational disruption.”
• Complete a cybersecurity vulnerability assessment to “identify potential gaps or vulnerabilities in their systems.”

TSA is also “recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures.”

To develop the directives, TSA said it “sought input from industry stakeholders and federal partners,” including CISA.

The Association of American Railroads (AAR) and the rail industry “have had productive consultations with agency officials [since TSA’s October announcement] to revise provisions that would have posed challenges in implementation,” AAR reported on Dec. 2. “With the final directives released today, a number of the industry’s most significant concerns have been addressed.” The association noted, however, that “an unresolved issue is the appointment of cybersecurity coordinators by railroads headquartered in Canada, and [it] will work with TSA and its Canadian members to resolve that issue.”

“Every Class I railroad and Amtrak, as well as many commuter and short line carriers, have chief information security officers and cybersecurity leads who will serve as the required Cybersecurity Coordinators,” according to AAR. “Further, railroads have conducted cybersecurity assessments on a recurring basis and have developed, exercised and applied Cyber Incident Response Plans. Through the AAR’s Railway Alert Network (RAN), railroads have been reporting significant cyber threats, incidents and security concerns to TSA, DHS and the Department of Transportation (DOT) since 2014.”

“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” AAR President and CEO Ian Jefferies said. “Let there be no mistake—railroads take these threats seriously and value our productive work with government partners to keep the network safe.”

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Secretary of Homeland Security Mayorkas said. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

TSA noted that it recently updated its aviation security programs to require that airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents to the CISA within 24 hours, and it “intends to expand the requirements for the aviation sector and issue guidance to smaller operators.”