TSA Releases Rail Cybersecurity Directive (UPDATED)

The Transportation Security Administration (TSA) on Oct. 18 issued a new cybersecurity directive for designated passenger and freight railroads.

The directive, Enhancing Rail Cybersecurity – SD 1580/82-2022-01 (download below), “strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes,” TSA reported. Effective for one year starting Oct. 24, 2022, it was developed with input from industry stakeholders as well as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration (FRA).

According to TSA, the directive mandates that TSA-specified passenger and freight railroads implement the following cybersecurity measures to prevent disruptions to their infrastructure and/or operations:

1. Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific measures employed and the schedule for achieving the following:
   — “Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised.
   — “Implement access control measures to secure and prevent unauthorized access to critical cyber systems.
   — “Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
   — “Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
2. Establish a Cybersecurity Assessment Program and submit an annual plan to TSA that describes how the railroad will proactively test and regularly audit the effectiveness of cybersecurity measures, and identify and resolve device, network and/or system vulnerabilities.

According to TSA, this is the latest in its “performance-based” security directives; the Enhancing Rail Cybersecurity – SD 1580/82-2022-01 builds upon previous security directives that include requirements such as reporting significant cybersecurity incidents to CISA, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment.

“Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment,” the agency said. “TSA also intends to begin a rule-making process, which would establish [permanent] regulatory requirements for the rail sector following a public comment period.”

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” TSA Administrator David Pekoske said. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”

FRA on Oct. 19 told Railway Age that, in general, it provides subject-matter expertise to TSA relating to cyber-vulnerable systems including but not limited to Positive Train Control (PTC). For Enhancing Rail Cybersecurity – SD 1580/82-2022-01, FRA supported TSA by reviewing draft versions as well as providing clarification regarding concerns voiced by the rail industry. 

“This directive expands upon previous directives, requiring further planning and reporting, as well as outlining policies and controls required to mitigate cybersecurity-related risks,” said Carolyn Hayward-Williams, Director of the Office of Railroad Systems and Technology at FRA. “The directive, as with the recent pipeline directive, provides flexibility to railroads in terms of mitigating cybersecurity-related risks by describing policies and control measures, rather that specific cyber solutions.”

Industry Response

“The new TSA requirements set in the directive institutionalize and build upon existing, effective industry practices that have helped keep the nation’s rail network secure and prevent associated operational disruptions,” the Association of American Railroads (AAR) said in an Oct. 19 statement. Through AAR’s Rail Information Security Committee (RISC), the association noted, railroads have coordinated and shared cybersecurity information at the industry level to address evolving threats and to enhance network security since 1999. “We appreciate the administration’s efforts on these important issues,” AAR President and CEO Ian Jefferies said.

Roie Onn, Co-Founder and CEO of rail security firm Cervello, commented: “As the rail industry continues to advance and digitize, having an effective and proactive cybersecurity plan becomes critical for the preparedness and resilience of railroad operations. The newly released TSA directives are an important step forward for rail. We’ve always stood behind the fundamental importance of implementing network segmentation policies as an effective preventative approach, hence we were pleased to see it included in the updated list. We hope the continued attention given by the U.S. to safeguarding the rail industry from cyber attacks will encourage governments and regulation authorities worldwide to take similar action.”

For more on TSA directives, listen to the December 2021 Rail Group On Air podcast, Rail Cybersecurity with Shift5’s Josh Lospinoso.