TSA Renews Rail Security Directives

Written by Marybeth Luczak, Executive Editor

The Transportation Security Administration (TSA) on Oct. 23 reported renewing and updating three security directives on passenger and freight railroad cybersecurity.

The directives—released Oct. 18, 2022, and set to expire Oct. 24, 2023—have been renewed for one year.

Developed with “comprehensive input” from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration (FRA), the three security directives require “TSA-specified passenger and freight railroad carriers to take action to prevent disruption and degradation to their infrastructure with a flexible, performance-based approach, consistent with TSA’s requirements for pipeline operators,” according to the agency.

The revised security directives, Enhancing Rail Cybersecurity, and the revised security directive series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, include a requirement for covered owners and operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan every year, TSA reported. Additionally, they require that these exercises include, as active participants, employees who have been identified by their positions.

The revised security directive series, Rail Cybersecurity Mitigation Actions and Testing, also requires railroad owners and operators to submit an updated Cybersecurity Assessment Plan to TSA annually for review and approval, and to report the results from the previous year, using a schedule for assessing and auditing specific cybersecurity measures for effectiveness such that all cybersecurity measures are assessed within a three-year period, TSA said.

“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” TSA Administrator David Pekoske said. “TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm.”

In related news, TSA in May proposed vetting requirements for certain public transportation, railroad and over-the-road-bus (OTRB) employees under the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act). On Aug. 22, TSA reported extending the proposal comment period to Oct. 1, 2023. TSA is also considering a rulemaking focused on cyber risk management in the pipeline and rail sectors.
