The Transportation Security Administration is requiring U.S. freight and passenger railroads to comply with a new cybersecurity directive aimed at protecting the rail networks from harm.
The directive focuses on performance-based measures, according to TSA, and “will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.”
To safeguard against any cyber-related disruptions or degradations to rail infrastructure, TSA is requiring freight and passenger rail carriers to:
- Develop network segmentation policies and controls to ensure operations can continue safely in the event that IT systems have been compromised.
- Secure and prevent unauthorized access to critical cyber systems through access control measures.
- Build and implement monitoring and detection policies and procedures that would detect cybersecurity threats and correct anomalies that would affect critical cyber system operations.
- Utilize security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems using a risk-based methodology.
- Establish and execute a cybersecurity implementation plan that describes how rail carriers expect to meet the TSA security directive. The plan must be approved by the TSA.
- Establish a cybersecurity assessment program to test and audit the effectiveness of measures while also identifying and resolving potential vulnerabilities within devices, networks and systems.
Industry stakeholders and federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Railroad Administration (FRA), provided input as TSA developed the directive.
“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyberthreats and have worked hard over the past year to build additional resilience,” TSA Administrator David Pekoske said in a news release. “And this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”
According to the Association of American Railroads (AAR), the directive institutionalizes and builds upon existing industry practices. Since 1999, AAR’s rail information security committee has been helping the industry coordinate and share cybersecurity information.
“There is no higher priority for the rail industry than the safety and security of our national network,” AAR President and CEO Ian Jefferies said. “For more than two decades, the industry has been a leader at bringing the right people and information together to address evolving cyberthreats. Collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving. We appreciate the [TSA]’s efforts on these important issues.”
In addition to announcing the directive Tuesday, TSA said it plans to begin a rulemaking process to establish regulatory requirements for the rail sector on these cybersecurity measures. That process will include a public comment period.
This new directive builds upon an earlier one that required the railroads to report significant cybersecurity incidents to the federal government, establish a cybersecurity point of contact, develop and adopt a cybersecurity incident response plan and complete a cybersecurity vulnerability assessment.