This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
11/11/2022
By Julie Sneider, Senior Associate Editor
The U.S. Transportation Security Administration last month rolled out a new cybersecurity directive for designated passenger and freight railroads.
The goal of the “Enhancing Rail Cybersecurity” directive issued Oct. 18 is to strengthen cybersecurity requirements and focus on performance-based measures to achieve critical outcomes, TSA officials said in a press release. The directive was developed with extensive input from the rail industry and federal partners, including the Department of Homeland Security and Federal Railroad Administration.
Railroads are required to establish and implement a TSA-approved cybersecurity implementation plan that describes the specific measures being used to meet the directive’s outcomes. They must establish a cybersecurity assessment program to test and regularly audit their cybersecurity measures, then identify and resolve any vulnerabilities.
“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience,” said TSA Administrator David Pekoske in a press release. “This directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”
The directive calls on the TSA-specified passenger and freight railroads to take steps to prevent disruption to, and degradation of, their infrastructure to boost cybersecurity. The steps include:
• developing network segmentation in policies and controls to ensure an operational technology system can continue to operate safely if the information technology system has been compromised (or vice versa);
• creating access control measures to secure and prevent unauthorized access to critical cyber systems;
• creating continuous monitoring and detection procedures to detect threats and correct anomalies that affect cyber system operations; and
• applying security patches and updates to operating systems, applications, drivers and firmware on cyber systems in a timely manner using a risk-based methodology.
The new TSA requirements institutionalize and build on existing and effective industry practices that have helped keep the nation’s rail network secure, and will help prevent cyber-related service disruptions, said Association of American Railroads President and CEO Ian Jefferies in a press release.
Through the AAR’s Rail Information Security Committee, railroads since 1999 have coordinated and shared cybersecurity information with each other to address cyber threats and improve network security.
“The industry has been a leader at bringing the right people and information together to address evolving cyber threats,” said Jefferies. “Collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving. We appreciate the administration’s efforts on these important issues.”