TSA issues cybersecurity directive for freight, passenger railroads

The U.S. Transportation Security Administration yesterday announced a new cybersecurity security directive for designated passenger and freight railroads.

The Enhancing Rail Cybersecurity strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes, TSA officials said in a press release.

The regulation was developed with "extensive input" from industry stakeholders and federal agencies, including the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration.

The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

• develop network segmentation policies and controls to ensure that the operational technology system can continue to safely operate in the event that an information technology system has been compromised, and vice versa;

• create access control measures to secure and prevent unauthorized access to critical cyber systems;

• build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and

• reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Passenger and freight railroad carriers are required to:

• establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger- and freight-rail carriers are utilizing to achieve the security outcomes set forth in the security directive; and

• establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks and systems.

The new TSA requirements build upon existing, effective industry practices that have helped keep the nation’s rail network secure and prevent associated operational disruptions, said Association of American Railroads President and CEO Ian Jefferies in a prepared statement.

Through AAR’s Rail Information Security Committee, railroads have coordinated and shared cybersecurity information at the industry level to address evolving threats and to enhance network security since 1999. 

"For more than two decades, the industry has been a leader at bringing the right people and information together to address evolving cyber threats," Jefferies said. "Collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving."