This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
12/3/2021
The Transportation Security Administration (TSA) yesterday announced two new security directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to ongoing threats to surface transportation systems and associated infrastructure.
The actions are among several steps the U.S. Department of Homeland Security (DHS) is taking to increase cybersecurity for critical U.S. infrastructure, according to a press release issued by the TSA, which is is part of DHS.
TSA aims to boost cybersecurity in the transportation sector through the security directives, appropriately tailored regulations and voluntary engagement with key stakeholders. To develop that approach, the administration sought input from industry stakeholders and federal partners, including the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), which provided guidance on cybersecurity threats to the transportation network and countermeasures.
The TSA security directives announced yesterday target higher-risk freight and passenger railroads. The directives require owners and operators to: designate a cybersecurity coordinator; report cybersecurity incidents to CISA within 24 hours; develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
Also yesterday, the TSA issued guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures.
Since Homeland Security Secretary Alejandro Mayorkas’ October announcement that the TSA would issue the cybersecurity directives, the Association of American Railroads (AAR) and the rail industry have had "productive consultations" with federal officials to revise provisions that would have posed challenges in implementation, AAR officials said in a press release.
A number of the industry's most significant concerns have been addressed in the final version of the directives, they said.
"For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats," said AAR President and CEO Ian Jefferies. "Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe."
Railroads have chief information security officers and cybersecurity leads, conduct cybersecurity assessments on a recurring basis and maintain cyber incident response plans. But one issue that's not yet resolved is the appointment of cybersecurity coordinators by railroads headquartered in Canada. The AAR will work with the TSA and its Canadian members to resolve that issue, AAR officials said.