TSA Announces a New Cybersecurity Directive for Freight and Passenger Railroads

Last week, the Transportation Security Administration (TSA) announced a new cybersecurity directive for passenger and freight railroads. It is effective for one year, starting on October 24th, 2022, and replaces the cybersecurity directive from TSA that was issued last year, Railway Age reports.

The directive states that passenger and freight railroads need to implement a variety of cybersecurity measures to help prevent disruptions to their infrastructure and/or operations.

TSA Administrator David Pekoske pointed to the railroads’ existing work on cybersecurity: “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”

Measures freight and passenger railroads are required to implement

  1. Establish and implement a TSA-approved Cybersecurity Implementation Plan
  2. Establish a Cybersecurity Assessment Program and submit a yearly plan to TSA that details how the railroad will proactively test and regularly audit the effectiveness of cybersecurity measures, and identify and resolve device, network and/or system vulnerabilities

Additionally, the security directive requires TSA-specified freight and passenger railroad carriers to take action to prevent disruption and degradation of their infrastructure by achieving the following critical security outcomes:

  • Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa
  • Create access control measures to secure and prevent unauthorized access to critical cyber systems
  • Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber systems operations
  • Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology

How has the industry responded?

Those in the industry recognize the importance of proper cybersecurity and understand that the new TSA requirements will continue to build upon existing industry practices.

Furthermore, the Association of American Railroads (AAR) has stated its appreciation for the administration’s efforts on these important issues. Roie Onn, Co-Founder and CEO of Cervello, a rail security firm, echoed the AAR’s comments: “as the rail industry continues to advance and digitize, having an effective and proactive cybersecurity plan becomes critical for the preparedness and resilience of railroad operations.”

Looking Ahead

This security directive allows TSA to continue to take steps to protect transportation infrastructure in the current threat environment.

As always, we will continue to provide updates on the latest in the industry throughout the year and beyond. Should you have any questions or comments, please don’t hesitate to contact our team today!
