Thursday, June 20th, 2024

TSA renews cybersecurity requirements for railroad carriers


On Monday, the Transportation Security Administration (TSA) announced it had renewed updates to security directives that regulate passenger and freight railroad carriers.

The revised directives, part of an effort to enhance the cybersecurity of surface transportation systems and associated infrastructure, were set to expire on Oct. 24 but have instead been renewed for one year, officials said. The renewed directives also include updates seeking to strengthen the industry against cyberattacks.

“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” said TSA Administrator David Pekoske.

Developed after consultation with industry stakeholders and federal partners like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration, the security directives enhance cybersecurity for railroad operations across the country. The updates require TSA-specified passenger and freight railroad carriers to take action to protect their cyber infrastructure with a flexible, performance-based approach, consistent with TSA’s requirements for pipeline operators.

“TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm,” Pekoske said.

The revised directives, Enhancing Rail Cybersecurity, and the revised SD series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, require testing a minimum of two objectives in covered owners’ and operators’ Cybersecurity Incident Response Plans every year. The updates also require that employees identified as active participants in those plans take part in the exercises.

A third updated directive, Rail Cybersecurity Mitigation Actions and Testing, also requires owners and operators to submit Cybersecurity Assessment Plans to TSA annually for review and approval, as well as report results from previous years using a schedule that assesses and audits specific cybersecurity measures every three years.