WASHINGTON — New rules from the Transportation Security Administration requiring railroads to report cybersecurity breaches and review their vulnerability to online attacks will take effect on Dec. 31.
Bloomberg reports the rules will require companies to report hacking incidents within 24 hours, conduct a vulnerability assessment, develop a plan to respond to hacking, and designate a cybersecurity coordinator.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro Mayorkas said in a statement.
The rules will finalize a proposal reported earlier this year [see “Rail operators to face new cybersecurity requirements,” Trains News Wire, Oct. 7, 2021], which received some pushback from railroads. A spokeswoman for the Association of American Railroads said then that the rules require moves “that have long been in place.” On Thursday the organization indicated many of its concerns had been resolved, with AAR CEO Ian Jefferies saying, “Railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
Now that PTC is implemented (perhaps not 100% effectively), now is the perfect time to start the cyber audits. All you have to say is “Colonial Pipeline” and people should get the drift.
PTC is just ripe for hacking. It’s only a matter of time.