WASHINGTON — The U.S. Transportation Security Administration has issued its cybersecurity directives for freight and passenger railroads, a move greeted positively by the Association of American Railroads.
The 14-page directive requires railroads to submit a cybersecurity implementation plan to the TSA for approval within 120 days. That plan must address measures to prevent operational disruption to the railroad’s information technology system, establish access control measures, implement monitoring and detection policies for security threats, and establish procedures to ensure systems regularly receive security patches and updates.
In its announcement, the TSA says the directive was developed “with extensive input from industry stakeholders and federal partners,” including the Federal Railroad Administration and the TSA’s own Cybersecurity and Infrastructure Security Agency.
“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA Administrator David Pekoske. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”
AAR CEO Ian Jefferies said in a statement that “collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving. We appreciate the administration’s efforts on these important issues.”
The TSA first announced plans for new rail cybersecurity requirements in October 2021, with the intention of enacting them later that year. At the time, the AAR expressed concern that the rail industry had been given just three days to review the draft version of the directive, and that it would require actions that were already in place [see “Rail operators to face new cybersecurity requirements,” Trains News Wire, Oct. 7, 2021].