The Transportation Security Administration issued long-awaited directives Tuesday designed to enhance the cyber resilience of the nation’s freight and passenger rail systems. The measures are part of a wider effort by the Biden administration to protect critical infrastructure against malicious hacks.
Passenger and freight rail operators will be required to develop a TSA-approved Cybersecurity Implementation Plan, which describes specific measures the company is taking.
Companies will also need to establish a Cybersecurity Assessment Program, which will be used to conduct proactive testing and regular audits of cybersecurity upgrades and check for vulnerabilities in various systems, devices and networks.
“The nation’s railroads have a long track record of forward looking efforts to secure their network against cyberthreats and have worked hard over the past year to build additional resilience,” TSA Administrator David Pekoske said in the announcement Tuesday. “This directive, which is based on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”
The Biden administration's efforts to protect key critical infrastructure providers stepped up folliowing the 2021 ransomware attacks on Colonial Pipeline and meat supplier JBS USA.
The measures, designed with the Cybersecurity and Infrastructure Security Agency and the Federal Railroad Administration, are intended to protect vulnerable systems that are essential to making sure trains run safely and on time.
They will specifically help address the following issues:
- Develop network segmentation policies and controls to protect operational technology against attacks on IT systems.
- Create access control measures to prevent unauthorized access to critical systems.
- Build continuous monitoring and detection policies and procedures to detect cyber threats.
- Apply security patches and operating system updates to reduce the risk of exploitation of unpatched systems.
The TSA in December 2021 announced new directives and voluntary guidelines to boost passenger rail and higher risk freight security, primarily addressing incident reporting and coordination.
Josh Lospinoso, founder and CEO of Shift5, noted the nation’s rail industry has faced serious threats in recent years, pointing out an April 2021 attack on the Metropolitan Transportation Authority in New York by suspected state-linked hackers and a ransomware attack against the Santa Clara Valley Transportation Authority.
“The growing frequency and severity of attacks is a national security concern,” Lospinoso said via email. “Rail serves as a critical enabler of our nation’s economy.”
The rail industry was already under tremendous pressure this year, as the industry faced a potentially crippling strike by tens of thousands of workers before a deal was reached in mid September.
The Association of American Railroads said there is no higher priority for the rail industry than the safety and security of its national network.
“Collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving,” the association said in a statement.