The Transportation Security Administration (TSA) in December 2021 issued two security directives requiring higher-risk freight railroads, passenger rail and rail transit to implement measures to strengthen cybersecurity within the sector.
In its press release, the TSA stated that it determined these requirements needed to be issued immediately to protect the transportation sector. The TSA also stated that it sought input from industry stakeholders and federal partners, including the Cybersecurity and Infrastructure Security Agency (CISA), in developing its approach.
Railroad Security and Incident Disclosures: TSA Guidance
Key among the requirements in the security directives is a requirement to report cybersecurity incidents to CISA within 24 hours. The directives also require these rail transportation owners and operators to:
- Designate a cybersecurity coordinator;
- develop and implement a cybersecurity incident response plan; and
- conduct a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
Homeland Security Secretary Alejandro Mayorkas said the new requirements “will help keep the traveling public safe and protect our critical infrastructure from evolving threats” and indicated that the Department of Homeland Security will continue public and private partnerships to increase the resilience of critical infrastructure.
Ian Jefferies, president and CEO of the Association of American Railroads, said in a statement that “ailroads take these threats seriously and value our productive work with government partners to keep the network safe.”
The press release also announced that the TSA is releasing guidance recommending that all other lower-risk rail transportation owners and operators voluntarily implement the same measures.
Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.