TSA releases new security directives regarding cybersecurity requirements for the rail industry

Hogan Lovells
On 2 December 2021, the United States Transportation Security Administration (TSA) released two Security Directives applicable to the rail industry that will require certain owners and operators to implement new cybersecurity measures.  The directives go into effect on December 31, 2021 and will expire on December 31, 2022, and TSA plans to engage in rulemaking in 2022 to augment these cybersecurity requirements.  The directives follow similar cybersecurity-focused directives issued earlier this year for pipeline companies, and further underscore the focus by TSA and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) on imposing specific cybersecurity requirements on industry to protect critical infrastructure.

The first directive, “Enhancing Public Transportation and Passenger Railroad Cybersecurity,” applies to owners or operators of passenger railroad or rail-transit systems, while the second directive, “Enhancing Rail Cybersecurity,” applies to freight railroad carriers.  Both directives require owners and operators to undertake the following four critical actions:

  • Cybersecurity Coordinator.  Within seven days (i.e., on or before January 7, 2022) owners and operators must designate a primary Cybersecurity Coordinator (and at least one alternate) to coordinate implementation of cybersecurity practices, manage cybersecurity incidents, and serve as the principal point of contact with TSA and CISA.  The Cybersecurity Coordinator must be available to TSA and CISA on a 24-hour/7-days-per-week basis. 
  • Reporting.  Owners and operators must report cybersecurity incidents (which are broadly defined within the directives) to CISA “as soon as practicable, but no later than 24 hours” after identifying an incident.  This requirement extends to incidents occurring on owners/operators’ Information Technology (IT) or Operational Technology (OT) networks or systems, and the directives also outline detailed reporting requirements.
  • Cybersecurity Incident Response Plan.  Owners and operators must develop and implement within 180 days (i.e., on or before June 29, 2022) a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should a cybersecurity breach affect their IT or OT systems.  The directives outline specific content requirements for the plan.
  • Cybersecurity Vulnerability Assessment.  Owners and operators must conduct and submit to TSA within 90 days (i.e., on or before March 31, 2022) a cybersecurity vulnerability assessment to: evaluate current practices and activities to address cyber risks; identify gaps in current cybersecurity measures; and identify remediation measures and a plan to address any identified vulnerabilities and gaps.

Pursuant to the directives, any information submitted by owners and operators may be shared among TSA, CISA, the National Response Center, and other agencies, as appropriate.  TSA also issued an Information Circular recommending (but not requiring) that owners and operators not covered by either of the Security Directives take the same actions to enhance cybersecurity.  

As companies continue to take a hard look at their own cybersecurity readiness, TSA has turned its focus to the rail sector to make sure it is up to the task.  TSA’s cybersecurity focus on the transportation sector is an outgrowth of the Colonial Pipeline ransomware incident, which underscored potential cybersecurity vulnerabilities in the nation’s critical infrastructure.  TSA’s recent efforts to increase cybersecurity readiness in the pipeline sector have resulted in new compliance initiatives that have led numerous pipeline companies to spend thousands of hours and millions of dollars upgrading, updating, and upscaling their cybersecurity protections.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising