October 24, 2022

TSA releases security directive requiring railroads to enhance critical cyber systems

The Department of Homeland Security’s Transportation Security Administration (“TSA”) recently released a new cybersecurity directive to address the ongoing cybersecurity threat to passenger and freight railroad carriers and reduce the risk of harm to the national and economic security of the United States, including potential supply chain disruptions, that may result from just a minor disruption in critical rail systems. The security directive was developed by the TSA in consultation with Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the Department of Transportation’s Federal Railroad Administration.  The security directive entitled “Rail Cybersecurity Mitigation Actions and Testing” is effective on October 24, 2022 and will expire in one year, on October 24, 2023.

The security directive applies to the same railroads that are subject to the Security Directive 1580-21-01 “Enhancing Rail Cybersecurity,” which went into effect on December 31, 2021, as well as additional TSA-designated freight and passenger railroads that have been notified by the TSA based on a risk determination.  Under the directive, these owners and operators are required to establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the measures to be taken and a proposed timeline for achieving an approved system.  The directive also requires owners and operators to establish a Cybersecurity Assessment Program and submit an annual plan to the TSA that describes how the program will be maintained and how owners and operators will address any discovered vulnerabilities.  In order to establish a TSA-approved Cybersecurity Implementation Plan, owners and operators of freight and passenger railroads must:

1. Develop network segmentation policies and controls to ensure that their operational technology systems can safely operate if the information technology system has been compromised;
2. Implement access control measures to secure their networks and prevent unauthorized access to critical systems;
3. Implement continuous monitoring and detection policies and procedures that detect cybersecurity threats and correct anomalies in critical cyber systems; and 
4. Adopt a risk-based methodology that would enable the timely application of security patches and system updates in order to reduce the risk of exploitation of unpatched systems.

All TSA-specified owners and operators of freight and passenger railroads will be required to submit a Cybersecurity Implementation Plan to the TSA for approval.  Once approved, the TSA will use the plan to set security measures and requirements which the TSA will ultimately use to inspect for compliance.

TSA Press Release | Security Directive 1580/82-2022-01 – Rail Cybersecurity Mitigation Actions and Testing