The Transportation Security Administration (TSA) issued two Security Directives that mandate cybersecurity actions by passenger railroads and rail transit agencies and freight railroads, respectively.
Since Secretary Mayorkas’ October announcement that TSA would issue such directives, AAR and the rail industry have had productive consultations with agency officials to revise provisions that would have posed challenges in implementation.
With the final directives released, a number of the industry’s most significant concerns have been addressed.
“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
Specifically, the Security Directives mandate four categories of actions:
– Appointment of a primary and alternate Cybersecurity Coordinator with TSA;
– Reporting of cybersecurity incidents to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA);
– Completion of a cybersecurity self-assessment using a form provided by TSA; and
– Development and implementation of a Cyber Incident Response Plan.
Every Class I railroad and Amtrak, as well as many commuter and short line carriers, have chief information security officers and cybersecurity leads who will serve as the required Cybersecurity Coordinators. Further, railroads have conducted cybersecurity assessments on a recurring basis and have developed, exercised and applied Cyber Incident Response Plans.
Through the AAR’s Railway Alert Network (RAN), railroads have been reporting significant cyber threats, incidents and security concerns to TSA, DHS and the Department of Transportation (DOT) since 2014. AAR does note that an unresolved issue is the appointment of cybersecurity coordinators by railroads headquartered in Canada and will work with TSA and its Canadian members to resolve that issue.