The Transportation Security Administration (TSA) issued two security directives on Thursday, requiring rail and rail transit groups to take steps to strengthen cybersecurity in the sector, including reporting cyber incidents to the federal government.
The security directives require higher-risk freight rail, passenger rail, and rail transit organizations to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery and to appoint a cybersecurity coordinator.
The directives also call for these organizations to conduct vulnerability assessments on their networks and then create a cybersecurity incident response plan based on the security issues discovered. One directive applies to freight rail groups, while the other applies to passenger rail and rail transit companies; however, both are identical and will be made public.
“These new cybersecurity requirements and recommendations will help keep travelers safe and our critical infrastructure safe from evolving threats,” Homeland Security Secretary Alejandro Mayorkas said. “DHS will continue to collaborate with partners at all levels of government and in the private sector to strengthen the resilience of our critical infrastructure across the country.”
Mayorkas first announced the upcoming rail directive in October, emphasizing the importance of protecting against ransomware attacks in particular.
Mayorkas also stated that a similar directive would be issued for the aviation sector, with senior DHS officials telling reporters on Thursday that the TSA had “recently updated aviation security programs to require airport operators to take similar steps” to what rail sector groups were required to do.
Since Mayorkas’ announcement, key industry groups have expressed concerns about the planned directive, including the possibility that the reporting mandate for incidents is too broad and that the rail sector is not aware of increased threats. One particular source of concern was the requirement to specify the type of cyber incident to report.
Senior DHS officials told reporters that the TSA had worked with industry groups to address these concerns, and that two drafts of the directives had been distributed to stakeholders for review and feedback prior to the announcement on Thursday.
“With respect to the definition, the key balance that we need to strike is obviously trying to make sure that we capture those incidents that the government needs to be aware of because of the risk associated with it and making sure that we learn of those that rise to that level, while not tracking every incident and getting drowned out by the noise,” a senior DHS official said.
TSA’s deputy assistant administrator for Policy, Plans, and Engagement, Victoria Newhouse, testified Thursday before the House Transportation and Infrastructure Committee that the agency had taken steps to increase industry input in the directive and was working “extremely closely” with other agencies in this effort.
“We have continued to engage vigorously,” Newhouse testified. “As recently as this week, I and several of my top leadership here at TSA met with freight rail and passenger rail executives in our facility for a classified briefing to show them what we’re seeing, elicit input, and ask for more input for either future requirements or other guidelines that we could issue together by simply telling them this is what they need to do.”
Newhouse also stated that “a number of pipeline individuals, CISOs, and other security personnel are receiving briefings as we speak,” and that “we do have an apparatus around the United States to support those briefings thanks to our law enforcement and intelligence community partners.”
The Association of American Railroads (AAR), which represents rail companies across North America, including the National Railroad Passenger Corporation, or Amtrak, was among those who expressed concern. AAR spokesperson Jessica Kahanek told The Hill ahead of the announcement that some initial concerns had been addressed.
“In recent weeks, AAR has had fruitful consultations with TSA officials to address the negative effects that the Security Directives, as originally drafted, would have on long-standing effective practices maintained by railroads,” Kahanek said. “As a result, we anticipate that changes to the directives’ content have been made to alleviate these significant concerns.”
Earlier this year, TSA issued two security directives aimed at strengthening pipeline cybersecurity, following the ransomware attack on Colonial Pipeline, which caused temporary gas shortages in several states and crippled a critical supply chain.
The previous pipeline sector directives required pipeline owners and operators to report cybersecurity incidents to CISA within 12 hours, to implement security measures to protect against ransomware attacks, and to develop recovery plans in the event of a successful attack.