The Department of Homeland Security’s Transportation Security Administration (TSA) recently announced two new security directives as well as additional guidance for voluntary measures to strengthen the transportation sector’s cybersecurity.
The directives are targeted higher-risk freight railroads, passenger rail, and rail transit. Under the directives, owners and operators are required to designate a cybersecurity coordinator; report cybersecurity incidents within 24 hours; develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
Lower-risk surface transportation owners and operators received guidance to implement the same measures voluntarily.
The Association of American Railroads (AAR) released a statement following the announcement.
“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” AAR President and CEO Ian Jefferies said. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
In addition, the TSA recently updated its aviation security programs to require that airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents within 24 hours.