TSA updates cybersecurity requirements for railroad carriers

In an effort to reduce the risk of cybersecurity threats on critical railroad operations and facilities, the Transportation Security Administration Monday announced updates to three security directives regulating passenger and freight railroad carriers.

The updated directives, which were set to expire on Oct. 24, were renewed for one year with updates designed to strengthen the industry’s defenses against cyberattacks, officials said. The updates were made after the agency received input on the directives from industry stakeholders and federal partners like the Department of Transportation’s Federal Railroad Administration (FRA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” said TSA Administrator David Pekoske. “TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm.”

The updates require TSA-specified passenger and freight railroad carriers to take action to prevent cyberattacks on their infrastructure through flexible, performance-based approaches, consistent with TSA’s pipeline operator requirements.

The updates include a requirement that covered owners and operators test at least two objectives in their Cybersecurity Incident Response Plan every year, and that all of the employees identified as active participants in those plans take part in the exercises. Additionally, the revised directives require railroad owners and operators to submit updated Cybersecurity Assessment Plans to TSA annually for review and approval, as well as report the previous year’s results.