New TSA Cybersecurity Directives for Passenger and Freight Railroads

By Rex Johnson

Here’s why it’s happening, and how you can meet the requirements.

In an ongoing effort to improve the cybersecurity readiness of vital infrastructure, the United States Transportation Security Administration (TSA) has issued new directives for passenger and freight railroads. Learn what this means for you as a railroad owner or operator, and how you can meet compliance requirements quickly and easily.

TSA Cybersecurity Directives

On December 1, 2021, the Transportation Security Administration (TSA) issued two new security directives that focus on both passenger and freight rail systems. These are known as Security Directive (SD) 1580-2021-01 “Enhancing Rail Cybersecurity” and SD 1582-2021-01 “Enhancing Public Transportation and Passenger Railroad Cybersecurity.”

These directives apply to all freight railroad carriers as well as Public Transportation/Passenger Rail (PTPR) system owners and operators of a passenger railroad or rail transit system. Both directives have an effective date of December 31, 2021 and require the same four critical actions described below.

Why is this happening?

Cybersecurity incidents affecting critical infrastructure such as surface transportation are a growing and evolving threat. In mid-November, the US Office of Management and Budget (OMB) released a supporting statement on Cybersecurity Measures for Surface Modes which outline the Security Directives. These directives are part of an ongoing effort by the federal government to improve the cybersecurity readiness of critical infrastructure and enhance national security.

Rail systems are not the only ones with this mandate. New directives have been provided for airport operators as well. According to experts, further cybersecurity requirements for the protection of critical infrastructure will continue.

According to DHS Secretary Alejandro Mayorkas, “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats. DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

These actions are in response to the Executive Order on Improving the Nation’s Cybersecurity signed into law by President Biden on May 12. These actions provided stricter requirements on meeting cybersecurity compliance. A breakdown of the order is available here.

What are the requirements?

The four critical actions required by these directives include:

  1. Designate a Cybersecurity Coordinator: The rail owner/operators must designate one primary, and at least one alternate at the corporate level, within seven days of the effective date (January 7, 2022). This will provide the appropriate point of contact(s) between the rail systems and TSA. The primary and alternate(s) must:
    1. Be a U.S. citizen and eligible to hold a security clearance;
    2. Serve as the primary contact for cybersecurity-related intelligence information, activities, and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA);
    3. Be available to TSA, and CISA at all hours and days (24x7);
    4. Coordinate cybersecurity related practices and procedures internally within their organization; and
    5. Work with appropriate law enforcement and emergency response agencies.
  2. Report Cybersecurity Incidents: Within 24 hours after a cybersecurity incident is identified, the rail owner/operators must report the incident to CISA. Incidents include:
    1. Unauthorized access of an information or operational technology system;
    2. Discovery of malicious software on an informational or operational technology system;
    3. Any activity that results in a denial of service (DoS) of these systems; and
    4. Any other incident that results in operational disruption of these systems, or other aspects of the owner/operator’s rail systems or facilities, or an incident that has the potential to cause impact to many passengers, critical infrastructure, core government function, or impacts national security, economic security, or public health and safety.
  3. Implement an Incident Response Plan: Within 180 days from the effective date (completed by June 29, 2022), the rail owner/operators must develop and adopt a Cybersecurity Incident Response Plan (CIRP). The plan must:
    1. Identify who (by position) is responsible for implementing specific measures of the plan;
    2. Prompt identification, isolation, and segregation of any infected system from the rest of the networks;
    3. Consult situational exercises, such as tabletops, to test the effectiveness of procedures, and personnel responsible for implanting measures in the CIRP; and
    4. Notify TSA in writing that they have met the requirement of a CIRP within seven days of completion.
  4. Cybersecurity Vulnerability Assessment: The rail owner/operators must complete a cybersecurity vulnerability assessment and identify gaps. This is not to be confused with a network vulnerability assessment; as it includes operational, business, and technical areas. TSA has provided a form for this requirement that the organization will submit. The assessment should identify remediation measures to address the vulnerabilities and gaps and implement the plan for such remediation. This vulnerability assessment must be completed within 90 days of the effective date of the directive (March 31, 2022).

What does this mean for you?

As the federal government raises the bar on meeting cybersecurity compliance, organizations need to take a risk-based approach to maintaining these standards. The reality is that many organizations will not be able to meet these deadlines without professional help. CAI can assist you in complying with these new requirements by helping you develop your incident response plan and conducting vulnerability assessments.  CAI has extensive experience in both the transportation and freight industries and can assist your organization.

To learn more about starting your assessment, please complete the contact form and our cybersecurity experts will reach out to you shortly.

New TSA Cybersecurity Directives for Passenger and Freight Railroads

Download PDF

About the Author...

Rex Johnson profile image

Rex Johnson is the CAI Cybersecurity Director & Practice Leader. He is a retired Lieutenant Colonel from the US Army and has over 30 years of senior-level experience holding CISSP, CISA, CIPT, PMP, and PCIP certifications.

Fill out the form below to get a customized cybersecurity assessment according to your organization’s requirements.

Related Resources

service desk team answering questions over the phone in front of computers
Virtual Event

Cybersecurity 2022: New Talent, Proven Procedures | LinkedIn Live Event

Cyber-attacks on businesses and government agencies are increasing at an alarming rate. With constraining budgets and aging legacy systems, many businesses and government agencies are ill-equipped to handle this responsibility alone. Join this 30-minute session to learn how taking the first, critical steps towards improving your cyber posture starts with finding the right talent and implementing proven procedures.

Register on LinkedIn
digital background with words "hacker attempt failed" highlighted

How Local Governments Can Get Ahead of Their Threat Opponents

Since COVID's onset, there's been a 300%* increase in cyberattacks (Cobalt). With organizations moving to remote work environments and new technologies, security vulnerabilities and gaps are surfacing due to outdated strategies. This month, the government and its industry partners evaluate cybersecurity measures ensuring data is protected and secure for all Americans. Read the Center for Digital Government's interview with CAI's Rex Johnson, to understand how to implement a strong cybersecurity strategy for the future.

Read the article
woman, sitting at desk, is in shock after she has accidentally opened a malicious email

Distracted by Phishing: 5 Steps Employees Can Take to Reduce Cyber Risk

According to global cyber education company Cybrint, 95% of cybersecurity breaches occur due to human error. Even with security awareness training becoming more commonplace, mistakes still happen. In this article, CAI's Rex Johnson provides tips to help encourage more security-minded habits across the workplace – from the C-suite on down.

Read the article