What are the new US Transportation Security Administration (TSA) cybersecurity directives and why have they been implemented?
In an ongoing effort to improve the cybersecurity readiness of vital infrastructure, the United States Transportation Security Administration (TSA) has issued new directives for passenger and freight railroads. Learn what this means for you as a railroad owner or operator, and how you can meet compliance requirements quickly and easily.
- The TSA has issued new cybersecurity directives for passenger and freight rail systems that go into effect December 31, 2021
- These requirements will affect approximately 80% of freight rail operators and 90% of passenger rail across the country
- Railroad owners/operators must take 4 critical actions to meet the requirements
- These new measures are part of the broader effort to protect the nation’s critical infrastructure from disruptive ransomware attacks and ongoing cyber-espionage
What are TSA cybersecurity directives?
On December 1, 2021, the Transportation Security Administration (TSA) issued two new security directives that focus on both passenger and freight rail systems. These are known as Security Directive (SD) 1580-2021-01 “Enhancing Rail Cybersecurity” and SD 1582-2021-01 “Enhancing Public Transportation and Passenger Railroad Cybersecurity.”
These directives apply to all freight railroad carriers as well as Public Transportation/Passenger Rail (PTPR) system owners and operators of a passenger railroad or rail transit system. Both directives have an effective date of December 31, 2021, and require the same four critical actions described below.
How can passenger and freight railways meet the new requirements?
Cybersecurity incidents affecting critical infrastructure such as surface transportation are a growing and evolving threat. In mid-November, the US Office of Management and Budget (OMB) released a supporting statement on Cybersecurity Measures for Surface Modes which outlines the Security Directives. These directives are part of an ongoing effort by the federal government to improve the cybersecurity readiness of critical infrastructure and enhance national security.
Rail systems are not the only ones with this mandate. New directives have been provided for airport operators as well. According to experts, further cybersecurity requirements for the protection of critical infrastructure will continue.
According to DHS Secretary Alejandro Mayorkas, “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats. DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
These actions are in response to the Executive Order on Improving the Nation’s Cybersecurity signed into law by President Biden on May 12. These actions provided stricter requirements for meeting cybersecurity compliance. A breakdown of the order is available here.
What are the requirements?
The four critical actions required by these directives are:
- Designate a cybersecurity coordinator: The rail owner/operators must designate one primary and at least one alternate coordinator at the corporate level within seven days of the effective date (January 7, 2022). This provides the appropriate point(s) of contact between the rail systems and TSA. The primary and alternate(s) must:
  - Be a U.S. citizen and eligible to hold a security clearance
  - Serve as the primary contact for cybersecurity-related intelligence information, activities, and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA)
  - Be available to TSA and CISA at all hours and days (24x7)
  - Coordinate cybersecurity-related practices and procedures internally within their organization
  - Work with appropriate law enforcement and emergency response agencies
- Report cybersecurity incidents: Within 24 hours after a cybersecurity incident is identified, the rail owner/operators must report the incident to CISA. Incidents include:
  - Unauthorized access of an information or operational technology system
  - Discovery of malicious software on an information or operational technology system
  - Any activity that results in a denial of service (DoS) of these systems
  - Any other incident that results in operational disruption of these systems or of other aspects of the owner/operator's rail systems or facilities, or an incident that has the potential to cause impact to many passengers, critical infrastructure, or core government functions, or that impacts national security, economic security, or public health and safety
- Implement an incident response plan: Within 180 days from the effective date (completed by June 29, 2022), the rail owner/operators must develop and adopt a Cybersecurity Incident Response Plan (CIRP). The plan must:
  - Identify who (by position) is responsible for implementing specific measures of the plan
  - Provide for prompt identification, isolation, and segregation of any infected system from the rest of the networks
  - Use situational exercises, such as tabletops, to test the effectiveness of procedures and of the personnel responsible for implementing measures in the CIRP
  - Notify TSA in writing that they have met the requirement of a CIRP within seven days of completion
- Cybersecurity vulnerability assessment: The rail owner/operators must complete a cybersecurity vulnerability assessment and identify gaps. This is not to be confused with a network vulnerability assessment, as it includes operational, business, and technical areas. TSA has provided a form for this requirement that the organization will submit. The assessment should identify remediation measures to address the vulnerabilities and gaps, and implement the plan for such remediation. This vulnerability assessment must be completed within 90 days of the effective date of the directive (March 31, 2022).
What does this mean for you?
As the federal government raises the bar on meeting cybersecurity compliance, organizations need to take a risk-based approach to maintain these standards. The reality is that many organizations will not be able to meet these deadlines without professional help. CAI can assist you in complying with these new requirements by helping you develop your incident response plan and conducting vulnerability assessments. CAI has extensive experience in both the transportation and freight industries and can assist your organization.