The Transportation Security Administration (TSA) on Thursday issued two security directives requiring rail and rail transit groups to implement steps to strengthen cybersecurity of the sector, including a requirement to report cyber incidents to the federal government.
The security directives require higher-risk freight rail, passenger rail, and rail transit groups to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of detection and to designate a cybersecurity coordinator.
The directives also require these groups to complete vulnerability assessments of their networks and then develop a cybersecurity incident response plan based on security issues discovered. One directive applies to freight rail groups, while the other to passenger rail and rail transit companies, but are identical and will be made public.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats. DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide,” Homeland Security Secretary Alejandro Mayorkas said.
Mayorkas first announced the upcoming directive for the rail sector in October, pointing to the need in particular to protect against ransomware attacks.
Mayorkas also announced that a similar directive would be rolled out for the aviation sector, with senior DHS officials telling reporters Thursday that TSA had “recently updated aviation security programs to require airport operators to take similar steps” to what rail sector groups were being required to do.
Since Mayorkas’s announcement, key industry groups have expressed concerns around the planned directive, including the potential issue of the reporting mandate for incidents being too broad and not being aware of increased threats to the rail sector. One particular issue of concern was the need to define what type of cyber incident to report.
The senior DHS officials told reporters that TSA had worked with industry groups to address these concerns, and had given two drafts of the directives to stakeholders to review and provide feedback on prior to the announcement on Thursday.
“With respect to the definition the key balance that we need to strike is obviously trying to make sure that we capture those incidents that the government needs to be aware of because of the risk associated with it and making sure that we learn of those that rise to that level, while making sure that we don’t track every incident and get drowned out by the noise, so that is the careful balance we have tried to strike as we craft that language,” a senior DHS official said.
Victoria Newhouse, the deputy assistant administrator for Policy, Plans and Engagement at TSA testified during a House Transportation and Infrastructure Committee hearing Thursday that TSA had taken steps to heighten industry input in the directive, and was working “extremely closely” with other agencies in this effort.
“We have continued robust engagement,” Newhouse testified. “As recently as this week I along with several of my top leadership here at TSA have met with freight rail and passenger rail executives with a classified briefing in our facility to show them what we are seeing, elicit input, and ask them for more input for either future requirements or other guidelines that we could issue together by us just telling them this is what they need to do.”
Newhouse also noted that on Thursday ahead of the directive’s announcement, “a number of pipeline individuals, CISOs and other security personnel are receiving briefings as we speak, and we do have an apparatus around the United States to support those briefings thanks to our law enforcement and intelligence community partners.”
One of the groups that had expressed concerns was the Association of American Railroads (AAR), which represents rail companies across North America including the National Railroad Passenger Corporation, otherwise known as Amtrak. Jessica Kahanek, a spokesperson for AAR, told The Hill ahead of the announcement that some initial concerns had been addressed.
“AAR has had productive consultations with TSA officials in recent weeks to address adverse effects that the Security Directives, as originally drafted, would have on long-standing effective practices maintained by railroads,” Kahanek said. “As a result, we anticipate that changes have been made to the content of the directives to alleviate these significant concerns.”
TSA previously issued two security directives designed to shore up the cybersecurity of the pipeline sector earlier this year following the ransomware attack on Colonial Pipeline, which caused temporary shortages of gas in several states and crippled a key supply chain.
The previous directives for the pipeline sector required owners and operators to report cybersecurity incidents to CISA within 12 hours, to take security measures to protect against ransomware attacks and develop recovery plans in the event of a successful attack.