TSA issues mandatory requirements for ‘high-risk’ rail infrastructure

US Department of Homeland Security heeds calls for tougher cyber-resilience rules for transport sector

The US Transportation Security Administration (TSA) has ordered operators of critical rail infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

A pair of security directives issued by the TSA on December 2 also oblige organizations involved in ‘high-risk’ freight railroads, passenger rail, and rail transit to designate a cybersecurity coordinator.

Among other things, the cybersecurity coordinator will report to the TSA and CISA and oversee the formulation and implementation of a cybersecurity incident response plan as well as the completion of a cybersecurity vulnerability assessment.

The TSA, which is part of the Department of Homeland Security (DHS), has issued separate, voluntary guidance recommending that the same measures are adopted by lower-risk surface transportation owners and operators.

‘Evolving threats’

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said secretary of homeland security Alejandro N Mayorkas.

“DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

Catch up with the latest critical infrastructure security news

The aviation sector was also recently instructed to appoint a cybersecurity coordinator and notify the CISA of security incidents within 24 hours, with the TSA saying further provisions are in the pipeline.

The TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency, according to a press release published by the DHS.

Security sprints

The measures have emerged from a 60-day transport security ‘sprint’, which follows other DHS sprints focused on ransomware, an infosec recruitment drive, and industrial control systems. Election security and international capacity-building sprints are still to come.

While the mandatory requirements will likely be welcomed by many in the infosec industry, Tara Wisniewski, executive VP of advocacy, global markets, and member engagement at infosec training nonprofit (ISC)², has previously suggested such measures are necessary but not sufficient.

“The key to establishing and maintaining those standards is education and professional development, which needs to be mandated side-by-side with technology and other best practice measures,” she told The Daily Swig in October, after lawmakers had urged the DHS to introduce tougher security standards for the transport sector.

Cybersecurity has been a cornerstone of President Biden’s agenda in the wake of a series of devastating cyber-attacks to impact federal agencies and critical infrastructure.

A wide-ranging executive order signed in May ordered an overhaul of federal software procurement and instructed software vendors to promptly notify US federal government customers of security breaches.

RELATED FTC implements tougher data protection rules to safeguard customer information