Government

Rail industry gets new cyber directives from TSA

Companies will have to designate cybersecurity coordinators and follow clear rules for incident response.

December 2, 2021

WASHINGTON, DC - NOVEMBER 09: Maryland Area Regional Commuter (MARC) trains sit on the tracks at Union Station on November 9, 2021 in Washington, DC. (Photo by Drew Angerer/Getty Images)

U.S. rail companies must commit more attention and resources to cybersecurity under Transportation Security Administration directives announced Thursday by the Department of Homeland Security.

The new requirements include that surface rail owner and operators designate a cybersecurity coordinator; report a cybersecurity incident to DHS’s cybersecurity agency within 24 hours; complete a vulnerability assessment; and create a plan to respond to cybersecurity incidents.

The directives will cover approximately 80 percent of freight rail and 90 percent of passenger rail, according to a DHS official.

DHS Secretary Alejandro Mayorkas announced that TSA would be rolling out directives for surface transportation in an October speech at the Billington cybersecurity summit.

Early plans for the directives, which would have required companies to report incidents within 12 hours, received criticism from industry and Republicans.

In October, Republicans led by Sen. Rob Portman of Ohio called for DHS’s OIG to investigate the directives, citing industry complaints that the agency should “give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible.”

A DHS official pushed back against the concerns in a call with reporters, noting that the requirements are baseline best cybersecurity practices many companies already follow. DHS officials say that they worked with the industry while developing the directives, including sharing and receiving comments on two drafts.

The directives go into effect December 31. Owners and operators will have 90 days to conduct a cybersecurity vulnerability assessment and 180 days to implement a cybersecurity incident response plan.

The TSA this summer also issued additional security requirements for the pipeline sector after a May ransomware attack on Colonial Pipeline, one of the largest east coat fuel providers. At the time, no mandatory cybersecurity requirements existed for private pipeline operators and owners.

At a House Transportation Committee hearing Thursday, Chairman Peter DeFazio, D-Ore., praised the new directives as a positive step for the industry.

“Voluntary cooperation sometimes isn’t enough,” he said. “The leeches on Wall Street are going to say, ‘Hey, why are you spending all that money on cybersecurity, it’s driving down your stock price? We just want to see you put the money in the bank.'”

Republican Rep. Brian Babin of Texas expressed skepticism.

“We’ve got to be extraordinarily careful as lawmakers and rulemakers to make sure we don’t meddle in something we don’t understand and unintentionally create more bloated regulation or stifle innovation with overly burdensome requirements that don’t truly secure our infrastructure,” he said.

Tim Starks contributed reporting to this story.