Cyberthreats to railroads loom as industry and TSA grow an uneasy partnership
If the U.S. ever goes to war with a major adversary, one of the first waves of cyberattacks will likely target infrastructure that rarely comes up in discussions about digital threats: railroads.
Americans understand that power, water and healthcare systems face constant and sometimes sophisticated hacks from foreign governments and criminal gangs. But the U.S. pays far less attention to vulnerabilities in its rail system — even though the consequences of stalled or crashed trains could be disastrous.
“We can't live without rail,” said Tom VanNorman, senior vice president at the industrial cybersecurity firm GRIMM.
Until recently, the government left it up to railroad operators to decide how to protect themselves. But in 2022, the Transportation Security Administration issued the first-ever federal cyber regulations for railroads, ordering freight and passenger carriers and public-transit systems to implement basic security measures and report incidents when they occur.
Over the past two years, rail operators have made progress in adopting the required protections and deepening ties with the TSA. But interviews with experts suggest that the rail industry still lags behind other major infrastructure sectors in understanding the severity of the threats it faces and marshaling resources accordingly.
To shore up rail networks’ defenses against hackers, railroads will need to embrace a mission that is still relatively new for them, the government will have to balance security imperatives with business realities, and both sides of the partnership will have to build trust after a regulatory rollout that rankled the industry.
“This is an area where national security, economic security, and public safety are front and center,” said Grant Geyer, chief strategy officer at the operational technology (OT) cyber firm Claroty. “It’s incredibly important to put focus and spotlight in this area.”
'Ripe opportunity' for attacks
As new railroad technology has improved physical safety and made it easier to monitor and control trains and tracks, those digitized systems have also created opportunities for hackers to disrupt operations and even cause fatal crashes.
“The railroads, just like every other industry, became more connected to the internet for remote operations … which, if it's not correctly managed, leaves you open to somebody being able to gain access to your network,” said a senior TSA official, who requested anonymity to speak candidly.
Rail infrastructure — from tracks to switches to substations — spreads across vast distances, making security upgrades difficult and time-consuming. Some equipment can’t be upgraded and requires extensive planning to replace. And rail operators allow a wide variety of computer engineers to access their networks, often without strict controls.
These conditions create “a ripe opportunity” for cyberattacks, according to Robert Huber, chief security officer at the OT cyber firm Tenable.
The potential consequences of these vulnerabilities are serious and varied.
Hackers could sabotage and derail trains, causing mass casualties, widespread property damage, and, depending on the train, possibly even toxic chemical releases like the one in East Palestine, Ohio, in February 2023. A cyberattack that freezes up tracks could prevent trains from moving the freight that powers the U.S. economy, from still-essential coal to live chickens. Bad actors could also disable automated signaling systems and force companies to revert to slower manual operations, paralyzing rail networks designed to operate on precise schedules.
Rail outages would be especially dangerous during wartime, when the U.S. military needs trains to move troops, supplies, and vehicles to naval bases for deployment.
“Disrupting this infrastructure degrades America’s ability to mobilize its forces,” said Annie Fixler, deputy director of the think tank Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.
The Ukraine war has vividly demonstrated railroads’ strategic importance, as both sides have attacked the other’s rail infrastructure to disrupt supplies of weapons and fuel. And the Biden administration has repeatedly warned that China, through its infrastructure-focused Volt Typhoon operation, is intent on sabotaging U.S. rail systems in the event of a conflict over Taiwan.
Senior government officials are tracking these risks.
“Rail transportation, and transportation systems in general, have been consistently mentioned in intelligence,” said the senior TSA official. “We continue to be concerned.”
There haven’t been any “major operational disruptions” yet, the official said, but “we have seen incidents.”
Growing pains
Despite the high stakes, the rail industry has not kept pace with growing digital threats, according to multiple experts who work with these companies.
Railroads are “a little bit behind” on cybersecurity, Huber said, because their “focus has been more on rail safety.”
“Cybersecurity is not core to their vernacular,” Geyer said.
The six U.S. freight rail operators — BNSF, Canadian National Railway, CPKC, CSX, Norfolk Southern, and Union Pacific — declined to comment for this story. But the Association of American Railroads (AAR), the trade group representing freight carriers, defended its members. “The industry has had a strong focus on cybersecurity for over two decades,” spokesperson Jessica Kahanek said.
Amtrak, the country’s dominant passenger rail operator, declined an interview request. Spokesperson Olivia Irvin said safety and security are Amtrak’s “highest priority” and the company is “building capabilities to comply [with] and in many cases exceed” government requirements.
But while rail operators had some basic defenses before the TSA’s rules, “it certainly wasn’t to the level of what they should be doing,” said VanNorman.
Rail operators face multiple challenges. Their systems need to be interoperable so that, for example, Amtrak trains can travel on BNSF Railway tracks. But upgrading interconnected systems requires lengthy consultations with multiple equipment vendors. And these changes can be expensive, not to mention logistically daunting for companies without full-time cybersecurity teams.
Requiring the basics
The TSA’s rail cybersecurity directives, first issued in October 2022 and renewed a year later, mandate several basic protections. The first two directives require freight operators and public transit and passenger rail operators to designate cyber leads, report incidents to the government, create incident response plans and conduct vulnerability assessments. The third directive requires all covered companies to adopt TSA-approved plans to meet four security goals: network segmentation, access controls, continuous monitoring and patching.
Instead of mandating specific ways to meet these four goals, the directive lets companies propose solutions. The TSA tried a more rigid approach with the pipeline industry in 2021 and faced intense criticism for it. “We learned a lesson there that that is not the way to manage cybersecurity,” the senior TSA official said.
Experts praised the TSA’s rail requirements. VanNorman called them “a really good start for an industry that historically has not had any sort of cybersecurity regulations.”
The freight rail industry was less pleased.
AAR spokesperson Kahanek said the TSA published the directives after “very limited industry input,” which required “significant” revisions to address “problematic requirements.” (Even so, she said, all of the group’s members have met the requirements.)
On the other hand, the Massachusetts Bay Transportation Authority — the only one of the seven public-transit systems contacted for this story that provided a comment — praised the directives. Spokesperson Lisa Battiston highlighted their “adaptive and risk-based approach.”
The TSA sees the railroads making progress. “We’re actively working with them,” the senior official said, “and there’s a learning curve.” The agency has been especially focused on helping the smaller, understaffed railroads that often operate tracks at the ends of rail lines.
All covered railroads have submitted the required cyber upgrade plans, and the TSA is in the process of reviewing them. “We do see some bright signposts that the things that we've asked people to do are working,” the senior official said.
Some company managers have privately thanked the TSA for helping them justify major new security investments to executives who might otherwise have put off the expenses, the official said. “A federal mandate to do things gave them the impetus to convince a board or somebody who is controlling the budget to say, ‘Yeah, we’ll make that investment now.’”
Building on a partnership
The success of the TSA’s program will depend on how smoothly it can work with rail operators to maintain its regulations.
The agency’s compliance and inspections team holds biweekly meetings with companies to solicit feedback and answer questions. The agency also has hosted webinars to address common issues and produced lengthy guidance documents with examples of how to implement the directives.
“Our relationship with the railroads is a strong one,” the senior TSA official said. “We never see eye to eye on 100% of everything, but we've found a mutually agreeable compromise.”
Kahanek said the AAR has “had productive conversations that have yielded tangible improvements,” including giving railroads more time to report hacks.
The relationship hasn’t always been easy. The TSA recently declared that mandatory safety technology called positive train control (PTC) qualifies as a “critical cyber system” subject to the regulations. “That came after a significant amount of debate with railroads,” the TSA official said. The industry argued that PTC wasn’t necessary for operations, but the government concluded that it needed safeguards. Past PTC failures have caused traffic suspensions and slowdowns.
“We're not blind to the fact that these things cost money,” the TSA official said, “but we believe that those costs are necessary to prevent widespread system disruption.” The official said “we're probably going to be asking for a little bit more” from industry every year.
The TSA is also working on codifying its temporary directives into formal regulations. As part of that process, the agency plans to add new requirements — pegged to guidance from CISA and the National Institute of Standards and Technology — that address corporate governance, not just technical measures.
“We want to position [companies] for the long term to be able to have a good, solid cybersecurity program,” the TSA official said. “There are some things that we think are appropriate for a long-term program … that we will add.”
It remains to be seen how railroads will respond to those new mandates. Fixler said the rail industry still doesn’t “understand what TSA is trying to do.” But the stakes of this work have grown exponentially as China and other adversaries seek ways to paralyze America in a crisis.
“The risk is there, it's real,” Geyer said, “and while it may not be realized today, if that risk is realized, it has extreme consequence.”
Eric Geller is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.