Cybersecurity regulations for passenger and freight railroads renewed by TSA
The Transportation Security Administration (TSA) renewed cybersecurity directives for passenger and freight railroad carriers that were set to expire on Tuesday.
The rules — split into three separate directives — mandate that operators test parts of their cybersecurity incident response plans every year, submit annual updated cybersecurity assessment plans to TSA and report on the effectiveness of the efforts.
Carriers are mandated to develop network segmentation policies and controls that separate operational technology (OT) systems from general IT systems in case of compromise.
The directives also order carriers to create access control measures, build out detection policies for cyberthreats and implement timely patching or updating processes for operating systems, applications, drivers and firmware.
“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” said TSA Administrator David Pekoske, noting that the agency worked in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration on the documents.
The rules were first issued in October 2021 after the Colonial Pipeline ransomware attack brought cybersecurity to the forefront for the federal government and were renewed last October alongside several new measures. The latest renewal, issued Monday, extends all of the rules another year.
After facing backlash from experts and stakeholders in several industries for creating cybersecurity regulations considered too prescriptive, TSA officials revised their efforts and made the rules more performance-based in 2022, focusing on a variety of ways critical infrastructure organizations can prevent disruption and degradation to their operations.
The rail industry has seen its fair share of cyberattacks in recent years. In August, the largest switching and terminal railroad in the U.S. was hit with ransomware. In January, one of the world’s largest rail and locomotive companies announced a data breach that involved troves of employee information following an alleged ransomware attack last summer.
San Francisco’s Bay Area Rapid Transit (BART) had a ransomware attack in January. In April 2021, New York City's Metropolitan Transportation Authority — one of the largest transportation systems in the world — was hacked by a group based in China.
While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors in the system.
The same month, California's Santa Clarita Valley Transportation Authority dealt with a ransomware attack, and in 2020, the Southeastern Pennsylvania Transportation Authority had a ransomware incident.
Anne Neuberger, White House deputy national security adviser for cyber and emerging technology, hosted a group of railroad executives last year for a classified briefing about the cyberthreats posed by nations like Russia and China.
In recent months, TSA and CISA officials have warned that the Chinese government would consider destructive or disruptive attacks on American pipelines, railroads and other critical infrastructure if it believed the U.S. would get involved during a potential invasion of Taiwan.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.