The Transportation Security Administration (TSA) on Tuesday evening said it has issued new cybersecurity directives mandating new requirements for passenger and freight railroad carriers, building on prior security directives aimed at rail carriers.
The latest directives require passenger and freight railroad carriers to strengthen their networks through segmentation policies and controls to ensure operational technology systems can safely function if information technology systems are compromised. It also requires access control measures, continuous monitoring and detection policies to detect threats and correct anomalies, and timely security patches and updates for operating systems and applications.
The requirement also directs carriers to establish and implement a TSA-approved plan describing the specific measures they are taking to achieve cybersecurity outcomes in the directive. It also requires them to establish a cybersecurity assessment program to test and routinely audit the effectiveness of the measures taken in the implementation plan and to identify and resolve vulnerabilities.
The directive was developed with input from industry stakeholders and federal partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration. Prior security directives focused on incident report to CISA, establishing a point of contact for cybersecurity, developing a cybersecurity incident response plan, and conducting a vulnerability assessment.
In the past 17 months, TSA has also issued cybersecurity directives for pipeline owners and operators, and airline and airport operators. The wave of requirements was driven by a ransomware attack against a U.S. pipeline operator in May 2021 that forced the company to temporarily shut down operations.