(WWLP) – The Transportation Security Administration (TSA) has updated three security directives (SD) regulating passenger and freight railroad carriers to keep surface transportation systems and associated infrastructure secure.
The revised directives, which were set to expire on October 24, have been renewed for one year with updates to strengthen cybersecurity.
Developed with comprehensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), the three security directives strengthen cybersecurity resilience for the nation’s critical railroad operations. In line with TSA’s requirements for pipeline operators, it requires TSA-specified passenger and freight railroad carriers to take steps to prevent disruptions and degradations to their infrastructure.
“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” said TSA Administrator David Pekoske. “TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm.”
It’s required for covered owners and operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan every year under the revised security directives, Enhancing Rail Cybersecurity, and the revised SD series, Enhancing Public Transportation and Passenger Railroad Cybersecurity. These exercises must also include employees who are identified by their positions as active participants.
According to the revised security directive series, Rail Cybersecurity Mitigation Actions and Testing, railroad owners and operators must submit a Cybersecurity Assessment Plan every year to TSA, and report the results from the previous year using a schedule for assessing and auditing cybersecurity measures for effectiveness, so that all of them are assessed within three years.