The Transportation Security Administration (TSA) has issued two security guidelines that mandate cybersecurity actions by passenger railways and rail transport agencies and freight railways, respectively.
Since Secretary Mayorkas announced in October that the TSA would issue such guidelines, the AAR and the rail industry have had productive consultations with agency officials to revise provisions that would have posed implementation challenges.
With the release of the final guidelines, a number of the industry’s most significant concerns have been addressed.
“For nearly two decades, the railways have judiciously coordinated with each other and with government officials to improve information security, which has proven to be an effective and responsive way to deal with constantly evolving threats,” said Ian Jefferies, President and CEO of AAR. “Make no mistake, the railways take these threats seriously and value our productive work with government partners to keep the network safe.”
More specifically, the safety directives impose four categories of actions:
– Appointment of a principal and alternate Cybersecurity Coordinator with the TSA;
– Reporting of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS);
– Carrying out a cybersecurity self-assessment using a form provided by the TSA; and
– Development and implementation of a response plan to cyber incidents.
Each Class I railroad and Amtrak, as well as many commuter and shortline carriers, have information security officers and cybersecurity officers who will serve as required cybersecurity coordinators. In addition, the railways have conducted cybersecurity assessments on a recurring basis and have developed, exercised and implemented cyber incident response plans.
Through the AAR Rail Alert Network (RAN), railways have been reporting cyberthreats, incidents and significant safety issues to the TSA, DHS, and the Department of Transportation (DOT) since 2014. The AAR notes that an unresolved issue is the appointment of cybersecurity coordinators by railways headquartered in Canada and will work with TSA and its Canadian members to resolve this issue.