On October 24, 2022, the Transportation Security Agency (TSA) issued Security Directive 1580-21-01A to enhance railroad cybersecurity. This Directive is in effect for one year and applies to freight railroad carriers (owners/operators) and other TSA-designated freight railroads. This rail Security Directive follows a similar one the TSA released this summer for pipeline owners and operators, and the four key requirements of SD 2021-02B closely match the pipeline requirements.
The Security Directive builds on requirements from previous Directives that include designating a cybersecurity coordinator, reporting incidents to TSA and CISA, developing a Cybersecurity Incident Response Plan and performing a Cybersecurity Vulnerability Assessment. In addition to the Security Directive, the TSA released a 14-page document covering rail cybersecurity mitigation actions and testing, which goes into detail about specific required actions, cybersecurity measures, record keeping and procedures.
Carriers must submit a cybersecurity implementation plan for TSA approval. Once approved by TSA, the plan will set the security measures and requirements against which TSA will inspect for compliance. The new Directive mandates that TSA-specified passenger and freight railroads must implement the following cybersecurity measures:
Implementing the right OT cyber risk management foundation will ensure that rail carriers can identify, manage and report on everything happening inside their operational technology infrastructure.
Choosing a cybersecurity standard is a solid starting point to help rail owners and operators attain these objectives and achieve cyber resilience. The NIST CSF is an excellent choice for rail operators, and many other critical infrastructure organizations have implemented this framework successfully. Another great option for rail is the ISA/IEC 62443 series of standards. Either of these security standards can help lay the groundwork for a measurable, provable cybersecurity program.
With anxiety growing over the past two years about cyberattacks targeting rail critical infrastructure, it's clear that having strong cyber resilience plans in place has never been more important and is going to be a non-negotiable objective for rail carriers in 2023 and beyond.