A Breakdown of TSA’s Security Directive 1580-21-01A to Enhance Railroad Cybersecurity

November 1, 2022

On October 24, 2022, the Transportation Security Agency (TSA) issued Security Directive 1580-21-01A to enhance railroad cybersecurity. This Directive is in effect for one year and applies to freight railroad carriers (owners/operators) and other TSA-designated freight railroads. This rail Security Directive follows another similar one released this summer by the TSA for pipeline owners and operators, and the four key requirements of SD 2021-02B closely match the pipeline requirements.

The Security Directive builds on requirements from previous Directives that include designating a cybersecurity coordinator, reporting incidents to TSA and CISA, developing a Cybersecurity Incident Response Plan and performing a Cybersecurity Vulnerability Assessment. In addition to the Security Directive, the TSA released a 14-page document covering rail cybersecurity mitigation actions and testing which goes into detail about specific required actions, cybersecurity measures, record keeping and procedures.

Carriers must submit a cybersecurity implementation plan for TSA approval. Once approved by TSA, the plan will set the security measures and requirements against which TSA will inspect for compliance. The new Directive mandates that TSA-specified passenger and freight railroads must implement the following cybersecurity measures:

  1. Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific measures employed and the schedule for achieving the following:
    • “Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised.
    • “Implement access control measures to secure and prevent unauthorized access to critical cyber systems.
    • “Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
    • “Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
  2. Establish a Cybersecurity Assessment Program and submit an annual plan to TSA that describes how the railroad will proactively test and regularly audit the effectiveness of cybersecurity measures, and identify and resolve device, network and/or system vulnerabilities.

Implementing the right OT cyber risk management foundation will ensure that rail carriers can identify, manage and report on everything happening inside their operational technology infrastructure.

Choosing a cybersecurity standard is a solid starting point to help rail owners and operators attain these objectives for achieving cyber resilience. The NIST CSF is an excellent choice for rail operators, and many other critical infrastructure organizations have implemented this framework successfully. Another great option to look at for rail is the ISA/IEC 62443 standards. Either of these security standards can help lay the groundwork for a measurable, provable cybersecurity program.

With growing concern about cyberattacks targeting critical rail infrastructure over the past two years, it is clear that strong cyber resilience plans have never been more important, and they will be a non-negotiable objective for rail carriers in 2023 and beyond.