On 10/23, the TSA issued the 2023 versions of their cyber-focused security directives for railroads (SD 1580-21-01B, SD 1580/82-2022-01A, and SD 1582-21-01B). At a high level, the new directives primarily extend existing requirements. The new language should not significantly alter the compliance plans that railroads have been progressing, with a few notable exceptions (especially item number 1, below).
Here is my read of the meaningful changes:
- The new SDs give the TSA the ability to compel an owner/operator to include specific systems in the scope of the railroad’s compliance program if the TSA disagrees with that railroad’s internal scoping decisions. This change may substantially increase the compliance burden in cases where the TSA asserts that a major system is critical to operations when the owner/operator did not initially define it as critical. If the railroad left a system out of scope, the TSA can now say, essentially, “We disagree, include it.”
- Each year, the TSA requires submission of a cybersecurity assessment plan (CAP) for TSA approval. This plan details how the railroad will validate its cybersecurity controls. While this requirement was included in the initial SDs, its scope has been clarified in the updated version: over the course of three years, the CAP must now address 100% of the controls defined in the railroad’s security plan.
- Each year, the railroads must report the results of the assessment to the TSA.
- The TSA has added requirements for yearly incident response testing. Each test must address two objectives and must include the key individuals responsible for incident response.
I think we will have to wait and see how the inspection process evolves to get a full understanding of the impact of these and any future modifications on the industry. My suspicion is that the compliance requirements, and the effort necessary to satisfy them, will increase over time.
Either way, railroads should plan for continued additional compliance effort compared to a baseline of their programs prior to any cyber regulations.
About Our Contributing Writer:
Dr. Mark Grant is a longtime cybersecurity leader, having worked at CSX in Jacksonville, Florida for 17 years. Grant served as chief information security officer for eight of those years. He now works as a trusted advisor, helping companies enhance their IT, security, and business strategies.