The US Cybersecurity and Infrastructure Security Agency (CISA) recently revealed its proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), spotlighting the rail sector's critical role in the United States’s infrastructure and the evolving cyber threats it faces. This development underscores the heightened cybersecurity requirements for rail operators, reflecting CISA's commitment to supporting the sector's resilience against cyber incidents.

CIRCIA mandates that CISA establish reporting requirements for cyber incidents and ransom payments for covered entities, a move prompted by the growing sophistication of cyber threats. The rail sector, an integral part of the Transportation Systems Sector, is particularly emphasized due to its essential role in ensuring the ongoing welfare and transportation of the economy and public.

In regards to the rail industry, under CISA's proposal, entities within the rail subsector, including freight railroad carriers and public transportation and passenger railroads (PTPR), must report cyber incidents. This requirement aligns with existing regulations under 49 CFR 1580.1(a)(1), (4), and (5) for freight railroads, and 49 CFR 1582.1 for PTPR. The rationale is clear: the rail sector's operational integrity is crucial for national security, economic stability, and public safety.

The scope of CISA's reporting requirements is broader than the current mandates by the Transportation Security Administration (TSA), reflecting a long-term strategic approach to managing cyber risks. This includes entities not currently subject to enhanced cybersecurity measures but are now required to report cyber incidents. The goal is to promote a deeper understanding of the cyber threat landscape, enhancing the overall security posture of the transportation sector.

CISA's proposal also extends to critical pipeline facilities and systems, highlighting the interconnectedness of various transportation modes and the collective effort needed to safeguard them against cyber threats. Including entities under TSA's Security Directives for airports, passenger and all-cargo aircraft operators, indirect air carriers, and Certified Cargo Screening Facilities in the reporting requirements underscores the multi-layered approach to enhancing cybersecurity across the transportation sector.

A notable aspect of CISA's proposal is its alignment with the Maritime Transportation Security Act (MTSA), which incorporates entities regulated under MTSA into the reporting framework. This integration reflects the recognition of the maritime sector's criticality and the need for a unified response to cyber threats across all modes of transportation.

In conclusion, CISA's proposed rule under CIRCIA represents a significant step forward in strengthening the cybersecurity framework for the rail sector and the broader transportation industry. By establishing comprehensive reporting requirements, CISA aims to enhance the sector's ability to respond to and recover from cyber incidents, ensuring critical transportation infrastructure's continued reliability and security. This initiative is particularly timely, reflecting a global trend where the standardization and regulation of cybersecurity measures within transportation, especially rail systems, are becoming increasingly important. 

As the rulemaking process progresses, stakeholders in the rail sector are encouraged to engage with CISA, providing insights and feedback to refine and optimize the implementation of these critical cybersecurity measures. This effort aligns with movements in other regions, emphasizing the importance of global recognition of transportation security and the need for a unified approach to managing cyber threats across the transportation sector. CISA encourages comments and related material to be submitted before June 3, 2024, inviting stakeholders to contribute nationally to more secure and resilient transportation infrastructure. 

People illustrations by Storyset