What Do We Know 

On October 18, 2022, the U.S. Transportation Security Administration (TSA) rolled out a new Security Directive (SD)* for U.S passenger and freight railroads.

This is the third SD that TSA has issued to the rail sector in the last year, building upon two prior SDs published, on December 1, 2021, focused on both passenger and freight rail systems known as 1580-2021-01 “Enhancing Rail Cybersecurity” and SD 1582-2021-01 “Enhancing Public Transportation and Passenger Railroad Cybersecurity.” These prior directives apply to all freight railroad carriers and Public Transportation/Passenger Rail (PTPR) system owners and operators of a passenger railroad or rail transit system. Both SDs went into effect December 31, 2021, and require rail owners/operators to:

1. Designate and use a primary and at least one alternate Cybersecurity Coordinator at the corporate level.
2. Report cybersecurity incidents to CISA involving systems the owner/operator has responsibility to operate and/or maintain.
3. Implement a Cybersecurity Incident Response Plan within 180 days of the SD effective date.
4. Complete a cybersecurity vulnerability assessment to identify cybersecurity gaps and report findings to the TSA within 90 days of the SD effective date.

The new SD titled Enhancing Rail Cybersecurity – SD 1580/82-2022-01 is effective October 24, 2022, and extends cybersecurity requirements to achieve critical cybersecurity outcomes. According to the TSA, this new SD focuses on performance-based measures and “will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.”  According to the TSA, the SD was developed with input from federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Railroad Administration (FRA), and industry stakeholders. It focuses on achieving key cybersecurity outcomes rather than dictating to rail carriers how to achieve them. 

What Are the New TSA Requirements

Specifically, the new TSA SD 1580/1582-2022-01 requires rail owners/operators to:

1. Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific measure employed to achieve the following within 120 days of the SD effective date.

• Identify critical cyber systems or data that, if compromised or exploited, could result in operational disruption.
• Develop network segmentation policies and controls to ensure that the Operational Technology systems can continue to safely operate in the event that an Information Technology system has been compromised and vice versa.
• Create access control measures to secure and prevent unauthorized access to critical cyber systems.
• Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
• Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

2. Establish a Cybersecurity Assessment Program and submit an annual plan to TSA that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities. This plan is required to be submitted to TSA within 60 days of the TSA’s approval of the owner/operator’s Cybersecurity Implementation Plan.

Looking Forward

These TSA SDs demonstrate the Biden-Harris Administration’s proactive approach to improving the United States' cyber security and defense of critical infrastructures. These directives present the fundamental shift in how safety and security are viewed in the rail industry and how governments are revisiting and reassessing their rail cybersecurity policies. As rail systems are increasingly recognized as vulnerable critical infrastructure worldwide, we expect to see continued regulatory pressures on the industry. TSA’s security directive joins Europe’s NIS Directive and APAC’s rail-specific frameworks in Australia, Singapore, and India. 

In addition to announcing its new SD, in its press release, the TSA stated its intention to begin a rulemaking process, establishing regulatory requirements for the rail sector following a public comment period. Rulemaking is a process for developing and issuing rules (also called “regulations”). Legislative rules have the force and effect of law; that is, they are legally binding on the agency, rail owner/operators, and the courts.

The expectation is that the TSA will seek to develop formal cybersecurity rules for both passenger and freight rail systems by the end of 2023. The next step will be issuing a notice of proposed rulemaking (NPRM), which will provide an opportunity for public comment on the proposal before the TSA can issue a final rule. The NPRM may be preceded by an advanced notice of proposed rulemaking (ANPRM) to get early rule-making participation. When the TSA issues the ANPRM and/or NPRM, it is normally published in the Federal Register. 

Cylus will continue to monitor these developments and stands ready to assist our clients in assessing the risks to their rail systems and preparing their cybersecurity programs to meet evolving regulatory requirements and heightened levels of scrutiny.

* Security directives are formal written notifications requiring the recipient to take security measures specified within the directive.