
Understanding the TSA’s NPRM: New Cybersecurity Rules for Railroads

Dr. Mark Grant

The Transportation Security Administration (TSA) has proposed new regulations to enhance cybersecurity across the surface transportation sector, specifically targeting pipeline and rail (freight, passenger, and transit) owners/operators. These proposed Cyber Risk Management (CRM) requirements aim to increase the resilience of critical infrastructure against cyber threats.

The CRM requirements would apply to specific pipeline and rail owners/operators, with a more limited reporting obligation for specific over-the-road bus (OTRB) owners/operators.

The TSA NPRM seeks to codify and expand upon existing requirements established through TSA's security directives.

Comparison of Notice of Proposed Rulemaking (NPRM) Requirements & Existing TSA Security Directives

1. Cybersecurity Coordinator:

  • Existing Directives: Railroad operators must designate a Cybersecurity Coordinator available 24/7 to TSA and the Cybersecurity and Infrastructure Security Agency (CISA).
  • NPRM: Maintains this requirement, ensuring continuous communication channels for cybersecurity matters.

2. Incident Reporting:

  • Existing Directives: Operators must report cybersecurity incidents to CISA within 24 hours.
  • NPRM: Continues this obligation, emphasizing prompt reporting to facilitate timely responses.

3. Cybersecurity Incident Response Plan (CIRP):

  • Existing Directives: Operators must develop and implement a CIRP to address and mitigate cyber incidents.
  • NPRM: Reinforces the necessity of a CIRP, ensuring preparedness for potential cyber threats.

4. Cybersecurity Vulnerability Assessment:

  • Existing Directives: Operators are required to conduct assessments to identify and address vulnerabilities in their systems.
  • NPRM: Proposes the continued utilization of a Cybersecurity Assessment Program to evaluate and enhance cybersecurity measures regularly.

5. Impact to Cybersecurity Implementation Plan (CIP):

  • Existing Directives: Railroads are required to develop and maintain a CIP, detailing measures to protect critical cyber systems (including PTC) and address identified vulnerabilities. The CIP must address network segmentation, access controls, continuous monitoring, vulnerability management, and incident response.
  • NPRM: The NPRM formalizes the CIP requirement, meaning that what was previously mandated through security directives would now be required under federal regulation. This shift makes the requirement more permanent and enforceable through rulemaking.
  • NPRM: The NPRM also expands the scope of the CIP, emphasizing alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It encourages railroads to adopt a risk-based, outcome-focused approach, which may involve more granular controls and performance-based requirements.

6. Impact to Cybersecurity Assessment Program (CAP):

  • Existing Directives: Railroads must maintain a CAP that includes yearly programs to evaluate their cybersecurity posture and mitigation of risks. The CAP must also align with and include assessments of all controls detailed in the approved CIP, addressing all controls over a three-year cycle.
  • NPRM: The NPRM enhances the CAP requirements through a more structured and documented assessment process that must be repeated regularly. This includes defining how vulnerabilities should be assessed, prioritized, and addressed.
  • NPRM: The NPRM introduces requirements for more formal third-party or internal assessments to verify compliance with cybersecurity standards. Rail operators may need to bring in third-party auditors to review their CAP, which adds an external validation component that wasn't explicitly emphasized in the directives.
  • NPRM: The NPRM also requires the CAP to integrate incident response readiness assessments. This means that, beyond identifying vulnerabilities, the CAP must ensure that all systems are adequately prepared to handle potential cybersecurity incidents.

Key Differences and Enhancements

  1. Legal Standing: Moving from security directives to codified regulations solidifies compliance requirements, increasing penalties for non-compliance and potentially increasing risks related to non-compliance.
  2. Documentation and Validation: Requirements for maintaining detailed compliance records and involving third-party validation expand both scope and rigor. This proposal introduces new requirements that will have varying financial impacts on railroad operators of different sizes.
  3. Cyber Risk Management Program: Operators must establish and maintain a comprehensive program to manage cyber risks effectively.
  4. Performance-Based Cybersecurity Measures: The NPRM introduces performance-based requirements, allowing operators flexibility in achieving critical cybersecurity outcomes such as network segmentation, access control, continuous monitoring, and timely system patching.
  5. Alignment with NIST Framework: The proposed rule aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, promoting standardized practices across the industry.
  6. Reporting to CISA: The NPRM mandates that specific pipeline, freight railroad, passenger railroad, and rail transit owners and operators report cybersecurity incidents to CISA.

Understanding the Costs

The TSA's Notice of Proposed Rulemaking (NPRM) provides high-level cost estimates for implementing the proposed cybersecurity measures. The TSA estimates a total annualized cost for rails of ~$97M.

Compliance with these regulations comes at a cost, varying by the size and complexity of operations. Based on some simple assumptions, the cost might be expected to look something like this:

  • Large Railroads: For major rail operators, the estimated average annual cost to comply with the proposed requirements may approach $8M. This figure accounts for expenses related to developing and maintaining a comprehensive cyber risk management program, conducting regular cybersecurity assessments, and reporting incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
  • Medium-Sized Railroads: Mid-sized operators could be expected to incur average annual costs in excess of $1M. These costs cover activities similar to those for large railroads but are scaled to reflect their reduced complexity and size.
  • Small Railroads: Smaller operators, including short-line and regional railroads, might see annual impacts nearing $100k. These costs are primarily associated with bolstering cybersecurity protocols, training staff, and ensuring compliance with reporting requirements.

Challenges and Considerations

The NPRM introduces requirements for third-party validation and more detailed documentation, adding rigor to compliance efforts. Railroads with mature cybersecurity frameworks may find the transition smoother, while others may face challenges adapting to these elevated standards.

Operational complexity and the TSA’s evolving compliance expectations will also influence costs. For some, the NPRM's emphasis on incident readiness and continuous improvement may require significant investment.

Why It Matters

By transitioning from directives to codified regulations, the TSA aims to create a consistent and enforceable cybersecurity baseline across the transportation sector. This shift underscores the critical importance of securing rail systems, protecting infrastructure and the communities and industries that rely on them.

Next Steps for Rail Operators

Rail operators should evaluate their cybersecurity practices, identify gaps, and develop plans to align with the NPRM’s proposed regulations (full notice here). Early preparation will be vital in managing costs and ensuring compliance.

Talk with an expert to learn how Cylus can help with TSA compliance.

About Our Guest Writer:

Dr. Mark Grant is a longtime cybersecurity leader, having worked at CSX in Jacksonville, Florida for 17 years. Grant served as the chief information security officer for eight years during his time with CSX. He is now working as a trusted advisor to help companies enhance IT, security, and business strategies.

Originally published November 19, 2024, updated November 19, 2024.
