

TSA Issues New Cybersecurity Regulations for Rail Owners and Operators

The U.S. Transportation Security Administration (TSA) issued new rules on cybersecurity practices for rail owners and operators.

The new regulations, which were published on 19 October, are meant to improve cybersecurity preparedness and resiliency for passenger and freight rail companies.

The directive, SD 1580/82-2022-01, is effective as of 24 October 2023 and will replace the cybersecurity directive from TSA issued last year.

Railroads must provide the TSA with a proposed cybersecurity implementation plan by 21 February 2023. This plan must detail specific cybersecurity efforts that rail carriers will implement to reach security goals. These include network segmentation policies and controls that support operations technology (OT) systems even when an IT system is compromised; access control measures; continuous monitoring and detection policies and methods to counter cybersecurity threats; and the timely application of “security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems,” according to the directive.

Owners and operators must also create and implement an assessment program and submit a plan to TSA every year that describes how the company will determine the efficacy of its cybersecurity measures and deal with any related vulnerabilities.

According to the TSA, the directive was created with input from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense, Department of Transportation’s Federal Railroad Administration, and industry stakeholders.

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA administrator David Pekoske in a press release.

The directive supports the Biden administration’s efforts to shore up essential infrastructure against cyber attacks. In July 2022, the TSA issued revised cybersecurity requirements for U.S. pipeline operators.

Cybersecurity expert and founder of OT/transportation security company Shift5, Josh Lospinoso, noted that while parts of the directive—specifically, network segmentation—are a step in the right direction, more will need to be done to secure rails.

Air gapping as a silver bullet is a myth in the era of converged IT/OT within infrastructure, Lospinoso said in an email to Security Management. He added that critical operational technology components like brake controls on locomotives should not be considered separate from IT. With such interconnectivity, network segmentation policies should be implemented, but not used as the last line of defense.

In 2021, Colonial Pipeline’s operations—including delivering almost half of the U.S. East Coast’s fuel supply—came to a halt when the company suffered a ransomware attack. Specific to rail companies, a 2016 ransomware attack against the San Francisco Municipal Transportation Agency shut down some metro operations for a few days.

Beyond the United States, other rail systems have attracted cyber attacks in recent years. In 2017, Germany’s main train operator Deutsche Bahn was attacked with the WannaCry ransomware, which disrupted the train station screens that usually announce arrivals and departures.

One significant safety element of most railroads today is the Positive Train Control (PTC) system. The system provides autonomous operation and correction of trains when human error occurs. When fully installed and operational, a PTC system will stop “dispatcher or operator error resulting in train-to-train collisions, derailments caused by speeding, trains improperly entering work zones, and trains entering an occupied track,” according to Lawfare strategist Claudia Swain.

If a PTC system were to be hacked, worst-case scenarios could look like more than 100 deaths from just one train in the control of a malicious attacker, while a hacked network that controls multiple trains could result in a higher death toll, Swain wrote.

“The railroads that have implemented PTC move over 5 million tons of freight annually, and a disruption to this movement would have damaging ripple effects across industries, including on international trade,” Swain said. “Rail is the second largest transborder mode of transport for freight after trucks and was responsible for $179 billion of freight in 2018 moved in both directions across the Canadian and Mexican borders.”