TSA to require stricter cybersecurity measures for railroads 

The Transportation Security Administration (TSA) will introduce regulations that require major U.S. railroads to improve their cybersecurity procedures, said Homeland Security Secretary Alejandro Mayorkas during an Oct. 6 keynote address at the 12th annual Billington CyberSecurity Summit.

New rules for “higher-risk railroad and rail transit entities” will require them to: 1) identify a cybersecurity point person; 2) report incidents to the Cybersecurity and Infrastructure Security Agency (CISA); and 3) put together a contingency and recovery plan in case they become a victim of malicious cyber activity.  

“Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said. 

The new regulations, which will take effect before the end of 2021, also will apply to aircraft operators. Similar rules came into effect earlier this year for maritime entities.

“Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security,” Mayorkas said. “The last year and a half has powerfully demonstrated what’s at stake.”

TSA also is initiating a rulemaking process to develop a “longer-term regime” to strengthen cybersecurity and resilience in the transportation sector, he noted. Cybersecurity also will be a top priority in the next cycle of the Federal Emergency Management Agency’s (FEMA) transportation-related grant programs. A working group that includes CISA, FEMA, TSA, and the Coast Guard is seeking to increase the required minimum spent on cybersecurity through FEMA grant awards, he said.

October is Cybersecurity Awareness Month. CISA is encouraging stakeholders to use the hashtag #BeCyberSmart to promote resources and raise cybersecurity awareness. Several related resources are available on NGFA’s cybersecurity page.