Listen to this post

On October 18, 2022, the Transportation Security Administration (“TSA”) issued a new cybersecurity directive requiring passenger and freight railroad carriers to create plans for responding to cybersecurity incidents. The new directive is one of many actions taken by the Biden Administration to strengthen the cybersecurity posture of the U.S.’s critical infrastructure following a significant ransomware attack on a major U.S. pipeline in 2021.

The new directive requires railroad carriers to (1) implement network segmentation policies and controls to allow the continuous operating of systems in the event of a breach; (2) create access control measures to prevent unauthorized access to systems; (3) implement monitoring and detection policies and procedures to detect and prevent security flaws and vulnerabilities; and (4) apply security patches and updates for all critical systems in a timely manner, among other requirements.

By February 2023, railroad carriers  must submit a TSA-approved Cybersecurity Implementation Plan that describes how the carrier plans to comply with the new directive. The directive also requires railroad carriers to establish a Cybersecurity Assessment Program and file annual compliance assessments with the TSA. 

Learn more about TSA’s cybersecurity initiatives and related guidance.