DHS: Cybersecurity coordinators and vulnerability assessments mandatory for rail companies

TSA says rail services are "higher risk" and that the new rules "need to be issued immediately to protect transportation security."
Written by Jonathan Greig, Contributor

The Department of Homeland Security (DHS) announced two new cybersecurity directives handed down by the Transportation Security Administration (TSA) on Thursday designed to better protect freight railroads and passenger rail transit in the US.

The new rules make it mandatory for rail company owners and operators to designate a cybersecurity coordinator, report cybersecurity incidents to CISA within 24 hours, and develop a cybersecurity incident response plan. The rules also require owners and operators to complete a cybersecurity vulnerability assessment.

DHS also detailed voluntary measures to improve cybersecurity across the transportation sector following a series of attacks over the last two years. 

"These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats," said Secretary of Homeland Security Alejandro Mayorkas. "DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide." 

These are just the latest cybersecurity directives handed down by DHS this year, as the agency presses government-adjacent industries to improve their cybersecurity measures.

Following multiple attacks on critical infrastructure in the US this year -- including oil pipelines, transportation companies, and agricultural organizations -- DHS has regularly issued new guidance and mandatory rules.

Congress is also mulling a variety of bills related to incident reporting and other cybersecurity measures. While previous administrations sought to promote cybersecurity hygiene through voluntary measures, the Biden Administration has handed down more stringent measures as ransomware incidents continue. 

DHS has faced backlash from some private sector companies and Republican members of Congress over the cybersecurity rules, with many arguing that they are being forced on companies without advance guidance. 

In its statement on Thursday, DHS made a point of saying TSA worked with "industry stakeholders," "federal partners," and CISA to create the directives. 

Victoria Newhouse, a TSA deputy assistant administrator, confirmed to Congress on Thursday that private industry experts were consulted on the new rules. Newhouse said she and other officials met with rail companies to discuss the range of threats facing their industry. 

One of the criticisms Republican lawmakers have leveled against DHS is that the directives are being handed down in the absence of detailed, specific threats.

On Thursday, DHS said CISA "provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them."

TSA suggested "all other lower-risk surface transportation owners and operators" also institute the rules, although it would be voluntary. TSA already released guidance for aviation industry operators, pipelines, and other enterprises. 

A DHS official told The Wall Street Journal that Thursday's directives will apply to the passenger rail systems and freight railroads that TSA considers high risk, which the official said account for about 90% of passenger rail systems and 80% of freight rail systems in the US.
