The Transportation Security Administration issued a directive on Thursday that requires freight railroads to report cyber incidents within 24 hours. Additionally, all freight rail operators will designate a cybersecurity coordinator, develop an incident response plan, and conduct vulnerability assessments. Similar directives were issued for passenger rail and public transit operators.
Homeland Security Representative, Alejandro Mayorkas, stated “These new…requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats…DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
AAR President and CEO, Ian Jefferies, said the final directive had addressed some of its most significant concerns. The association said the industry had already been taking cybersecurity security seriously. “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats. Let there be no mistake, railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
The new cybersecurity requirements come as ransomware attacks continue to target companies across the country. Some of the attacks left behind devastating impacts on operations. None of the U.S. freight railroads have experienced a catastrophic incident. However, CSX and short-line operator OmniTrax were both the target of ransomware attacks earlier this year.