On October 18, 2022, the Transportation Security Administration issued a new cybersecurity directive for designated passenger and freight railroads. TSA says the directive “strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.”
Some of the new measures include establishing and implementing a TSA-approved Cybersecurity Implementation Plan that describes the specific measures employed, and establishing a Cybersecurity Assessment Program and submitting it annually to TSA. The plan should describe how the railroad will proactively test and regularly audit the effectiveness of cybersecurity measures, and identify and resolve device, network and/or system vulnerabilities.
The agency said in a statement: “Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment. TSA also intends to begin a rule-making process, which would establish [permanent] regulatory requirements for the rail sector following a public comment period.”