New federal cybersecurity requirements for railway operators announced

Railways have been the target of large attacks in recent years, including a data breach at China Railways (CR) in 2019. Other key attacks include a breach of 146 million records in the database of Network Rail and the service provider C3UK, and a malware attack on Sadler, a railway equipment manufacturer. In October, President Biden released the Enhancing Rail Cybersecurity Directive from the Transportation Security Administration for critical infrastructure with directives to railway companies.

TSA administrator David Pekoske said, “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”

Requirements of the Enhancing Rail Cybersecurity Directive
The new directive has four main requirements:
1. Designate a Cybersecurity Coordinator – This role implements cybersecurity practices, manages cybersecurity incidents and serves as a liaison between the railway and both TSA and the Cybersecurity and Infrastructure Security Agency (CISA) regarding cybersecurity. Because the coordinator must be available 24/7, railways must also designate a backup coordinator. All cybersecurity coordinators must be U.S. citizens and eligible for security clearance.
2. Report Cybersecurity Incidents to CISA – All cybersecurity incidents, including unauthorised access, malicious software and DoS attacks, must be reported to CISA within 24 hours of the event. In addition to all relevant information about what occurred, the railway must report the impact on the railway and the railway’s response to the incident.
3. Develop a Cybersecurity Incident Response Plan – The plan must include how the railway will prompt identification, isolation and segregation of the infected systems as well as security of backed-up data. The plan also establishes capability and governance for isolating the systems. Railways must adopt their plan within 180 days of the directive and must also conduct regular testing of the plan.
4. Assess Cybersecurity Vulnerability – The assessment must identify gaps and document remediation measures. Railways need to complete the assessment within 90 days of the directive.

The U.S. depends on transportation services, including railways, as a cornerstone of its economy. In addition to tourism, transportation services play a critical role in the supply chain. By requiring additional cybersecurity measures for railways, the U.S. reduces the risk of disruption resulting from an attack on the country’s critical infrastructure.