November 2, 2023 | Policy Brief

More Cyber Collaboration Between TSA and Industry Will Put Railroad Operators on the Right Track 

The Transportation Security Administration (TSA) announced updates to three security directives last week aimed at strengthening the cyber resilience of passenger and freight railroads. The new guidance reflects TSA’s efforts to improve collaboration with private industry and its interagency partners. 

The first two directives require passenger and freight rail operators to have cybersecurity coordinators and a cyber incident response plan. The operators must also conduct vulnerability assessments and report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). TSA’s update offers more specificity on how operators must annually test their cybersecurity incident response plans, including by adding a requirement that employees participate in these exercises.  

The third, much more detailed security directive contains more substantive updates. It includes a new section clarifying that railroad owners and operators must annually submit a cybersecurity assessment plan to TSA for review and approval. Previous versions of the directive also required owners and operators to designate systems, data, or equipment as critical cyber systems requiring enhanced security measures. The updated directive now states that TSA can overrule a company if they disagree about which of the company’s systems could cause operational disruptions if compromised by hackers. The directive notes that even with these updates, TSA is striving for a “flexible, performance-based approach.” 

Serving alongside the Department of Transportation as the sector risk management agency responsible for coordination with all transportation subsectors, TSA first issued its rail security directives in December 2021. TSA took this action after an earlier ransomware attack on U.S. company Colonial Pipeline disrupted operations of the pipeline supplying nearly half of the fuel used on the East Coast. Industry stakeholders initially criticized the rail directives as too prescriptive. Since then, TSA has gathered input from industry and other government agencies. These partnerships “have been, and will continue to be, instrumental in [TSA’s] work towards strengthening resilience and preventing harm,” TSA Administrator David Pekoske stated.  

TSA’s security directives aim to shift how the rail industry views cybersecurity. Railway infrastructure relies on equipment that is often over 20 years old. This architecture was not designed with digital security in mind. But now, old vulnerabilities are resurfacing. While there has been no recorded operational disruption from a cyberattack, the industry has experienced data breaches and ransomware attacks in recent years, as Shawn Taylor of enterprise cybersecurity firm Forescout noted at a rail cybersecurity conference last week.  

TSA should continue to work with CISA, the Department of Transportation’s Federal Railroad Administration, and the rail industry to further mitigate the cyber risks facing the industry. In particular, TSA should improve its cooperation with industry. 

Right now, the agency is still missing opportunities to engage with industry partners, having not participated in last week’s conference. Meanwhile, in response to a U.S. government request for information on regulatory harmonization, the Association of American Railroads expressed concerns that TSA’s efforts conflict with existing federal safety regulations. TSA should build stronger partnerships with this association as well as with other industry-led groups, such as the North American Transportation Cybersecurity Consortium, a collaborative effort of 50 rail transportation companies and local agencies. 

Throughout the process of issuing the rail security directives and similar requirements for the pipeline and aviation subsectors, TSA has come to recognize the importance of collaboration with industry. But the agency still has room for improvement. TSA should foster this collaboration to ensure the safety and security of U.S. critical rail infrastructure — before hackers succeed in causing operational disruptions. 

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Gabrielle Christello is a CCTI intern. Follow Annie on X @afixler. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.