November 21, 2024 | The Cipher Brief
Wanted: A Plan to Secure America’s Railroads Against Cyberattacks
November 21, 2024 | The Cipher Brief
Wanted: A Plan to Secure America’s Railroads Against Cyberattacks
The Transportation Security Administration (TSA) published a proposed cybersecurity rule on November 6 that would “require the establishment of pipeline and railroad cyber risk management programs,” solidifying prior security directives. The rule is a positive step, but implementing it within the rail subsector will require continued collaboration between the federal government and private companies.
Large and Small Railroads Need Cyber Risk Management
The proposed rule consolidates separate directives the TSA had issued for mass transit, freight rail, and pipelines over the past three years into a single set of cybersecurity requirements. Under the new rule, Washington requires companies to establish and maintain a cyber risk management program; complete annual cybersecurity self-assessments; have a cyber incident response plan; and report physical and cyber incidents to the TSA and the Cybersecurity and Infrastructure Security Agency, respectively.
Of the more than 600 freight rail companies in the United States, only about 70 are covered under the new rule. The six largest freight rail companies, which account for more than 90 percent of industry revenue, are all subject to this rule. The remaining railroads are much smaller but provide critical ligature between the larger railroads, including serving as essential movers of military equipment, troops, and supplies. A cybersecurity incident at these smaller railroads would have a “significant impact on rail transportation, national security, and economic security,” the TSA noted.
Industry Input Improves Cybersecurity Requirements
The TSA’s notice of proposed rulemaking comes on the heels of years-long regulatory efforts following a 2021 cyberattack on Colonial Pipeline, a company responsible for transporting almost half of the East Coast’s fuel. Due to a longstanding lack of collaboration between the public and private sectors, the TSA originally waffled between overly prescriptive and overly vague instructions, as it attempted to impose cybersecurity requirements on private entities. Over the next three years, the TSA focused on incorporating industry input, leading to more coherent security directives.
The new rule from the TSA builds on a wide range of industry feedback, with a TSA official reporting that during the crafting of the cybersecurity requirements, the agency gathered input from industry operators to “the maximum extent practicable.” As part of the formal rulemaking process, the TSA is now seeking additional public comments, particularly on supply chain risk management and implementation costs.
The TSA estimates it will cost rail companies less than $1 million per year to implement the requirements. That’s not a lot of money in the world of cybersecurity. However, the agency acknowledges that it may have an incomplete picture of feasibility and cost for some of the private entities who fall under the new rule.
Cybersecurity Funding Needed for Small Rail Companies
Despite their criticality to the military mobility mission and to national security, some of the smaller rail companies may struggle with even the modest cybersecurity investment necessary to implement the proposed requirements. To help these companies improve their cybersecurity posture, Congress should create a grant program for small freight railroads to pay for both capital improvements and the workforce necessary to implement cybersecurity risk management. With the TSA seeking to create reasonable minimum cybersecurity requirements, Congress now has a role to play by helping small companies make the necessary financial commitments for critical infrastructure cybersecurity.
Annie Fixler is the director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, contributing to the cyber-enabled economic warfare project and the Transformative Cyber Innovation Lab. She is also a research fellow at FDD and works on issues related to the national security implications of cyberattacks on economic targets, adversarial strategies and capabilities, and U.S. cyber resilience. Johanna “Jo” Yang is a research and editorial associate at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Her research focuses nation-state cyber threats, critical infrastructure protection, and U.S. cybersecurity policy.