More Regulations Coming Down the Tracks: TSA Issues New Security Directive for Enhanced Railroad Cybersecurity

By Jeff Johnston, Briana Falcon, Warner Scott, and Winnie Johnson*

On October 18, 2022, the Transportation Security Administration (“TSA”) issued its Security Directive 1580/82-2022-01 on Rail Cybersecurity Mitigation Actions and Testing (the “Railroad Directive”), regulating designated passenger and freight railroad carriers, effective October 24, 2022. The Railroad Directive builds on TSA’s efforts to protect critical infrastructure from, and prepare it for, cybersecurity attacks. The TSA developed this new Railroad Directive in collaboration with the Cybersecurity and Infrastructure Security Agency (“CISA”), the Department of Defense, and the Department of Transportation’s Federal Railroad Administration. Additionally, the TSA received input from the railroad industry in developing the Railroad Directive.

The TSA’s Railroad Directive follows a series of similar security directives aimed at pipelines, which were issued in response to the Colonial Pipeline cyber incident in 2021. Just as pipelines have been subject to ransomware attacks, railroads have experienced cyberattacks, including one in 2012 that slowed train service in the Pacific Northwest. In fact, as railroads have adopted new technology, such as positive train control systems to prevent rail accidents, new cyber vulnerabilities may have emerged as well.

These attacks and others on critical infrastructure have spurred the TSA’s issuance of directives requiring critical infrastructure owners and operators to implement certain cybersecurity measures. This new Railroad Directive largely parallels the TSA’s third pipeline cybersecurity directive, with the exception that the TSA does not require railroad carriers to develop a cybersecurity incident response plan under this directive.

The Railroad Directive requires covered railroad carriers to implement certain access control measures such as:

  • Network segmentation policies and controls designed to prevent disruption of the Operational Technology system if the Information Technology system is compromised or vice versa,
  • Policies for secret authenticator resets,
  • Multi-factor authentication or compensating controls for Operational Technology components or assets,
  • Policies and procedures to manage access rights based on the principles of least privilege and separation of duties, and
  • Standards that limit the use of shared accounts.

The TSA also requires continuous monitoring and detection policies and procedures, including capabilities and procedures to:

  • Defend against phishing email attacks;
  • Block communications with known or suspected malicious IP addresses;
  • Block and prevent unauthorized code, including macro scripts, from executing;
  • Monitor and/or block connections from known or suspected malicious command and control systems;
  • Collect and maintain logs in order to analyze data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Operational Technology and Information Technology systems that directly connect with Critical Cyber Systems;
  • Implement mitigation measures or manual controls to ensure industrial control systems can be isolated when a cybersecurity incident in the Information Technology system creates a risk to the safety and reliability of the Operational Technology system; and
  • Implement a patch management strategy that prioritizes CISA’s Known Exploited Vulnerabilities Catalog.

Further, the Railroad Directive mandates that covered railroad carriers adopt a cybersecurity implementation plan describing the entity’s plan for meeting each of the requirements in the Directive. Once approved by the TSA, this plan will guide the TSA’s compliance inspection of covered entities. Railroad carriers are also required to file annual compliance assessments with the TSA. Violators of the new Railroad Directive risk a civil monetary penalty of up to $11,904 per violation, according to the TSA’s 2021 Enforcement Sanction Guidance Policy. The Railroad Directive further requires covered railroad carriers to develop a cybersecurity assessment program to assess the effectiveness of the cybersecurity implementation plan and identify and resolve device, network and system vulnerabilities.

More Regulation to Come

In addition to the TSA’s latest directives, companies in critical infrastructure sectors should be aware of other cybersecurity regulations on the horizon. The following are expected to come into effect in the near term:

  • CISA
    • In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was signed into law. CIRCIA directs CISA to complete mandatory rulemaking activities before reporting requirements take effect. Under CIRCIA, covered entities will be required to report cybersecurity incidents and ransomware payments to CISA within 72 and 24 hours, respectively. A future CISA rule is expected to detail which entities among identified critical infrastructure sectors will be subject to the rule. CISA is currently seeking public input on potential aspects of the proposed regulation until November 14, 2022.
  • SEC
    • In March 2022, the SEC proposed amendments to its rules that would require public companies to report material cybersecurity incidents and provide periodic updates on previously reported incidents. Additionally, the amendment would mandate the inclusion in annual reports of cybersecurity risk management and strategies, cybersecurity policies and procedures, and board of directors’ and management’s oversight and implementation of those policies and procedures. Annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise would also be required.

What This Means for You

The new Railroad Directive demonstrates a systematic effort by the government to defend critical infrastructure against cybersecurity attacks. While there is uncertainty around the enforcement of TSA directives (as publicly available information on compliance and enforcement is limited), violators do risk penalties ranging from a warning letter or letter of correction up to a civil monetary penalty. However the TSA decides to enforce the Railroad Directive, owners and operators of critical infrastructure should be mindful, as new cybersecurity regulations may also raise the expected standard of care.

V&E assists clients in identifying, managing, and mitigating cybersecurity risks, from early planning and assessment to managing incident response and resulting investigations and litigation.

*Winnie Johnson is a law clerk in our Houston office.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.