Skip to content

TSA unveils new railroad cybersecurity directive

October 20, 2022 – Published on The Record

The Transportation Security Administration (TSA) unveiled new cybersecurity regulations for passenger and freight railroad carriers this week, expanding its list of critical infrastructure industries given specific guidelines for how to protect their systems. 

The rules take effect on October 24 and will last one year. In the meantime, TSA is beginning a process to “establish regulatory requirements for the rail sector following a public comment period.”

Carriers are now mandated to develop network segmentation policies and controls that separate operational technology systems from other IT systems in case of compromise. 

The new directives also order carriers to create access control measures, build out detection policies for cyber threats and implement timely patching or updating processes for operating systems, applications, drivers, and firmware. 

GuidePoint Security’s Chris Warner said resources in the railway industry are limited when it comes to cybersecurity, not only in terms of financial budgets but also a shortage of knowledgable employees who can implement mature cybersecurity regulations and modern approaches.

“The requirement of network segmentation policies and controls will be quite a lift for railway operators, as many will have to re-design much of their control systems,” he said. 

“While this is certainly a step in the right direction for transportation, we will see some bumps in the road as the railway industry will have to modernize away from legacy systems and add in new access controls.”

Read More HERE.