TSA Renews Cybersecurity Requirements for Passenger, Freight Railroad Carriers


TSA has updated three security directives (SD) regulating passenger and freight railroad carriers to enhance cybersecurity in surface transportation systems and associated infrastructure. These revised directives have been renewed for one year and require TSA-specified passenger and freight railroad carriers to take action to prevent disruption and degradation to their infrastructure with a flexible, performance-based approach, consistent with TSA’s requirements for pipeline operators.

The revised security directives, Enhancing Rail Cybersecurity, and the revised SD series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, include a requirement for covered owners and operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan every year. They also require that these exercises include employees who have been identified by their positions as active participants.

The revised security directive series, Rail Cybersecurity Mitigation Actions and Testing, also requires railroad owners and operators to annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval, and to report the results from the previous year, using a schedule for assessing and auditing specific cybersecurity measures for effectiveness such that all cybersecurity measures are assessed within a three-year period.

“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” said TSA Administrator David Pekoske. “TSA’s partnerships with the Cybersecurity and Infrastructure Security Agency, FRA and the railroad industry have been, and will continue to be, instrumental in our work toward strengthening resilience and preventing harm.”