U.S. Railroad Operators Must Disclose Cybersecurity Incidents Within 24 Hours
Last week, the Transportation Security Administration continued its 60-day sprint around securing high-risk transit systems by mandating railroad owners disclose cybersecurity incidents within 24 hours.
When it comes to cybersecurity, the Biden administration is seemingly leaving no stone unturned.
Late last week the Department of Homeland Security issued a directive for U.S. all surface transportation owners and operators - namely freight and rail systems - to report all cybersecurity incidents within 24 hours.
The action comes on the heels of directives issued by President Biden to strenghen critical infrastructure and the electric sector, and goes along with the White House's prioritization of cybersecurity so far this year.
Under the new directives, issued by the Transportation Security Administration (TSA) on Thursday, higher-risk freight railroads, passenger rail, and rail transit owners will need to do the following:
- designate a cybersecurity coordinator;
- report cybersecurity incidents to CISA within 24 hours;
- develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
- complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
According to the Wall Street Journal, the directives will change how about 80% of freight rail owners and 90% of passenger rail systems currently report incidents. Those that aren't deemed "high risk" are still being encouraged to implement the same measures, according to the DHS' announcement.
The directives mirror those issued last month for the airline industry. In those, TSA told critical airport operators, passenger aircraft operators and all-cargo aircraft operators they’d have to designate a cybersecurity coordinator and report cyber incidents to CISA.
The Secretary of Homeland Security Alejandro N. Mayorkas announced the movement, part of one of the department’s 60-day sprints, at the 12th Annual Billington Cybersecurity Summit.
The concept of the sprint - essentially a way to mobilize the DHS to respond to an issue - was initially brought up by Mayorkas back in March in advance of Biden’s Cybersecurity Executive Order; the first was around ransomware, the second tackled the cybersecurity workforce gap
For many of these industries, having uniform guidance that makes it mandatory to report hacks and ensuring someone is in charge of disclosing them is overdue. In many instances, previous measures were voluntary but recent incidents, including this year's paralyzing attack against Colonial Pipeline, have indicated that more stringent reporting is needed to keep critical infrastructure in check.