The TSA issued security directives Thursday that implement new cybersecurity requirements on the passenger rail and high-risk freight rail sectors.
The directive and some of its core requirements were announced in October by Secretary of Homeland Security Alejandro Mayorkas, but were not to be formally issued until later in the year. The regulation will outline four core requirements that rail entities will be expected to put in place to protect their systems and assets from being hacked: designating cybersecurity coordinators to interact with the government; reporting incidents to the Cybersecurity and Infrastructure Security Agency (CISA); creating incident response plans to quickly respond to a compromise; and conducting self-assessments of their systems and cybersecurity posture to address potential vulnerabilities and gaps.
Many of the requirements are similar to mandates placed on oil and gas pipeline operators following the Colonial Pipeline ransomware attack in May. While the Biden administration has shown an interest in extending these same core requirements to other sectors of critical infrastructure, they’ve faced pushback from industry and congressional Republicans who have claimed the regulations are being rushed and require further study.
In a House Transportation and Infrastructure Committee hearing Thursday, chair Peter DeFazio, D-Ore., said the regulations in the directive represented a security baseline that every organization should be following.
“I don’t think that implementing basic cybersecurity standards, reporting requirements and cybersecurity awareness training should be voluntary. It should be required,” DeFazio said.
According to TSA officials, a number of changes were made to the directive following talks with executives from passenger and high-risk freight rail companies, particularly around what would qualify as a reportable incident. Owners and operators are required to report to CISA whether any information or operational technology system under their control has been compromised, whether any malware was discovered, and any activity that resulted in a denial of service of those systems or a disruption of larger freight operations.
The document defines a cybersecurity incident as an event that "without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to [impact] the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers, or information systems or information resident on the system."
It also requires the entity to report the earliest known date of compromise and detection, actions taken, any other parties notified of the breach, relevant information such as malicious IP addresses, malware hashes or domain abuse, a description of the entity's response, and the incident's potential impact on IT and OT systems.
When the planned directive was first announced, industry groups and members of Congress had fretted that TSA and the government should be doing more to engage with private stakeholders. In October, a group of Republican senators wrote to TSA Administrator David Pekoske asking the agency to hold off on releasing the directive until it could engage with industry on potential impacts and unintended consequences (something Mayorkas pledged to do in his original announcement).
In the same House hearing, Victoria Newhouse, Deputy Assistant Administrator for Policy, Plans and Engagement at the TSA, told lawmakers that the agency had done its due diligence canvassing stakeholders on the new rules. She also said the agency had conducted classified briefings with executives from the rail industry as recently as this week.
“We continue our robust engagement with our partners through our Surface Transportation Security Advisory Committee…along with numerous corporate executives, all the way down to the security level,” Newhouse said.
She said one of the biggest challenges they’ve identified has revolved around the broad definition of a reportable cybersecurity incident, something Newhouse said they have worked to address.
“We have taken steps and a great deal of feedback to modify that definition to not include all potential incidents; we have narrowed that and focused that based on industry feedback,” she said.
This is a developing story. Check back for updates.