US unveils new cyber mandates for passenger and freight rail carriers

The new directives require most railroads to designate a cybersecurity coordinator and report hacking incidents within 24 hours. PHOTO: AFP

WASHINGTON (BLOOMBERG) - Major passenger and freight railroads will soon be required to report cybersecurity breaches quickly and review how susceptible they are to cyberattack, senior officials at the US Department of Homeland Security said Thursday (Nov 2).

The requirements, which take effect Dec 31, come as the Biden administration has put increasing pressure on the private sector to protect the nation's critical infrastructure from hackers.

That follows a series of devastating hacks that infiltrated federal agencies and major businesses, including the May ransomware attack on Colonial Pipeline Co that temporarily curtailed fuel supplies along the East Coast.

The new directives from the Transportation Security Administration require that most railroads designate a cybersecurity coordinator, report hacking incidents within 24 hours, conduct a vulnerability assessment and develop an incident-response plan for breaches.

Senior officials said Thursday that Congress gave the government the authority to issue new directives that bypass the typical notice-and-comment period for federal regulations, although officials said they consulted with industry.

TSA recently updated its aviation security programmes to require that airport and airline operators identify a cybersecurity coordinator and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, known as Cisa.

TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators.

"These new cybersecurity requirements and recommendations will help keep the travelling public safe and protect our critical infrastructure from evolving threats," said Homeland Security Secretary Alejandro Mayorkas, in a statement.

"DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide."

The Department of Transportation, which regulates aviation and rail, has already imposed various anti-hacking protections on such things as aircraft computer designs, but hasn't created the kind of rules announced by DHS.

The DHS requirements are designed to add a new layer of protection on the transportation sector.

After originally expressing pushback, the Association of American Railroads said many of its major concerns were resolved in the final directives.

But the group, which represents North American freight railroads, added that they are still working with TSA on an outstanding issue with the appointment of cybersecurity coordinators by Canadian railroads.

"Railroads take these threats seriously and value our productive work with government partners to keep the network safe," AAR President and Chief Executive Officer Ian Jefferies said in a statement Thursday.

In November, Cisa began requiring federal agencies to fix cybersecurity flaws within specific time frames. That order applied to all software and hardware on federal information systems, including those managed by a government agency or hosted by third parties.

Join ST's Telegram channel and get the latest breaking news delivered to you.