TSA issued a new directive, Security Directive 1580/82-2022-01, “Rail Cybersecurity Mitigation Actions and Testing” that sets performance-based cybersecurity standards for the rail industry. The new requirements will impact a range of cybersecurity components, as described in more detail below. This directive builds on last year’s Security Directive 1580-21-01, “Enhancing Rail Cybersecurity,” which took effect December 31, 2021. Like Security Directive 1580-21-01, this directive applies to Class I freight railroads, transporters of rail security-sensitive materials in high threat urban areas, and railroads that host either of the preceding types of rail carriers. It also applies to additional freight and passenger railroads that TSA directly notified based on a risk determination that were not subject to the previous directive.  The new directive applies to these rail carriers’ “critical cyber systems,” defined as a system or data that, if compromised or exploited, could result in operational disruption – and indeed, one of the first steps expected of covered rail carriers is to identify all such critical cyber systems within their environment.

The new directive requires covered rail carriers to develop network segmentation policies and controls that separate operational technology systems from other information technology systems in case of compromise of one or the other.  Carriers also must create access control measures, build out detection policies for cyber threats, and implement timely patching or updating processes for operating systems, applications, drivers, and firmware.  All of these requirements must be included in a “Cybersecurity Implementation Plan” that must be submitted to TSA by February 21, 2023, which TSA has to approve – and the agency may ask clarifying questions or require revisions before granting such approval.

This new directive reflects TSA’s evolving approach to imposing prescriptive and granular cybersecurity requirements on critical infrastructure entities within its jurisdiction. This new directive tracks closely a similar directive issued in July 2022 governing covered owners/operators of pipeline systems or facilities. Notably, that directive revised TSA’s prior approach to directly imposing a number of specific cybersecurity requirements rather than asking covered entities to submit proposed approaches to meeting those requirements (in a Cybersecurity Implementation Plan) for approval. Thus the rail industry subject to this new directive, while still facing potentially onerous requirements and uncertainty as to what TSA will approve as part of a Cybersecurity Implementation Plan, is not immediately subject to a series of direct requirements to reset passwords, complete access reviews, etc. as was the case for covered pipeline companies. Reflecting the US government’s broader evolving approach, the Cybersecurity and Infrastructure Security Agency (CISA), a different sub-agency alongside TSA within the Department of Homeland Security, has issued its own information request regarding cybersecurity incident reporting for critical infrastructure and will be collecting comments through November 14, 2022, in advance of an upcoming rulemaking. It remains to be seen to what extent TSA and CISA will harmonize their incident reporting requirements.

Further details on the specific requirements under the new directive follow. Covered rail carriers must:

• Establish and implement a TSA-approved Cybersecurity Implementation Plan that achieves the following outcomes:
  • Identify critical cyber systems;
  • Develop network segmentation policies and controls to ensure that “operational technology systems” (i.e., devices or systems that interact with the physical environment or manage devices that interact with the physical environment) can continue to safely operate in the event that “information technology systems” (e.g., systems for automatic acquisition, storage, analysis, management, transmission or reception of data) are compromised and vice versa;
  • Create access control measures to secure and prevent unauthorized access to critical cyber systems;
  • Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
  • Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
• Establish a Cybersecurity Assessment Program and submit the plan annually to TSA that describes how the rail carrier will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve vulnerabilities.

The directive includes requirements for recordkeeping related to Cybersecurity Implementation Plans and Cybersecurity Assessment Programs. It also includes direction regarding amendments to Cybersecurity Implementation Plans in the event of business or operational changes such as changes in ownership or control or changes in conditions affecting security.

Cybersecurity Implementation Plans must be submitted no later than 120 days after the effective date of the directive (by February 21, 2023). The plans must describe physical and logical security controls to meet each of the requirements described above. After plans are approved by TSA, all elements of the plan must be implemented and maintained. If a rail carrier does not have any Critical Cyber Systems, they must notify TSA in writing within 60 days of the effective date of the directive (by December 23, 2022).  Rail carriers must submit annual plans for Cybersecurity Assessment Programs within 60 days of TSA’s approval of their Cybersecurity Implementation Plan.

[View source.]