
New TSA security directive for railroad carriers focuses on performance-based measures

October 20, 2022 – Published on Industrial Cyber

On Tuesday, the U.S. Transportation Security Administration (TSA) issued a security directive that regulates designated passenger and freight railroad carriers and aims to enhance their cybersecurity resilience through performance-based measures. The security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations and build on the agency’s work to strengthen defenses in other transportation modes.

Effective on Oct. 24 for one year, the seven-page security directive titled “Enhancing Rail Cybersecurity – SD 1580/82-2022-01” lays down cybersecurity requirements for passenger and freight railroad carriers.

Commenting on the new cybersecurity requirements for passenger and freight railroad carriers, Chris Warner, senior OT cybersecurity consultant at GuidePoint Security, wrote in an emailed statement that “it’s known that the railway industry resources are limited when it comes to cybersecurity. Not only in financial budgets, but knowledgeable employees that can implement more mature cybersecurity regulations and modern approaches, like Zero Trust.”

“The requirement of network segmentation policies and controls will be quite a lift for railway operators, as many will have to re-design much of their control systems,” Warner added. “While this is certainly a step in the right direction for transportation, we will see some bumps in the road as the railway industry will have to modernize away from legacy systems and add in new access controls.”
