Freight railroads will be required to report cyber incidents within 24 hours as part of a new Transportation Security Administration directive issued Thursday aimed at strengthening cybersecurity in the sector.
The directive, which takes effect Dec. 31, also mandates that all freight rail operators designate a cybersecurity coordinator, develop an incident response plan and conduct a vulnerability assessment. TSA also issued similar directives for passenger rail and public transit operators.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Homeland Security Alejandro Mayorkas, who previewed the measure in October, said in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
The Association of American Railroads said the final directive had addressed some of its most significant concerns. The association said the industry had already been taking cybersecurity security seriously.
“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” AAR President and CEO Ian Jefferies said in a statement.
“Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
The new cybersecurity requirements come as ransomware attacks continue to target companies across the country, sometimes with devastating impacts on operations.
While no U.S. freight railroad has experienced a catastrophic incident, CSX and short-line operator OmniTrax were targeted in ransomware attacks earlier this year.
