DHS says new security directive to come for ‘higher-risk’ railroads and transit agencies
A new security directive is expected to be issued this year for higher-risk railroad and rail transit networks designed to help strengthen their cybersecurity. The information came from Secretary of Homeland Security Alejandro N. Mayorkas during a keynote address to the 12th Annual Billington CyberSecurity Summit on Oct. 6.
The pending passenger rail and transit security mandate is based on directives issued by the Transportation Security Administration (TSA) to the pipeline industry following the Colonial Pipeline ransomware attack.
“Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient aviation and surface transportation sector,” said Secretary Mayorkas. “To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person; report incidents to CISA; and put together a contingency and recovery plan in case they become a victim of malicious cyber activity. We are coordinating and consulting with industry as we develop all of these plans.”
Secretary Mayorkas says transit agencies and other surface transportation entities deemed to be lower risk will see their own directive that will encourage, but not require, the same steps be taken because “reducing cybersecurity risk is in every organization’s self-interest.”
TSA is also developing a longer-term rule to strengthen cybersecurity and resilience in the transportation sector and will issue an information circular recommending the completion of a cybersecurity self-assessment to maximize input and inform the rulemaking process.
“Taken together, these elements – a dedicated point of contact, cyber incident reporting and contingency planning – represent the bare minimum of today’s cybersecurity best practices,” said Secretary Mayorkas.
The Department of Homeland Security began a series of 60-day cybersecurity-focused “sprints” in six different sectors the department believes should be prioritized. The transportation sprint began in September and is the fourth in the series.
"In many respects, our transportation sprint – and our department-wide efforts – are a microcosm of our administration’s whole-of-government approach to cybersecurity. And I have only just scratched the surface of what we are doing, as a department and as an administration, to meet this moment. Every day, we dive deeper into new and innovative ways to up our cyber game," said Secretary Mayorkas.
A collaborative effort from the federal government was one of the recommendations researchers from the Mineta Transportation Institute (MTI) made in an August 2020 report looking at cyber preparedness of the transit industry.
The report, Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness, found more than 80 percent of agencies reported feeling prepared for a cybersecurity threat, but only 60 percent have a cybersecurity program in place.
The report’s authors also included information and tools the transit industry can access to support a cybersecurity program, including Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook. Additionally, TSA has a Surface Transportation Cybersecurity Toolkit on its website.
Mischa Wanek-Libman | Group Editorial Director
Mischa Wanek-Libman is director of communications with Transdev North America. She has more than 20 years of experience working in the transportation industry covering construction projects, engineering challenges, transit and rail operations and best practices.
Wanek-Libman has held top editorial positions at freight rail and public transportation business-to-business publications including as editor-in-chief and editorial director of Mass Transit from 2018-2024. She has been recognized for editorial excellence through her individual work, as well as for collaborative content.
She is an active member of the American Public Transportation Association's Marketing and Communications Committee and served 14 years as a Board Observer on the National Railroad Construction and Maintenance Association (NRC) Board of Directors.
She is a graduate of Drake University in Des Moines, Iowa, where she earned a Bachelor of Arts degree in Journalism and Mass Communication.