DHS says new security directive to come for ‘higher-risk’ railroads and transit agencies

Oct. 8, 2021
The directive is part of the department’s transportation ‘sprint,’ which is a 60-day focused action plan aimed at strengthening cybersecurity among certain sectors.

A new security directive is expected to be issued this year for higher-risk railroad and rail transit networks designed to help strengthen their cybersecurity. The information came from Secretary of Homeland Security Alejandro N. Mayorkas during a keynote address to the 12th Annual Billington CyberSecurity Summit on Oct. 6.

The pending passenger rail and transit security mandate is based on directives issued by the Transportation Security Administration (TSA) to the pipeline industry following the Colonial Pipeline ransomware attack.

“Applying lessons learned from that experience, TSA is now laying the foundation for a more secure and resilient aviation and surface transportation sector,” said Secretary Mayorkas. “To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person; report incidents to CISA; and put together a contingency and recovery plan in case they become a victim of malicious cyber activity. We are coordinating and consulting with industry as we develop all of these plans.”

Secretary Mayorkas says transit agencies and other surface transportation entities deemed to be lower risk will see their own directive that will encourage, but not require, the same steps be taken because “reducing cybersecurity risk is in every organization’s self-interest.”

TSA is also developing a longer-term rule to strengthen cybersecurity and resilience in the transportation sector and will issue an information circular recommending the completion of a cybersecurity self-assessment to maximize input and inform the rulemaking process.

“Taken together, these elements – a dedicated point of contact, cyber incident reporting and contingency planning – represent the bare minimum of today’s cybersecurity best practices,” said Secretary Mayorkas.

The Department of Homeland Security began a series of 60-day cybersecurity-focused “sprints” in six different sectors the department believes should be prioritized. The transportation sprint began in September and is the fourth in the series.

"In many respects, our transportation sprint – and our department-wide efforts – are a microcosm of our administration’s whole-of-government approach to cybersecurity. And I have only just scratched the surface of what we are doing, as a department and as an administration, to meet this moment. Every day, we dive deeper into new and innovative ways to up our cyber game," said Secretary Mayorkas. 

A collaborative effort from the federal government was one of the recommendations researchers from the Mineta Transportation Institute (MTI) made in an August 2020 report looking at cyber preparedness of the transit industry.

The report, Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness, found more than 80 percent of agencies reported feeling prepared for a cybersecurity threat, but only 60 percent have a cybersecurity program in place.

The report’s authors also included information and tools the transit industry can access to support a cybersecurity program, including Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance and accompanying workbook. Additionally, TSA has a Surface Transportation Cybersecurity Toolkit on its website.

About the Author

Mischa Wanek-Libman | Editor in Chief

Mischa Wanek-Libman serves as editor in chief of Mass Transit magazine. She is responsible for developing and maintaining the magazine’s editorial direction and is based in the western suburbs of Chicago.

Wanek-Libman has spent more than 20 years covering transportation issues including construction projects and engineering challenges for various commuter railroads and transit agencies. She has been recognized for editorial excellence through her individual work, as well as for collaborative content. 

She is an active member of the American Public Transportation Association's Marketing and Communications Committee and serves as a Board Observer on the National Railroad Construction and Maintenance Association (NRC) Board of Directors.  

She is a graduate of Drake University, where she earned a Bachelor of Arts degree in Journalism and Mass Communication with a major in magazine journalism and a minor in business management.