The Biden administration on Tuesday released a directive requiring freight railroad owners and operators to tighten their security in the face of hacking threats from criminals and foreign governments.
It’s the latest move by US officials to use their policy authorities to try to boost cybersecurity in key sectors following the damaging ransomware attack on a major pipeline last year.
The new directive from the Transportation Security Administration requires rail companies to report hacking incidents to the Department of Homeland Security, and to have a plan to keep a cybersecurity incident from hampering their operations.
Rail operators, like other sectors, have to contend with a variety of hacking threats. In 2016, a ransomware attack affected the San Francisco Municipal Transportation Agency, forcing authorities to turn off ticketing machines and turnstiles for metro stations for a weekend.
Americans saw the disruptive potential of a cyber incident last year when a pipeline company – which delivers some 45% of the fuel consumed on the East Coast – halted operations for days following a ransomware attack. The incident led to long lines at gas stations in multiple states.
In July, the TSA issued updated cybersecurity requirements for big US pipeline operators that give them more flexibility over the defensive measures they take. The revision came after criticism from the oil and gas industry claiming that the TSA’s initial requirements were too rigid and unrealistic.
The directive focuses on achieving key cybersecurity outcomes rather than dictating to pipelines how to achieve them. It also requires certain pipeline operators to maintain security controls that would allow industrial equipment to keep operating if IT systems were hacked. Pipeline operators are also required to have an incident response plan outlining how they would recover from a major cyberattack.
Frustrated by lax security practices from some critical infrastructure firms, the Biden administration has issued a series of cybersecurity policy directives to get a better sense of which sectors were vulnerable and how often they were being hacked.
US officials are also working on cybersecurity requirements for the communications sector, including emergency warning systems, and standards for the water and health care sectors, senior White House official Anne Neuberger said last week.