TSA Tightens Rail Cybersecurity Directives — October 25, 2022
The U.S. Transportation Security Administration issued enhanced cybersecurity requirements for passenger and freight rail carriers, adding network segmentation, access control, and incident response testing mandates.
Executive briefing: The Transportation Security Administration (TSA) issued new security directives for passenger and freight railroads. The requirements mandate network segmentation, continuous monitoring, access control, and incident response drills to strengthen critical transportation infrastructure against ransomware and nation-state attacks.
Directive highlights
- Segmentation and access control. Carriers must segment operational technology systems, restrict remote access, and enforce multi-factor authentication for critical accounts.
- Continuous monitoring. Railroads must deploy detection capabilities that identify anomalies and ensure 24/7 operations or equivalent coverage.
- Plan validation. Operators must develop cybersecurity implementation plans, conduct annual tabletop exercises, and submit effectiveness assessments to TSA.
Immediate actions for carriers
- Update implementation plans to capture the new segmentation architecture, detection tooling, and MFA coverage required by the directives.
- Coordinate with third-party service providers supporting signaling, dispatch, and maintenance systems to ensure controls extend to outsourced environments.
- Schedule annual exercises that include TSA participation and document remediation of identified weaknesses.
Sector considerations
- Regulatory harmonisation. Align TSA directives with CISA’s performance goals and FRA safety requirements to avoid conflicting controls.
- Asset inventory. Maintain comprehensive inventories of OT components and remote access pathways to evidence segmentation effectiveness.
- Information sharing. Participate in the Surface Transportation ISAC and report significant incidents to TSA and CISA within prescribed timelines.
TSA’s rail directives remain active following Transportation Security Oversight Board ratification in June 2023, and DHS is now pursuing a surface cybersecurity rulemaking to translate the directives into permanent regulation.
Sources
- Federal Register — Ratification of rail security directives 1580-21-01A, 1582-21-01A, and 1580/82-2022-01
- Federal Register — Enhancing Surface Cyber Risk Management ANPRM
Zeph Tech is integrating TSA directive controls into rail cybersecurity roadmaps so operators can document compliance during TSA inspections.