January 4, 2023 By Jennifer Gregory 2 min read

Recently, the U.S. government has focused on increasing cybersecurity in industries that are vital to the country. After the Colonial Pipeline ransomware attack shut down a critical fuel pipeline, which led to significant gas shortages, officials realized the importance of protecting the U.S. infrastructure. In response to the growing threat, leaders put the spotlight on fortifying the security of those industries.

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022. The Act affects agencies, organizations and businesses whose service disruption would impact economic security or public health and safety. Railways are one industry included in critical infrastructure.

Railways targeted by cyberattacks in recent years

Railways have been the target of large attacks in recent years, including a data breach at China Railways (CR) in 2019. Other key attacks include a breach of 146 million records in the database of Network Rail and the service provider C3UK, and a malware attack on Sadler, a railway equipment manufacturer. In October, President Biden released the Enhancing Rail Cybersecurity Directive from the Transportation Security Administration for critical infrastructure with directives to railway companies.

TSA administrator David Pekoske said, “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”

Requirements of the enhancing rail cybersecurity directive

The new directive has four main requirements:

  1. Designate a cybersecurity coordinator – This role implements cybersecurity practices, manages cybersecurity incidents and serves as a liaison between the railway and both TSA and the Cybersecurity and Infrastructure Security Agency (CISA) regarding cybersecurity. Because the coordinator must be available 24/7, railways must also designate a backup coordinator. All cybersecurity coordinators must be U.S. citizens and eligible for security clearance.
  2. Report cybersecurity incidents to CISA – All cybersecurity incidents, including unauthorized access, malicious software and DoS attacks, must be reported to CISA within 24 hours of the event. In addition to all relevant information about what occurred, the railway must report the impact on the railway and the railway’s response to the incident.
  3. Develop a cybersecurity incident response plan – The plan must include how the railway will prompt identification, isolation and segregation of the infected systems as well as security of backed-up data. The plan also establishes capability and governance for isolating the systems. Railways must adopt their plan within 180 days of the directive and must also conduct regular testing of the plan.
  4. Assess cybersecurity vulnerability – The assessment must identify gaps and document remediation measures. Railways need to complete the assessment within 90 days of the directive.

The U.S. depends on transportation services, including railways, as a cornerstone of its economy. In addition to tourism, transportation services play a critical role in the supply chain. By requiring additional cybersecurity measures for railways, the U.S. reduces the risk of disruption resulting from an attack on the country’s critical infrastructure.

More from News

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today