Recently, the U.S. government has focused on increasing cybersecurity in industries that are vital to the country. After the Colonial Pipeline ransomware attack shut down a critical fuel pipeline, which led to significant gas shortages, officials realized the importance of protecting the U.S. infrastructure. In response to the growing threat, leaders put the spotlight on fortifying the security of those industries.

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022. The Act affects agencies, organizations and businesses whose service disruption would impact economic security or public health and safety. Railways are one industry included in critical infrastructure.

Railways targeted by cyberattacks in recent years

Railways have been the target of large attacks in recent years, including a data breach at China Railways (CR) in 2019. Other key attacks include a breach of 146 million records in the database of Network Rail and the service provider C3UK, and a malware attack on Sadler, a railway equipment manufacturer. In October, President Biden released the Enhancing Rail Cybersecurity Directive from the Transportation Security Administration for critical infrastructure with directives to railway companies.

TSA administrator David Pekoske said, “The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack.”

Requirements of the enhancing rail cybersecurity directive

The new directive has four main requirements:

  1. Designate a cybersecurity coordinator – This role implements cybersecurity practices, manages cybersecurity incidents and serves as a liaison between the railway and both TSA and the Cybersecurity and Infrastructure Security Agency (CISA) regarding cybersecurity. Because the coordinator must be available 24/7, railways must also designate a backup coordinator. All cybersecurity coordinators must be U.S. citizens and eligible for security clearance.
  2. Report cybersecurity incidents to CISA – All cybersecurity incidents, including unauthorized access, malicious software and DoS attacks, must be reported to CISA within 24 hours of the event. In addition to all relevant information about what occurred, the railway must report the impact on the railway and the railway’s response to the incident.
  3. Develop a cybersecurity incident response plan – The plan must include how the railway will prompt identification, isolation and segregation of the infected systems as well as security of backed-up data. The plan also establishes capability and governance for isolating the systems. Railways must adopt their plan within 180 days of the directive and must also conduct regular testing of the plan.
  4. Assess cybersecurity vulnerability – The assessment must identify gaps and document remediation measures. Railways need to complete the assessment within 90 days of the directive.

The U.S. depends on transportation services, including railways, as a cornerstone of its economy. In addition to tourism, transportation services play a critical role in the supply chain. By requiring additional cybersecurity measures for railways, the U.S. reduces the risk of disruption resulting from an attack on the country’s critical infrastructure.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…