BlogLine

ALL ABOARD: TSA ISSUES NEW SECURITY DIRECTIVE TO TRACK CYBERSECURITY EFFORTS BY THE RAIL INDUSTRY

10/25/22

By: Nicholas Jajko and Nicholas Hubner

SECURITY DIRECTIVE: 1580/82-2022-01 

EFFECTIVE DATE: October 24, 2022 

Working with the Cybersecurity and Infrastructure Security Agency (“CISA”), TSA issued a new Security Directive to protect against malicious cyber-intrusions affecting the nation’s railroads and to ensure the system keeps rolling even if computer systems are breached. Issued under authority of 49 U.S.C. 114(l)(2)(A), this Directive is in addition to, and builds upon, S.D. 1880-21-01 “Enhancing Rail Cybersecurity” effective Dec. 31, 2021. The goal is to reduce cybersecurity risks through implementation of layered cybersecurity measures.

The Directive is applicable to all Class I, passenger, railroads transporting security-sensitive materials in a High Threat Urban Area (“HTUA”), and additional passenger and freight railroads notified by TSA based on risk determination. In sum, railroad owners/operators, including many Freeman Mathis & Gary clients, will need to update their existing cyber incident response plans to incorporate 1) “network segmentation”, 2) access control measures, 3) continuous monitoring and detection, and 4) risk-based patch management programs. Rail Owners and Operators must submit a Cybersecurity Implementation Plan to SurfOps-SD@tsa.dhs.gov for TSA approval no later than 120 days after the effective date, i.e., by February 21, 2023. The full requirements for the proposed plan are linked here: TSA Security Directive Announcement.

All information that must be reported or submitted to TSA pursuant to this Directive is Sensitive Security Information subject to the protections of part 1520 of title 49, Code of Federal Regulations. TSA will seek review and ratification of this Directive by the Transportation Security Oversight Board. The TSOB is statutorily required to “review and ratify or disapprove” emergency security directives like this under 49 U.S.C. 114(l)(2).  

If Owner/Operators determine they have no Critical Cyber Systems, they must notify TSA in writing within 60 days of the effective date, i.e., by December 23, 2022. Moreover, reevaluation is required if the Owner/Operator’s method of operation changes.

Use of previous plans, assessments, tests, and evaluations is permitted for submission. Owner/Operators must include an index of the records and their location organized in the same sequence as required by the Directive. Records must be stored and transmitted in accordance with 49 CFR part 1520, at a minimum.  

Amendments to the Cybersecurity Implementation Plan require TSA approval and must be submitted no later than 50 days after the permanent change (a change intended to be in effect more than 45 days) takes effect.

The cybersecurity and transportation lawyers of Freeman Mathis & Gary LLP are experienced in representing Class I railroads, passenger rail operators, and other critical infrastructure, and understand the nuances of their record retention and the complexities of protecting privilege for the rail industry. Likewise, FMG’s Data Security, Privacy & Technology practice section regularly provides cybersecurity compliance advice and can leverage its network of forensic partners for consulting assistance. Together, FMG’s lawyers are equipped to evaluate and advise on current plans to help its current and new Class I railroad clients remain compliant with the most recent TSA Security Directive and move full steam ahead in the changing cybersecurity landscape.

If you have any questions, please contact Nicholas J. Hubner at nicholas.hubner@fmglaw.com or Nicholas Jajko at nicholas.jajko@fmglaw.com.