U.S. Imposes First Cybersecurity Rules For Rail Transit, Despite Industry Pushback

The federal government imposed two cybersecurity mandates on "higher-risk'' railroad and rail transit systems, despite industry efforts to beat back regulations.

The new security measures will order critical passenger and freight railways to take these actions: 

1. Report cyber incidents to the federal government within 24 hours 
2. Appoint a cybersecurity point-person available 24/7 to liaison with federal agencies
3. Develop an incident response plan 
4. Conduct a vulnerability assessment to address cybersecurity gaps.

The directives, published by the Department of Homeland Security and Transportation Security Administration Wednesday, expand on pipeline regulations imposed earlier this year that are designed to shore up the nation's critical infrastructure, following a number of ransomware attacks.

"These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats," DHS Secretary Alejandro Mayorkas said in a statement. But officials representing rail and transit sectors complained to Congress last month that the reporting requirements were too broad and extensive.

"Mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical," Paul Skoutelas, president and CEO of the American Public Transportation Association (APTA) wrote in an October letter to key lawmakers. The nonprofit group represents approximately 1,500 public and private sector stakeholders.

"[T]he additional personnel and resources needed to comply with the requirements will add significant compliance costs just as transit agencies are working to recover from the COVID-19 pandemic," the letter continued.

TSA Deputy Assistant Administrator Victoria Newhouse addressed the industry's concerns. "These are very tight deadlines, and [stakeholders] have communicated dutifully with us. They were very direct and frankly vocal with us when they met challenges," Newhouse said.

One of those challenges, Newhouse said, is ascertaining what kinds of a cybersecurity incidents need to be reported. "We have taken steps and a great deal of feedback to modify that definition to not include all potential incidents."

The government and industry must strike a balance between reporting incidents the government needs to know about, "while also making sure that we don't request every incident and get drowned out by the noise," a senior homeland security official told CBS News.Wednesday's announcement comes on the heels of months-long Congressional debate over mandatory cyber incident rules, with competing proposals vying for inclusion in the 2022 defense policy package.

Major cyber incidents this year resulted in a days-long fuel shortage on the East Coast, temporary shutdown of one of America's largest beef suppliers and a supply chain attack crippling thousands of businesses over the July 4 weekend.

The new rules will apply to passenger rail companies including Amtrak, as well as subway systems like New York's MTA, though industry leaders say rail and transit sectors have steered clear of the kind of massive breaches that demand emergency action.

 "We have not been apprised of any imminent or elevated threat to railroads or rail transit agencies as a justification for this emergency action, nor are our railroads seeing the sort of activity that would be indicative of an elevated, specific, persistent threat," Thomas Farmer, the assistant vice president of security at the Association of American Railroads, said in testimony before Congress.

But last summer, the Southeastern Pennsylvania Transportation Authority, powering Philadelphia's transit network, did fall victim to a ransomware attack. And in spring of 2021, a China-linked hacker group gained initial entry to MTA computers systems, though cybercriminals fell short of accessing networks controlling train cars within the New York City subway system — America's largest — and left little to no damage.

Chief Technology Officer with the New York City Metropolitan Transportation Authority Rafail Portnoy, told CBS News in a statement, "The MTA has multilayered cybersecurity systems, is constantly vigilant against this global threat, and will ensure compliance with any TSA regulations."

First published on December 2, 2021 / 3:35 PM

© 2021 CBS Interactive Inc. All Rights Reserved.