Annie Fixler & Johanna Yang
The Transportation Security Administration (TSA) published a proposed cybersecurity rule on November 6 that would “require the establishment of pipeline and railroad cyber risk management programs,” solidifying prior security directives. The rule is a positive step, but implementing it within the rail subsector will require continued collaboration between the federal government and private companies.
Large and Small Railroads Need Cyber Risk Management
The proposed rule consolidates separate directives the TSA had issued for mass transit, freight rail, and pipelines over the past three years into a single set of cybersecurity requirements. Under the new rule, Washington requires companies to establish and maintain a cyber risk management program; complete annual cybersecurity self-assessments; have a cyber incident response plan; and report physical and cyber incidents to the TSA and the Cybersecurity and Infrastructure Security Agency, respectively.
Of the more than 600 freight rail companies in the United States, only about 70 are covered under the new rule. The six largest freight rail companies, which account for more than 90 percent of industry revenue, are all subject to this rule. The remaining railroads are much smaller but provide critical ligature between the larger railroads, including serving as essential movers of military equipment, troops, and supplies. A cybersecurity incident at these smaller railroads would have a “significant impact on rail transportation, national security, and economic security,” the TSA noted.
No comments:
Post a Comment