December 2, 2021 5:30 PM, EST

US Unveils New Cyber Mandates for Passenger, Freight Rail Carriers

Major passenger and freight railroads will soon be required to report cybersecurity breaches quickly and review how susceptible they are to cyberattack, senior officials at the U.S. Department of Homeland Security said Dec. 2.

The requirements, which take effect Dec. 31, come as the Biden administration has put increasing pressure on the private sector to protect the nation’s critical infrastructure from hackers. That follows a series of devastating hacks that infiltrated federal agencies and major businesses, including the May ransomware attack on Colonial Pipeline Co. that temporarily curtailed fuel supplies along the East Coast.

The new directives from the Transportation Security Administration require that most railroads designate a cybersecurity coordinator, report hacking incidents within 24 hours, conduct a vulnerability assessment and develop an incident-response plan for breaches. Senior officials said Dec. 2 that Congress gave the government the authority to issue new directives that bypass the typical notice-and-comment period for federal regulations, although officials said they consulted with industry.

TSA recently updated its aviation security programs to require that airport and airline operators identify a cybersecurity coordinator and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, known as CISA. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro Mayorkas said in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”


The Department of Transportation, which regulates aviation and rail, has already imposed various anti-hacking protections on such things as aircraft computer designs, but hasn’t created the kind of rules announced by DHS.

The DHS requirements are designed to add a new layer of protection to the transportation sector.

After initially pushing back, the Association of American Railroads said many of its major concerns were resolved in the final directives. But the group, which represents North American freight railroads, added that it is still working with TSA on an outstanding issue with the appointment of cybersecurity coordinators by Canadian railroads.

“Railroads take these threats seriously and value our productive work with government partners to keep the network safe,” AAR President and CEO Ian Jefferies said in a statement Dec. 2.

In November, CISA began requiring federal agencies to fix cybersecurity flaws within specific time frames. That order applied to all software and hardware on federal information systems, including those managed by a government agency or hosted by third parties.
