Biden Administration to Impose Cyber Requirements on ‘High-Risk’ Rail- Transit Systems

The mandates are the latest indication the Biden administration intends to rely on rules and regulations to coerce companies to adopt stronger cybersecurity practices rather than a strategy of voluntary standards typically taken by the Trump, Obama and George W. Bush administrations.

“Our freight rail system is essential not only to our economic well-being, but also to the ability of our military to move equipment from ‘fort to port’ when needed,” Department of Homeland Security Secretary Alejandro Mayorkas said.

New mandates from the Transportation Security Administration take effect later this year and apply to “higher-risk” railroads, Mr. Mayorkas said. The new security directive will require affected rail and transit systems to have a contingency and recovery plan in place in the event of a major cybersecurity attack, require reporting of cyber incidents to DHS, and require identification of a cybersecurity point person with whom the government can communicate.

The TSA also will issue separate guidance for lower-risk surface-transit systems to encourage them to take the same steps, Mr. Mayorkas said during remarks at the Billington CyberSecurity Summit.

Separately, the agency plans to update the requirements for airport, passenger-aircraft and cargo-aircraft operators to include designating a cybersecurity coordinator and reporting of cyber incidents to DHS.

It wasn’t immediately clear what would qualify a transit system as higher-risk. A U.S. official familiar with the security directive said it would include passenger-rail companies such as Amtrak and large subway systems, including those in New York City and the Washington, D.C., metropolitan area.

Jessica Kahanek, a spokeswoman for the Association of American Railroads, which represents Amtrak and large freight railroads, said the rail industry had only had three business days to review and comment on a draft of the security directive. The planned requirements largely duplicate practices long in place in the industry, Ms. Kahanek said.

“Railroads have consistently reported to federal security agencies on cybersecurity intelligence and incidents for several years,” she said.

A DHS spokeswoman said while voluntary actions from industry had been helpful, “more needs to be done to ensure the transportation sector as a whole is prepared and resilient.”

The new requirements are the second set of cyber mandates issued by TSA in recent months. In July, the agency announced first-of-its-kind requirements for U.S. pipeline operators intended to help guard against ransomware and other forms of disruptive hacking.

Those requirements were announced months after a Russia-based criminal hacking group forced a major fuel conduit on the East Coast to shut down for nearly a week. That followed an earlier TSA directive in May that required pipelines to notify federal authorities when they are targets or victims of cyberattacks.

Wednesday’s announcement of new requirements follows cyberattacks over the past year that have hobbled surface-transportation systems, including a ransomware attack on the Philadelphia regional rail service that created months of complications and a breach of New York’s Metropolitan Transportation Authority, which didn’t impact service.

In his speech, Mr. Mayorkas said the new requirements “represent the bare minimum of today’s cybersecurity best practices.” He said he intended to work with the private sector to find other areas to increase cybersecurity baselines. Some senior Biden administration officials have said in recent months they would consider imposing more aggressive mandates on companies that operate critical infrastructure, but that Congress may need to pass legislation in order for them to do so effectively.

Write to Dustin Volz at [email protected]