The first directive, “Enhancing Public Transportation and Passenger Railroad Cybersecurity,” applies to owners or operators of passenger railroad or rail-transit systems, while the second directive, “Enhancing Rail Cybersecurity,” applies to freight railroad carriers. Both directives require owners and operators to undertake the following four critical actions:
- Cybersecurity Coordinator. Within seven days (i.e., on or before January 7, 2022) owners and operators must designate a primary Cybersecurity Coordinator (and at least one alternate) to coordinate implementation of cybersecurity practices, manage cybersecurity incidents, and serve as the principal point of contact with TSA and CISA. The Cybersecurity Coordinator must be available to TSA and CISA on a 24-hour/7-days-per-week basis.
- Reporting. Owners and operators must report cybersecurity incidents (which are broadly defined within the directives) to CISA “as soon as practicable, but no later than 24 hours” after identifying an incident. This requirement extends to incidents occurring on owners/operators’ Information Technology (IT) or Operational Technology (OT) networks or systems, and the directives also outline detailed reporting requirements.
- Cybersecurity Incident Response Plan. Owners and operators must develop and implement within 180 days (i.e., on or before June 29, 2022) a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should a cybersecurity breach affect their IT or OT systems. The directives outline specific content requirements for the plan.
- Cybersecurity Vulnerability Assessment. Owners and operators must conduct and submit to TSA within 90 days (i.e., on or before March 31, 2022) a cybersecurity vulnerability assessment to: evaluate current practices and activities to address cyber risks; identify gaps in current cybersecurity measures; and identify remediation measures and a plan to address any identified vulnerabilities and gaps.
Pursuant to the directives, any information submitted by owners and operators may be shared among TSA, CISA, the National Response Center, and other agencies, as appropriate. TSA also issued an Information Circular recommending (but not requiring) that owners and operators not covered by either of the Security Directives take the same actions to enhance cybersecurity.
As companies continue to take a hard look at their own cybersecurity readiness, TSA has turned its focus to the rail sector to make sure it is up to the task. The TSA’s cybersecurity focus on the transportation sector is an outgrowth of the Colonial Pipeline ransomware incident, which underscored potential cybersecurity vulnerabilities in the nation’s critical infrastructure. TSA’s recent efforts to increase cybersecurity-readiness for the pipeline sector have resulted in new compliance initiatives that have led to numerous pipeline companies spending thousands of hours and millions of dollars upgrading, updating, and upscaling their cybersecurity protections.
Hogan Lovells — through its industry-focused, intermodal, and well-fused teams of multi-disciplined practitioners — has been helping clients navigate TSA's new cybersecurity directives since before they were released. To date, Hogan Lovells has assisted numerous large and small infrastructure clients to overcome compliance challenges. Hogan Lovells lawyers are well-positioned to do so because they have one-on-one connections with TSA as well as other key government actors (including in law enforcement and cyber leadership) and know the world of cybersecurity intimately. From circuits to servers, from nation-state attacks to ransomware, and from workstation protections to tabletop exercises to board-level decisions, Hogan Lovells lawyers have extensive experience with cybersecurity issues and TSA's cyber regime. And we know the transportation sector and how it works. We can bring that experience to assist our rail clients tackle the latest cybersecurity challenges and anticipated regulations.
Authored by Emily Kimball, Andrew Lillie, Sophie Baum, and Paul Otto.