Railroads Must Get On Track With New Cybersecurity Rules

To say that cybersecurity worries have breached every industry would hardly be an exaggeration — and the broadening threats mean new cybersecurity regulations for industries that previously were on the periphery of such concerns.

Last year’s Colonial Pipeline ransomware attack provided a glaring example of the risks. One compromised password led to a hack that crippled the nation’s largest fuel pipeline and prompted a $4.4 million ransom payment (Bloomberg). 

The scare prompted rapid government action. Pipeline owners and operators faced regulations almost immediately. The Coast Guard is incorporating cyber risk management into maritime transportation system security. For railways, the Transportation Security Administration has set deadlines throughout the first half of this year, urging companies toward better security measures to protect surface transportation systems and associated infrastructure. 

Two requirements already took effect for higher-risk freight railroads, passenger rail and rail transit: covered owners and operators of rail systems must report certain cybersecurity incidents within 24 hours of identifying them, and each company must appoint an approved cybersecurity coordinator, as well as an alternate, so someone is available at all times.

By March 30, the companies must complete cybersecurity vulnerability assessments and report the results to the TSA.

Following up on those assessments, they must develop and submit cybersecurity incident response plans to the TSA by June 28.

These requirements represent “the bare minimum of today’s cybersecurity best practices,” Secretary of Homeland Security Alejandro Mayorkas said in an October speech.

Yet they’re noteworthy. Tech companies, financial services firms and online retailers have long faced concerns about data security, but it’s a newer arena for industries that rely more on physical operations. 

Efforts to beef up cybersecurity are likely to spread throughout the transportation sector. Lower-risk surface entities will be encouraged to take additional security steps through guidance, as opposed to requirements. 

“Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said.

Some of these companies may be starting on the ground floor of cybersecurity. That’s complicated on many levels, not the least of which is the shortage of cybersecurity experts nationwide. 

There’s debate as to whether these regulations are too much or too little, or just early in the process. But apart from government requirements, companies face real threats to their bottom lines. Ransomware attacks hit 37 percent of businesses last year, with nearly a third of victims paying a ransom demand, according to a compilation by Cloudwards. The compilation also noted that Cybersecurity Ventures predicted ransomware would cost the world $265 billion in 2031, compared with $20 billion last year.

Suffice it to say, the problem isn’t going away anytime soon.

If you need help with cybersecurity, start with Digital Silence’s team of experts. In addition to assessing your security systems in a variety of ways, we can help you craft a common-sense plan to mitigate risks. Contact us for world-class cybersecurity experts who know how to talk about real-world concerns.
