U.S. unveils new cyber measures for passenger and freight rail carriers
Updated: Dec 14, 2021
Coming into effect on December 31st, these measures are part of increasing pressure by the Biden administration to secure the nation’s critical infrastructures from cyber attacks

Senior officials from the U.S. Department of Homeland Security (DHS) announced last month that major passenger and freight railroads would soon be compelled to report cybersecurity breaches swiftly and assess their vulnerability to cyberattacks.
The measures, which go into effect on December 31, 2021, come as the Biden administration puts more pressure on the private sector to secure the nation's critical infrastructure from hackers, following an increasing number of cyberattacks on federal institutions and large corporations, including the Colonial Pipeline ransomware attack in May, which briefly halted fuel shipments throughout the East Coast.
According to the Transportation Security Administration's new rules, most railroads must designate a cybersecurity coordinator, disclose hacking events within 24 hours, undertake a vulnerability assessment, and prepare an incident-response strategy for intrusions.
The Transportation Security Administration (TSA) has revised its aviation security programs to require airport and airline operators to designate a cybersecurity coordinator and report cybersecurity events to the Cybersecurity and Infrastructure Security Agency, or CISA. In addition, the TSA seeks to broaden the criteria for the aviation industry and provide guidelines to smaller operators. The DHS standards are intended to provide an additional layer of security to the transportation sector.
DHS Secretary Alejandro Mayorkas stated that "These new cybersecurity criteria and recommendations will help keep the traveling public safe and defend our vital infrastructure from emerging threats."
Despite its initial opposition, the Association of American Railroads (AAR) stated that many of its primary issues were addressed in the final directives. However, the association, which represents North American freight railroads, said they are still working with TSA on a pending problem with Canadian railroads' selection of cybersecurity coordinators.
The AAR President and Chief Executive Officer Ian Jefferies stated, "Railroads take these threats seriously and cherish our productive collaboration with government partners to keep the network safe."
CISA began mandating government entities to remedy cybersecurity weaknesses within specific timeframes in November 2021. This mandate covered all software and hardware on federal information systems, whether administered by the government or hosted by third parties.