• On-Demand Webinar
  • Intermediate
  • Commercial Law
  • 90 minutes

Railroads and Cybersecurity Risk Management Requirements: Preparing for Implementation of TSA’s 2024 NPRM

TBD

About the Course

Introduction

This CLE webinar will discuss the Transportation Security Administration's (TSA) Notice of Proposed Rulemaking (NPRM) entitled Enhancing Surface Cyber Risk Management. The program will help those who counsel transportation entities subject to the regulations, including railroad owners, operators, and suppliers, to assess gaps between the rule's requirements and their current cybersecurity programs so they can plan how to meet the new standards.

Description

The rail industry has become increasingly digital and interconnected, which opens the door for hackers to exploit vulnerabilities in railroad systems, both directly and through the industry's suppliers and vendors. Beginning after the 2021 Colonial Pipeline ransomware incident, TSA used its emergency powers to issue, without notice and comment, a series of mandatory "directives" requiring railroad and other infrastructure entities to implement various cybersecurity measures. Then, on Nov. 6, 2024, TSA issued an NPRM to permanently codify and expand the five previous directives.

When final, the rule is expected to impact almost 300 transportation entities: 73 freight railroads that move 94% of the rail freight in the U.S., 34 rail transit and passenger railroads, including Amtrak, and certain pipeline and over-the-road bus (OTRB) operations.

The proposed rule includes cybersecurity requirements developed by the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency. Higher-risk entities must, among other things, establish and maintain a comprehensive cyber risk management program, meet enhanced record-keeping and incident reporting obligations, perform continuous cybersecurity monitoring, and designate a physical security coordinator.

Listen as our renowned panel breaks down the NPRM and offers guidance to counsel for railroads and other transit entities on implementing these measures.

Presented By

Attorneying Annie Dc, CPS, DR
Partner
Davis Brown Law Firm - Des Moines

Bio for Annie Attorney; loves horses and arguments

Big Boat
Firm Manager
The Mogy Law Firm - Memphis

This is a bio for Big Boat. Big Boat is an avid reader and unicyclist.

Roller S. Coaster MD, CPA, MST, DR
Fun Times
Lee's Test Firm

This is a bio for speaker, Roller Coaster. Roller Coaster enjoys walks on the beach and pizza with pineapple.

Credit Information
  • This 90-minute webinar is eligible in most states for 1.5 CLE credits.


  • Live Online
  • On Demand

Date + Time

  • 1:00 p.m. ET / 10:00 a.m. PT

I. Brief history of directives and NPRM

A. Objections

B. Grand Trunk, et al v. TSA, et al, ___ F.4th ___ (7th Cir. Aug. 21, 2025)

II. Key provisions for railroads

A. Conducting annual enterprise-wide cybersecurity evaluations

B. Developing a cybersecurity operational implementation plan

C. Establishing a cybersecurity assessment plan

D. Incident notification obligations

III. Compliance and enforcement

IV. Challenges to implementation

A. Legacy equipment

B. Interoperability in the industry

C. Costs

V. Best practices for implementation

The panel will address these and other important issues:

  • How does the NPRM fit in with executive orders on cybersecurity?
  • How different is the NPRM from the prior directives?
  • What can rail organizations do to begin to comply?