Getting on track with TSA cybersecurity rules for public transit

December 12, 2023 Article 4 min read
Kyle Miller
Regulatory bodies continue to introduce new recommended and mandatory actions for transit agencies in response to persistent and ever-evolving cyberthreats. Here are three tips to help you comply and safeguard your agency.
Public transit agencies, freight and passenger rail operators, and over-the-road bus owner/operators constantly face cybersecurity threats just as any business does today. The added risk for this sector is that a cybersecurity failure in their systems could affect not only their operations but also public infrastructure critical to businesses and individuals throughout a region or even the nation.

As a result, regulatory bodies continue to introduce new directives and related guidance that establish guidelines on how these agencies and businesses should protect against and respond to the persistent and ever-evolving cyberthreats to surface transportation systems and associated infrastructure.

Depending on the nature and size of a covered public transit agency, compliance with these guidelines could be mandatory or, for now, they could serve as recommended best practices for cybersecurity. Either way, transit leaders and key stakeholders need to be aware of these security directives and take action to implement them in their agencies. Even smaller agencies that may not be subject to the mandate at this time could find themselves required to comply under a future expansion of the rules. Here are three tips for getting your transit agency on track for compliance.

Become familiar with evolving TSA cybersecurity directives for transit

Effective Dec. 31, 2021, the Transportation Security Administration (TSA) issued a directive to strengthen cybersecurity for higher-risk public transportation agencies, freight railroads, passenger rail, rail transit, and over-the-road bus owner/operators. The directive requires owners and operators of critical rail agencies to:

  1. Designate a cybersecurity coordinator.
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours.
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption.
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

While cybersecurity actions like these are currently voluntary for most lower-risk transit agencies, they’ve now become mandated requirements for higher-risk critical transit agencies. Effective Oct. 24, 2023, a more recent TSA security directive now requires that the higher-risk groups listed above document a formal cybersecurity implementation plan, assess the effectiveness of that plan, and report results/updates annually to the TSA. At this time, these measures are still merely recommended for most transit agencies that don’t fall into the high-risk group, but it seems likely that they’ll become requirements in the not-too-distant future.

Public transit agencies face an additional wrinkle when it comes to complying with these directives, as they typically depend heavily on services from external vendors. The 2023 directives make clear that when an owner/operator delegates cybersecurity responsibilities to a “managed security service provider,” the owner/operator “retains sole responsibility under this security directive for ensuring compliance with the TSA-approved Cybersecurity Implementation Plan and the Security Directive.” In short, if a public transit agency is affected by a cybersecurity incident in a process that it contracted out to a security service provider, the TSA will still hold the transit agency’s leaders responsible for compliance with the directive.

Be prepared — create a cybersecurity plan

If your agency doesn’t have a cybersecurity incident response plan in place yet, it’s not alone. While some transit agencies are aware of cybersecurity risk and have implemented countermeasures, most agencies don’t have basic policies and procedures in place to respond in the event of a cyber incident. According to the Mineta Transportation Institute, 42% don’t have an incident response plan in place, while 53% don’t have a continuity of operations plan and 58% lack a continuity of business plan.

Luckily, there are tools available to assist organizations in performing a self-assessment. The TSA’s Surface Transportation Cybersecurity Resource Toolkit provides standard cybersecurity frameworks and functional tools to perform a self-assessment of your cybersecurity program. At the same time, this resource includes a wide variety of tools with varying degrees of relevance to different public transit agencies. Many agencies have found it helpful to work with an outside cybersecurity consultant to better understand the specific implications of these directives on their operations and to assess their cybersecurity vulnerabilities and develop a customized incident response plan.

Make sure leadership is on board

Given the increasing level of cyber risk to the transit sector, leaders must take proper steps to ensure the safety and security of their systems. Collaboration from the top down is essential to addressing vulnerabilities and risks and complying with regulations — cybersecurity isn’t just an IT responsibility. Agency and cybersecurity leaders must work together to address new and evolving requirements, assess the risks, and prioritize cybersecurity across the organization. Does your agency have adequate talent and bandwidth to proactively address these concerns?

Don’t let your organization get caught off guard by new and evolving cybersecurity reporting requirements. If you have questions about the TSA regulations and creating a plan for your agency, feel free to reach out to us.
