EO 14028 Rolls on - Enhancing Rail Cybersecurity - TSA Directive

Read ahead: Effective, Oct 24, 2022 TSA directs freight railroad carriers (Owner/Operators) to take four critical (straightforward) actions.?

Background: Executive Order 14028, Improving the Nation’s Cybersecurity, will continue to have a cascading (positive) impact throughout the US government, regulated industries, and (indirectly), private sector. It started by tasking the National Institute of Standards and Technology (NIST, under the Dept of Commerce) to solicit private sector and academia to release standards for “critical software”, which turned out to be pretty useful. Simultaneously, the Cybersecurity Infrastructure and Security Agency (CISA, under DHS), operationalizes cyber capabilities for the federal government and is making significant resources available to the private sector. At #mwise conference, CISA director Jen Easterly said that “water, hospitals, and K-12 schools” will be the focus of the next year.?She also teased "cybersecurity performance goals" based on the NIST Cybersecurity Framework (CSF) and highlighted that we currently "put the burden on the lease capable partners".

We’re seeing methodical, consistent direction in regulated industries. This should look very similar to TSA directives to Oil Pipeline (Owner/Operators).?I expect to see guidance to Water and Wastewater next.

Guidance: See the directive for more detail.

1. Designate a cybersecurity coordinator to work with TSA and CISA. This is a security clearance eligible US citizen, who will be designated in writing and “accessible 24/7”.
2. Report cybersecurity incidents (unauthorized access, malicious software, denial of service, or disruption incidents) to CISA within 24 hours in a specific way.
3. Develop a Cybersecurity Incident Response Plan. Specifics provided.?
4. Conduct a Cybersecurity Vulnerability Assessment with remediation plan and report to CISA. Functions and categories are based on CSF.?

Is this helpful to the rail industry? Is it welcome to additional industries? Please share your thoughts in the comments below.