
Increased pressure on the private sector to protect critical infrastructure extends to the rails.

The Biden administration's latest directive puts the rail systems under the microscope. Following the trend of recent months, the federal government is involving itself directly in the cybersecurity affairs of critical infrastructure operators.

As of December 31st, 2021, major passenger and freight railroads will be required to adhere to stricter cyber procedures and regulations. The orders will affect about 90% of passenger rail systems in the U.S. and 80% of vital freight rail systems that have a significant impact on economic and national security.

These new directives from the Transportation Security Administration require that most railroads designate a cybersecurity coordinator, report hacking incidents to the Department of Homeland Security within 24 hours, conduct a vulnerability assessment, and develop an incident-response plan for attacks. The goal is to keep public transportation safe and protect critical infrastructure from evolving threats nationwide.

Cybercrime is finally being recognized as a priority threat to national security.

The rules follow and expand on mandates stemming from the Colonial Pipeline ransomware attack that shut down one of the largest fuel systems in the country earlier this year. The Department of Transportation, which regulates aviation and rail, has already imposed various anti-hacking protections on such things as aircraft computer designs, but nothing as thorough as these new regulations.

TSA recently updated its aviation security programs to require that airport and airline operators identify a cybersecurity coordinator and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). In November, CISA began requiring federal agencies to fix cybersecurity flaws within specific time frames. That order applies to all software and hardware on federal information systems, including those managed by a government agency or hosted by third parties.

Early in the process, officials representing the rail and transit sectors complained to Congress last month that the reporting requirements were too broad and extensive. The redirection of resources and personnel was among their most pressing concerns. However, most of the major reservations the Association of American Railroads initially had seem to have been resolved in the final directives.

This move is a major step in the right direction. Private industries cannot remain unregulated when the threat is so near and the potential damage so devastating. As cybercriminals and enemy nation states evolve, so must the measures we take to protect ourselves. Shoring up critical infrastructure seems a good place to start. 


Cylera is the next generation in IoT and medical device security, with enhanced intelligence. We deliver richer data, stronger security and faster reaction times in order to safeguard what matters most: people, data and privacy. Unlike others who use “first-generation” approaches that fall short, Cylera's Platform is next-generation, patented technology, with unique IoT Device Emulation/digital twin that has zero disruption and can assess true risk within IoT and medical devices with clinical workflow context. Cylera's insights and recommendations simplify response playbooks when incidents arise, decrease time to remediate, and enable informed decision-making. Aligned with the NIST Cybersecurity Framework, ISO 27001, HIPAA, NIS and others, Cylera addresses IoT risks to patient care and safety.


