Shift5 Helps Rail Owners & Operators Comply with TSA Cybersecurity Directives

Shift5 Team December 3, 2021

Yesterday, the U.S. Transportation Security Administration released official regulations directed to rail and rail transit groups designed to bolster cybersecurity risk management. The regulations will go into effect December 31, 2021, following a year marked by a series of cyberattacks targeting the rail industry. New York’s Metropolitan Transportation Authority, The Port of Houston — one of the largest depositories of airline passenger records, and global railroads each faced targeted attacks. The risk of cyberattacks is becoming more evident, and in response, the TSA is directing rail operators to take four immediate actions: 

  1. Designate a cybersecurity coordinator
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of detection 
  3. Complete vulnerability assessments to address risks both within Information (IT) and Operational (OT) technology systems
  4. Develop a cybersecurity incident response plan based on security issues discovered

According to The Hill, “Owners and operators will have 90 days to conduct a cybersecurity vulnerability assessment and 180 days to implement a cybersecurity incident response plan.”

Read on for an explanation of each requirement and to see how Shift5 can help.

Designate A Cybersecurity Coordinator

The cybersecurity coordinator serves as the point of contact for all cyber-related incidents, activities, and communication between the rail organization and TSA / CISA. In addition to being accessible 24/7 to the TSA and CISA, the cybersecurity coordinator is responsible for conducting proper cybersecurity practices and procedures internally in the rail organization. They must have awareness and understanding of the cyber situation on all of their rail assets at all times, and for that they will need real-time data and the right tools. We provide those tools and data.

Once the individual (as well as an alternate) has been identified, your company must provide their names, titles, and email addresses in writing to the TSA by January 6th, 2022 (seven days after the effective date).

Email to be sent to:

Report Cybersecurity Incidents to CISA within 24 hours

Rail industry professionals are actively debating the type of incidents to report and to what extent a disruption to service and/or operations is deemed a “cyber incident.” According to the TSA, a cybersecurity incident involves one of the following:

  • Unauthorized access of an IT or OT system
  • Discovery of malicious software on an IT or OT system
  • Activity resulting in denial of service to any IT or OT system
  • Any other incident that results in:
      • Disruption of operations to the railroad carrier’s IT or OT systems
      • Potential to cause impact to a large number of customers or passengers, critical infrastructure or core government functions, or to impact national security, economic security or public health and safety

These incidents must be reported to CISA within 24 hours after a cyber incident has been identified; reports can be submitted through CISA's online reporting system.

How Shift5 Can Help → In order to report any type of incident, rail organizations must gain full visibility into their systems and networks both in IT and OT. Shift5 specializes in OT cybersecurity of rolling stock and can implement a real-time cyber visibility solution across an entire rail fleet to help ensure nothing slips through the cracks. Once our hardware is installed, we can capture all data on your OT networks, monitor your cyber health, and immediately alert you to potential threats and incidents. 

Complete A Vulnerability Assessment

By March 31st, 2022 (90 days after the effective date), your organization must complete a cybersecurity vulnerability assessment for both IT and OT systems and identify gaps using a form provided by TSA (to be sent directly to you). The assessment should cover current practices and activities for both IT and OT systems and identify remediation measures to address any identified vulnerabilities and gaps.

How Shift5 Can Help → Vulnerability assessments are nothing new in the world of IT, but in the rail industry, OT cybersecurity for trains is fundamentally different. In general, you cannot use IT tools to perform OT vulnerability assessments. Trains are increasingly filled with digital OT components, which makes them more vulnerable than ever to cyberattack. As part of a cyber vulnerability assessment for your rail organization, Shift5 conducts an interactive and dynamic process designed to find vulnerabilities in OT hardware, software, and networks. We will produce a report that details vulnerability findings and recommended actions to reduce risk and inform an incident response plan. Shift5 is one of the few companies on the market that specializes in and has significant experience in performing vulnerability assessments on OT networks.

Develop Incident Response Plan

Within 180 days of the effective date (unless otherwise directed), your organization must develop and adopt a Cybersecurity Incident Response Plan to reduce the risk of operational disruption, should you experience a cybersecurity incident. This plan must include the following:

  • Prompt identification, isolation and segregation of the infected systems from the uninfected systems, networks, and devices
  • Security and integrity of backed up data
  • Established capability and governance for isolating the IT and/or OT systems in the event a cybersecurity incident arises
  • Annual situational exercises to test effectiveness

How Shift5 Can Help → The information gleaned during the cyber vulnerability assessment for your rail organization can be used to develop an incident response plan that meets the requirements of the directive. Shift5 can also simulate cyber intrusions during your assessment to test the effectiveness of your plan. Furthermore, we provide intrusion detection and alerting that can help operators and maintenance personnel take action to mitigate or eliminate cybersecurity threats in the long term.

The U.S. Department of Homeland Security designated the Transportation System Sector as one of 16 critical infrastructure sectors, whose disruption would have a debilitating effect on our nation’s security. The stakes for transportation infrastructure cybersecurity are high, and recent cyberattacks demonstrate risk has moved from a hypothetical to a reality. Shift5 can help rail industry owners and operators meet TSA requirements to keep trains running in a contested cyber environment.

What to do next

  1. Download the official directive from TSA (Freight, Passenger)
  2. Schedule a call now to learn more about how Shift5 can help your organization meet the requirements of Security Directives 1580-21-01 and 1582-21-01

About Shift5
Shift5 is the OT cybersecurity company that protects the world’s transportation infrastructure and weapons systems from cyberattacks. Created by founding members of the U.S. Army Cyber Command who pioneered modern weapons system cyber assessments, Shift5 defends military platforms and commercial transportation systems against malicious actors and operational failures. Customers rely on Shift5 to detect threats and maintain the resilience of a wide variety of operational technology systems, including aviation, rail and metro, defense, helicopters, and other heavy fleet machinery. For more information, visit