TSA issues ‘performance-based’ cyber directive for rail operators, calling for security implementation plans

The Transportation Security Administration today issued an updated directive requiring major rail operators to develop cybersecurity plans including policies on network segmentation, access controls, continuous monitoring and patching, under what TSA is calling a collaborative and “performance-based” approach to cyber.

The seven-page directive, taking effect on Oct. 24 and good for one year, requires operators to “establish and implement a TSA-approved Cybersecurity Implementation Plan,” and to establish a cyber assessment program.

The “TSA-specified passenger and freight railroad carriers” must:...