TSA’s new rail-cybersecurity directives are unnecessary, AAR’s Farmer tells Congress

11/5/2021

The rail industry supports President Biden’s emphasis on government-industry collaboration on cybersecurity, but an industry proposal on the matter that was submitted to the U.S. Transportation Security Administration (TSA) this summer went unanswered, the Association of American Railroads’ (AAR) cybersecurity expert told a House committee yesterday. 

In response to a national security memorandum on cybersecurity concerns for the nation’s critical infrastructure, the rail industry came up with a detailed proposal for how government and industry can together strengthen cybersecurity for all modes of transportation, said Thomas Farmer, AAR’s assistant vice president of security, in testimony before the U.S. House Transportation and Infrastructure Committee. 

“Work on this initiative began over two months earlier in the wake of the Colonial Pipeline cyberattack. In early June 2021, AAR’s security lead joined his colleague at the American Public Transportation Association (APTA) to propose a ‘strategic concept’ for enhancing cybersecurity in the transportation sector. Over the next couple of months, the rail industry took the lead in drafting this strategic concept,” Farmer said, according to a written transcript of his testimony. 

The committee’s Nov. 4 hearing was titled, “The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation’s Infrastructure.” Farmer has been critical of the TSA’s directives, saying they are unnecessary because they replicate efforts the rail industry is already pursuing on the cybersecurity front. 

The TSA directives came out after Homeland Security Secretary Alejandro Mayorkas announced about a month ago that TSA would issue the cybersecurity measures for railroads. 


“Railroads and industry organizations certainly agree that the cybersecurity threat merits priority attention — as demonstrated by the rail industry’s rigorous attention to this issue for more than 20 years. Significantly, each of the actions the secretary said will be covered by TSA security directives for railroads and rail transit agencies is already covered by the rail industry’s August 2021 proposal,” Farmer told the panel. 

He also noted the TSA exercised an “emergency authority” to issue the directives, which means they must be implemented immediately to protect security.  

“Railroads and rail industry organizations have not been advised by federal officials of any prevailing emergency conditions that justify use of this authority,” Farmer said. 

Moreover, the directives could undermine a 20-year effort by the industry to develop cybersecurity information and share it among railroads and with government, which could leave private stakeholders “reluctant to share the information” through the industry's established network.

He also told the panel the federal government’s announcement of the pending directives has led to “erroneous perceptions” that railroads and transit-rail agencies haven’t been fighting cybersecurity threats. That false impression could cause rail shippers and passengers to lose confidence in the industry, Farmer said. 

Specifically, the rail industry’s concerns about the mandated security directives are as follows:  

  • The requirement that the appointed primary and alternate cybersecurity coordinators be U.S. citizens will make compliance by CN and Canadian Pacific, which also have substantial U.S. operations, extremely difficult. 
  • The mandate to report a “cybersecurity incident” is overly broad and will result in high volumes of reports on matters that are not significant from a cybersecurity perspective. 
  • The inflexibility of an overriding government mandate of risk-based determinations on preparedness and response planning, protective measures, and implementing capabilities. 

“Policymakers should build upon the collaborative approach ... that has worked effectively for years, rather than implementing mandates that would needlessly disrupt existing organizational structures and practices that prove their value daily,” Farmer testified. 
