Transportation Security Administration Administrator David Pekoske said the agency has extended the deadlines outlined in its forthcoming security directive for railroad operators following consultation with the industry.
TSA pushed the deadline for railroad operators to report any potential and confirmed cyber incidents from 12 to 24 hours and the deadline to develop a cybersecurity contingency plan from 60 days to six months, Federal News Network reported Tuesday.
The security directive scheduled to be released by the end of the year will require critical transport and railroad companies to designate a cybersecurity coordinator, submit cyber incident reports to the Cybersecurity and Infrastructure Security Agency, conduct a cyber vulnerability assessment and prepare an incident response plan.
“We’re looking at the entities that transport the largest number of passengers and the largest volume of cargo through the nation’s most populated metropolitan areas,” Pekoske said.
He added that TSA will issue an information circular providing similar recommendations for the remaining rail, public transportation and bus operators.
Earlier in May, TSA instructed pipeline systems operators to owners and operators of U.S. pipeline systems to submit cyber incident reports to CISA following the ransomware attack against Colonial Pipeline.
Unlike the pipeline security directives, the rail transit and railroad directives will be available to the public, according to Pekoske.