RT&S Special Report: Railroad Cybersecurity – an interview with AAR

Written by David C. Lester, Editor-in-Chief
image description
Cybersecurity remains a threat to the safety of the U.S. rail network.
David C. Lester

During the past several months, RT&S News has reported on concerns about cybersecurity in the industry. These concerns are not new, as they have been the subjects of numerous articles, speeches and conferences for years. Simply put, the increasingly sophisticated information technology and control systems have brought incredible efficiencies and safety improvements to the industry. However, as these systems become more critical to the daily operations of the railroads, the need to protect them from intruders or hackers grows concurrently.

Upon completion of our cybersecurity reports to date, we decided to dig deeper into how well prepared the industry is to deal with cybersecurity threats. We turned to Tom Farmer, who is the Assistant Vice President for Security at the American Association of Railroads.

Tom told RT&S that the key team working on rail cybersecurity is the Rail Information Security Committee (RISC), which was founded in 1999 as a response to concerns about Y2K. After Y2K passed without incident, the railroads thought the group was so productive, they decided to keep it. “We knew that the future of railroads would involve technology,” Farmer said. He adds that the work of RISC is a proactive effort, especially through assessments of cybersecurity posture and sharing of information on cybersecurity concerns and effective practices for risk mitigation. Members of RISC meet virtually twice per month, and in-person twice each year, although the pandemic may postpone the personal meetings for the foreseeable future. Members of RISC include:

  • Class 1 railroads
  • Amtrak
  • Genesee & Wyoming
  • Virginia Railway Express, representing commuter rail interests and priorities
  • The American Short Line & Regional Railroad Association (ALSRRA)
  • Association of American Railroads (AAR)
  • Railinc

Bolstering these efforts, railroads and industry organizations hold exercises, drills, and tests to evaluate the effectiveness of cybersecurity plans and practices. Each year, the Committee prepares for and conducts an industry-level exercise, with participation by its members and numerous short line and commuter railroads in the United States and Canada. The government agencies participating are:

  • Transportation Security Administration (TSA)
  • Federal Railroad Administration (FRA
  • Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)
  • The Federal Bureau of Investigation’s (FBI) Rail Security Program and Cybersecurity Division
  • Transport Canada

Cyber threat intelligence and security information sharing occurs on two levels. First, within the industry through the Rail Information Security Committee members, and, second, in partnership with the government through TSA, DHS/CISA, U.S. Department of Transportation (DOT), the Department of Defense, the FBI, and Transport Canada.

While managing and anticipating security threats is a daily task, these organizations and agencies work together to ensure that the North American rail network is as secure as possible.

Many thanks to the AAR’s Tom Farmer and Jessica Kahanek for discussing this critical subject with Railway Track & Structures.

For the latest railroad news, please visit rtands.com.

Tags: , , ,