Cybersecurity Resources for Transit Agencies
FTA provides financial support for some grant recipients’ cybersecurity activities and supports the U.S. Department of Homeland Security (DHS) in promoting enhanced security for transit agencies. Additionally, as a condition of federal assistance, under 49 U.S.C. 5323(v), rail transit operators must certify that they have a process to develop, maintain, and execute a plan for identifying and reducing cybersecurity risks.
FTA has aggregated cybersecurity resources below to support transit agencies as they prepare for, mitigate, and respond to cybersecurity issues. The resources on this page are presented for informational purposes only.
Transportation Security Administration
The Transportation Security Administration (TSA) is seeking input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors. This advance notice of proposed rulemaking (ANPRM) offers an opportunity for interested individuals and organizations, particularly owners/operators of higher-risk pipeline and rail operations, to help TSA develop a comprehensive and forward-looking approach to cybersecurity requirements. TSA is also interested in input from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors. Comments must be submitted by January 17, 2023.
Cybersecurity & Infrastructure Security Agency Alert
In January 2022, the Cybersecurity & Infrastructure Security Agency (CISA) issued a “Shields-Up” message to U.S. organizations. Cyber-attacks could potentially target communications and navigation systems, power grids, and various elements of the transportation sector to disrupt the nation’s ability to command and control operations.
The National Cyber Awareness System alerts provide timely information about current security issues, vulnerabilities, and exploits. Sign up to receive these technical alerts in your inbox or subscribe to our RSS feed.
Some FTA grant programs can support cybersecurity activities, including FTA’s Urbanized Area Formula Program, the Formula Grants for Rural Areas Program, and State of Good Repair Program.
- Urbanized Area Formula Program: Program Guidance and Application Instructions
- Formula Grants for Rural Areas: Program Guidance and Application Instructions
- State of Good Repair Grant Program: Guidance and Application Instructions
Costs related to cybersecurity that may be eligible for federal reimbursement include:
- Staff salaries for personnel involved with security, contracts for security services, and other operating activities intended to increase the security of an existing or planned public transportation system.
- Capital costs to support equipment including computer hardware and software to address cybersecurity.
- The Urbanized Area Formula Program (49 U.S.C. 5307) makes federal resources available to urbanized areas and governors for transit capital and operating assistance and for transportation-related planning in urbanized areas. A recipient must spend at least 1 percent of its 5307 funds on security projects, unless it determines this is not necessary.
The DHS Transit Security Grant Program provides competitive grants to transit agencies for security-related projects.
Cybersecurity Preparedness and Reporting Incidents, Phishing, Malware or Vulnerabilities
National Institute of Standards and Technology Cybersecurity Framework
The voluntary National Institute of Standards and Technology (NIST) Cybersecurity Framework provides standards, guidelines and best practices to manage cybersecurity risk. It focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.
TSA Surface Transportation Cybersecurity Toolkit
The Surface Transportation Cybersecurity Resource Toolkit is a collection of documents designed to provide cyber risk management information to surface transportation operators with fewer than 1,000 employees.
TSA Security Directive and Information Circulars
TSA issued Security Directive 1582-21-01, “Enhancing Public Transportation and Passenger Railroad Cybersecurity” on December 31, 2021. The Security Directive, which applies to all public passenger rail owners and operators identified in 49 CFR 1582.101, requires four critical actions:
- Designate a cybersecurity coordinator who is required to be available to TSA and DHS's CISA at all times (all hours/all days) to coordinate implementation of cybersecurity practices, manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters;
- Report cybersecurity incidents to CISA;
- Develop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should their information and/or operational technology systems be affected by a cybersecurity incident; and
- Conduct a cybersecurity vulnerability assessment using the form provided by TSA and submit the form to TSA. The vulnerability assessment will include an assessment of current practices and activities to address cyber risks to information and operational technology systems, identify gaps in current cybersecurity measures, and identify remediation measures and a plan for the owner/operator to implement the remediation measures to address any vulnerabilities and gaps.
TSA issued IC-2021-01, “Enhancing Surface Transportation Cybersecurity”, dated December 31, 2021, which applies to each passenger railroad, public transportation agency, or rail transit system owner/operator identified in 49 CFR 1582.1. This circular provides the same four recommendations for enhancing cybersecurity practices listed above. While this document is guidance and does not impose any mandatory requirements, TSA strongly recommends the adoption of the measures set forth in the circular.
CISA Cybersecurity Reporting
CISA provides secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. Federal incident notification guidelines, including definitions and reporting timeframes, can be found at http://www.us-cert.gov/incident-notification-guidelines. To submit a report, please select the appropriate method from below:
- Attempts to gain unauthorized access to a system or its data,
- Unwanted disruption or denial of service, or
- Abuse or misuse of a system or data in violation of policy.
Share indicators and defensive measures: share cyber threat indicators and defensive measures with DHS and the federal government (including sharing under the Cybersecurity Information Sharing Act of 2015).
Report phishing: an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques, typically via emails containing links to fraudulent websites.
Report malware: malicious code (e.g., viruses, worms, bots) that disrupts service, steals sensitive information, gains access to private computer systems, etc.
TSA 5N5 Cybersecurity Workshop Series
These workshops raise awareness of federal cybersecurity support programs and the many DHS resources and programs available to transportation owners and operators, as well as non-technical policy or procedural actions that can enhance their company’s or agency’s cybersecurity. The series focuses on transit, passenger rail, trucking, over-the-road buses, school buses, freight rail, and pipeline modes of transportation.
Federal Virtual Training Environment
The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training for all proficiency levels. It contains more than 800 hours of training on topics such as ethical hacking and surveillance, risk management, and malware analysis, as well as certification prep courses for certified information security managers and certified information systems security professionals.
- Regional Offices
- Report Incidents, Phishing, Malware, or Vulnerabilities
- CISA Ransomware
- Cyber Hygiene (CyHy) Services
- Cyber Information Sharing and Collaboration Program (CISCP)
- Joint Cyber Defense Collaborative (JCDC)
- Cybersecurity Guidance and Training Resources
- Cyber Essentials Starter Kit–The Basics for Building a Culture of Cyber Readiness
- Cyber Essentials Toolkits
- CISA Cybersecurity Workforce Training Guide
- Federal Virtual Training Environment (FedVTE)
- CISA FedVTE Online Cybersecurity Training Courses
- CISA Training Available for Industrial Control Systems (ICS) Cybersecurity