Railroad can’t avoid costly TSA-ordered cybersecurity measures: Court

The Transportation Security Administration did not violate regulatory requirements when it used emergency procedures to impose cybersecurity requirements on U.S. railroads that could cost $100 million, a federal appeals court ruled.

The TSA introduced the Rail Cybersecurity Mitigation Actions Testing directive in 2022, and renewed it annually, stating that increased threats from foreign governments demanded tighter security.

But U.S. units of Montreal-based CN argued that the TSA bypassed notice and comment requirements, did not conduct a required cost-benefit analysis and the ongoing threat of cyberattacks does not constitute an emergency.

In Grand Trunk Corp. and Illinois Central Railroad Co. v. Transportation Security Administration, the 7th U.S. Circuit Court of Appeals in Chicago ruled Thursday that under federal law, the TSA has “significant discretion” to establish emergency cybersecurity rules.

The directive requires high-risk railroads and operators, including those carrying explosives, toxic gases, hazardous liquids and radioactive materials, to implement cybersecurity plans.

Among other things, the plans require network segmentation policies, ongoing cybersecurity monitoring and timely security patch updates. The railroads must also develop cybersecurity assessment plans and submit annual updates for TSA approval.

The TSA argued that the directive was necessary because of “significant threats from foreign adversaries like Russia, China, and independent cybercriminals,” the ruling says.

And the court has no reason to distrust the government’s regularly updated intelligence reports on cyber threats, the ruling states.

“Given the broad statutory language empowering TSA with significant discretion, the historical precedent under analogous statutes that emergencies may last many years, the tradition of national security deference … and the Transportation Security Oversight Board’s ratifications, we accept TSA’s determination that immediate action was required and notice and comment was not,” the court ruled.

CN said Friday that it had “no comment at this time.”