February 5, 2025
Acting Administrator
Transportation Security Administration
6595 Springfield Center Drive
Springfield, VA 20598
RE: Enhancing Surface Cyber Risk Management
Docket No. TSA-2022-0001
Acting Administrator:
On behalf of the Transportation Trades Department, AFL-CIO (TTD), I am pleased to respond to the Transportation Security Administration’s (TSA) notice of proposed rulemaking (NPRM) regarding surface cyber risk management. TTD consists of 37 affiliated unions representing the totality of rail labor, including both passenger and freight rail workers.[1] Our affiliated unions represent the workers who operate, maintain, and dispatch trains; inspect and maintain signal systems, switches, and track; and perform a host of other safety-critical tasks in the rail sector. Not only do these workers bear the greatest risk exposure associated with cyber threats, but they are the eyes and ears of our rail systems and should be considered instrumental to the implementation of cyber risk management and reporting of cyber threats.
In its NPRM, the TSA is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators to report cybersecurity incidents. The patchwork system of cybersecurity programs that currently exists is woefully insufficient to address the needs of today’s cybersecurity landscape. Railroad operations alone rely on many critical cyber systems, including but not limited to: the PTC system, Trip Optimizer or Electronic Train Management System (ETMS), computerized train dispatching systems, and remote switching operation systems. The rail network also plays a key role in maintaining the country’s electrical and energy infrastructure. Given the number of crucial roles that rail serves on a daily basis, securing our country’s rail infrastructure cannot be delayed. TTD therefore applauds the TSA for initiating this rulemaking to create mandatory CRM program standards for railroads that will protect their workers and the public.
We are encouraged to see that the TSA has delineated training requirements in the final version of this proposed rule. Specifically, the TSA noted in the preamble to the NPRM, “Regular training helps employees recognize their role in cybersecurity and how they serve as an additional ‘sensor’ to detect an incident, regardless of their technical expertise.”[2] TTD previously commented on the TSA’s advance notice of proposed rulemaking on this issue that workers, particularly those who are operating or dispatching trains that can weigh more than 16,000 tons and exceed five miles, should be trained to recognize suspicious activity and implement procedures for reporting and responding to incidents.[3] Investments in and a focus on training directly correlate to employee and public safety. We appreciate that the TSA recognizes the essential role frontline workers play in preventing cybersecurity incidents and urge the agency to maintain robust training requirements in its finalized rule.
TTD welcomes the TSA’s cybersecurity rulemaking and appreciates the opportunity to comment on this docket. The frontline workers on the ground are in the best position to identify and respond quickly to cybersecurity vulnerabilities and we are glad to see that the TSA recognizes this reality. We look forward to working with the TSA on this important issue in the future.
Sincerely,
Greg Regan
President
[1] Attached is a complete list of the unions affiliated with TTD.
[2] https://downloads.regulations.gov/TSA-2022-0001-0040/content.pdf
[3] https://ttd.org/policy/federal-comments/ttd-calls-on-tsa-to-secure-critical-rail-infrastructure/