If the U.S. ever goes to war with a major adversary, one of the first waves of cyberattacks will likely target infrastructure that rarely comes up in discussions about digital threats: railroads.
Americans understand that power, water and healthcare systems face constant and sometimes sophisticated hacks from foreign governments and criminal gangs. But the U.S. pays far less attention to vulnerabilities in its rail system — even though the consequences of stalled or crashed trains could be disastrous.
“We can't live without rail,” said Tom VanNorman, senior vice president at the industrial cybersecurity firm GRIMM.
Until recently, the government left it up to railroad operators to decide how to protect themselves. But in 2022, the Transportation Security Administration issued the first-ever federal cyber regulations for railroads, ordering freight and passenger carriers and public-transit systems to implement basic security measures and report incidents when they occur.
Over the past two years, rail operators have made progress in adopting the required protections and deepening ties with the TSA. But interviews with experts suggest that the rail industry still lags behind other major infrastructure sectors in understanding the severity of the threats it faces and marshaling resources accordingly.