Seventh Circuit Upholds TSA Rail Cybersecurity Directives
On August 21, 2025, the U.S. Court of Appeals for the Seventh Circuit issued a significant decision in Grand Trunk Railroad v. Transportation Security Administration, upholding the Transportation Security Administration’s (TSA) authority to impose mandatory cybersecurity directives on higher-risk railroads. The case marks the first appellate ruling on TSA’s rail cybersecurity program and signals a strong judicial endorsement of the agency’s broad discretion to address persistent national security threats in the transportation sector.
The Security Directives
The case arose after TSA issued a series of “Rail Cybersecurity—Mitigation Actions and Testing” Security Directives (SDs) following the Colonial Pipeline ransomware attack. These directives required higher-risk and STRACNET railroads to implement technical controls such as network segmentation, continuous monitoring, timely patching of critical cyber systems, and the submission of TSA-approved Cybersecurity Implementation and Assessment Plans.
The Railroads’ Challenge
Grand Trunk and Illinois Central challenged the directives by direct petition to the Seventh Circuit, arguing that TSA exceeded its statutory authority and improperly bypassed notice-and-comment rulemaking procedures. The railroads advanced several arguments. First, they claimed that TSA could not rely on its “emergency” authority under 49 U.S.C. § 114(l)(2) to issue repeated directives addressing an ongoing cyber risk, as the statute should be limited to sudden and unforeseen threats. Second, they asserted that TSA lacked substantive authority to regulate private railroads’ cybersecurity obligations through directives, contending that the cited provisions govern only the agency’s internal operations. Finally, they criticized TSA’s failure to conduct a cost-benefit analysis and assess the impact of the directives on smaller carriers, alleging violations of the Regulatory Flexibility Act.
The Opinion
The Seventh Circuit rejected each of these arguments. The court held that TSA reasonably treated persistent and evolving cyber threats from nation-state adversaries as an “emergency” justifying immediate action. The court emphasized that the Transportation Security Oversight Board had repeatedly ratified the directives and that TSA simultaneously pursued permanent rulemaking to codify similar requirements. The court also found that § 114 provides TSA with broad substantive authority to regulate security across all modes of transportation, including cybersecurity measures for railroads. Finally, the court concluded that cost-benefit analysis requirements apply to regulations, not emergency directives, and that Congress deliberately distinguished between the two.
Key Takeaways
For railroads, the decision has both immediate and long-term consequences. In the short term, higher-risk carriers must continue to comply with the directives, which mandate annual updates to cybersecurity plans and ongoing implementation of technical safeguards. Looking forward, TSA’s pending rulemaking—published as a Notice of Proposed Rulemaking in November 2024—aims to formalize these requirements into permanent regulations, with industry-wide costs projected at approximately $100 million per year. The court’s decision signals that procedural challenges to these measures are unlikely to succeed, shifting the industry’s focus to compliance strategies and cost management.
As TSA moves from emergency directives to codified regulations, rail carriers and their supply-chain partners should expect heightened scrutiny and align their cybersecurity investments with long-term regulatory expectations.
