
Ben Lane, CIPRNA event manager, met Janet St. John, Director of Cyber Security at the Association of American Railroads (AAR).
Operating over a private, 140,000-mile network stretching across the far reaches of North America, AAR members include the major freight railroads in the United States, Canada and Mexico, as well as Amtrak. Working with elected officials and leaders in Washington, D.C. on critical transportation and related issues, AAR ensures that the freight rail industry will continue to meet America’s transportation needs today and tomorrow.
This is a transcript of their conversation.
Ben Lane:
Janet, thanks for joining us today and we’re pleased to announce you’re going to be joining us in CIPRNA in Houston (March 11-13) as one of our speakers on the Transport Sector Symposium: https://ciprna-expo.com/session/transport-sector-symposium/
We are very much looking forward to seeing you there. Let’s start off with a quick question about you, and your career to date.
Janet St. John:
I really appreciate the opportunity to speak to you, and I’m also very much looking forward to the speaking engagement in Houston. I’m the director of cybersecurity at the Association of American Railroads. I have worked in the transportation sector, focused on both physical and cybersecurity for going on 25 years.
I started out as a geographic information systems crime analyst and then made my way to working within transportation, and the highway sector. And then working with the information sharing and analysis centers that we have through our National Council of ISACs. And then I made my way to the AAR, where I have been employed as their director for around six years.
I get to work with some fantastic people. I manage one of the committees through the AAR, which is the Rail Information Security Committee, that is comprised of our CISOs and their senior leadership within their information technology and OT departments. We get together bi-weekly to discuss cybersecurity issues, whether it be the threat actors that we’re monitoring or best practices, but there’s collaboration and cooperation in keeping our industry safe from cyber threats that I’m going to be very happy to talk about in Houston.
Ben Lane:
A key point of the conference is to bring parties together, particularly with the incidents we talked about earlier about the horrific air incident in America (January 29, 2025). It’s at times like this that collaboration and cooperation come to the front, even more so. We’re thinking about everyone involved in that horrific incident and our condolences go out to everyone.
Where and what does the AAR see as the challenges for security on the railroads and in terms of resilience? What are the main challenges you are seeing?
Janet St. John:
Well, right now with a change in administration there have been challenges impacting on what I think is a very, very important component, which is our public-private partnerships that we have worked on and put together for decades now. Since 9/11, there has been a lot of collaboration and a lot of trust built between the critical infrastructure, key resource community, and with DHS, Department of Homeland Security, and Federal Bureau of Investigation.
These components have worked very hard to build up this trust that allows for a robust information sharing collaboration, and we’re worried about where this is going to go, and that is one of our concerns. As far as the industry is concerned, we have a very robust security program that we manage through the AAR, that consists of not just our members of the Class 1 railroads, but Amtrak, our passenger rail and regional railroads, and also our short lines and regional railroads through the American Short Line and Regional Railroad Association.
And within the security program, we have the rail security working committee, which is our DHS liaisons, our law enforcement, and the focus there is on physical security within the railroads. They have been around for over 20 years. And within those committees we have a broader security program that is managed with an overall industry-wide security plan.
We also operate a common operating environment where we can share security information, not just within the rail industry, railroad to railroad, but also with our government partners. And that’s one of the things that we have worked on and that we want to see continue and to grow, is that collaboration with our government partners. So, we focus on areas of where the threat is, what are our vulnerabilities, what is the risk, and we assess our risk all the time through the AAR and through these committees.
Ben Lane:
Yes, and “collaboration” was a key word I took out from that. And again, we’re back on that idea of collaboration and without that or without effective collaboration, the system won’t work.
You have a large area to cover and different environments across this area. How is this managed from an economic point of view?
Janet St. John:
First, railroads are mindful of all antitrust laws when it comes to information that could create a competitive advantage, and we begin each meeting of the Rail Information Security Committee with a statement of our obligations under those laws. When it comes to cyber threat information sharing to enhance security, the public has a vested interest in railroad collaboration across carriers to share best practices and evolving threats.
Collaboration is important because freight trains move across the country, and may travel across lines owned by different railroads between origin and destination. So a train that is owned and operated by Norfolk Southern, for example, may use track that is owned by BNSF and vice versa. And then we have Amtrak that shares some of those tracks as well. So, there’s certain collaboration and cross-pollination involved in being able to get goods from point A to point B.
As far as our economic impact, we’re very important to the supply chain in the United States and in Canada and Mexico. There are a lot of commodities that railroads transport that other modes of transportation cannot or have a very limited space in that area. We are also a military transport of personnel and equipment. Therefore, there is a lot of focus on the railroad industry for our economic importance to the United States, our consumers, our citizens, and our role that we play in national security.
Ben Lane:
One question I would like to add, just to get a bit of personal insight. What keeps you awake at night?
Janet St. John:
Railroads understand and take seriously our responsibility to our people and the communities we serve. One thing that we don’t want to see is the aviation accident that happened last night (January 29, 2025) here in Washington, DC where many people perished. It’s those types of accidents that keep us up at night. We are also concerned with and keep monitoring a lot of the geopolitical aspects, because in some ways those do impact our security, whether it be the protests that might spill over into or onto our railroad tracks or within the ports against military shipments. So geopolitical events have an impact on all critical infrastructure and so that is something that we are very keen to keep an eye on.
Ben Lane:
Thank you so much and we look forward to seeing you in Houston giving your talk at our Transport Sector Symposium.
Janet St. John:
Thank you. I look forward to the opportunity.