TSA issues security directives for surface transportation systems, associated infrastructure


The U.S. Department of Homeland Security’s Transportation Security Administration (TSA) division announced on Thursday two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

The TSA security directives require owners and operators to designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, and develop and implement a cybersecurity incident response plan to reduce the risk of operational disruption. Owners and operators of surface transportation systems and associated infrastructure will also have to complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems, in line with the new provisions.

These security directives are aimed at high-risk freight railroads, passenger rail, and rail transit, based on a determination that these requirements need to be issued immediately to protect transportation security.

TSA also released guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. Further, TSA recently updated its aviation security programs to require that airport and airline operators implement the first two security directives. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators. TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.

To arrive at its new security directives, TSA sought input from industry stakeholders and federal partners, including CISA, which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Secretary of Homeland Security Alejandro N. Mayorkas said in a media statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

The first security directive, which focuses on enhancing rail cybersecurity, will be applicable until Dec. 31, 2022. The TSA said that, in order to avoid duplicate reporting, the information provided to CISA in line with the security directive will be shared between the TSA and CISA, and may also be shared with the National Response Center and other agencies, as appropriate.

The TSA and CISA will use the information submitted for vulnerability identification, trend analysis, or to generate anonymized indicators of compromise or other cybersecurity products to prevent other cybersecurity incidents.

The second security directive released on Thursday works towards enhancing public transportation and passenger railroad cybersecurity. Like the first directive, the second directive will also be applicable till the end of next year, and the agencies will carry out information sharing.   

In its guidance, the TSA offers recommendations for enhancing cybersecurity practices. It recommends the designation of a Cybersecurity Coordinator who would be available to TSA and CISA at all times (all hours/all days) to coordinate the implementation of cybersecurity practices, manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters. 

It also advises reporting cybersecurity incidents to CISA, and developing a cybersecurity incident response plan that will work towards decreasing the risk of operational disruption should information and/or OT (operational technology) systems be affected by a cybersecurity incident. The agency also recommends conducting a cybersecurity vulnerability assessment using the form provided by TSA.

The vulnerability assessment includes an assessment of current practices and activities to address cyber risks to IT and OT systems, identify gaps in current cybersecurity measures, and point out remediation measures.

“While this document is guidance and does not impose requirements on any person or company, TSA most strongly recommends the adoption of the measures herein. Nothing in this document shall supersede federal statutory or regulatory requirements,” it added.

Cyberattacks against transportation infrastructure have been increasing and are emerging as a key challenge, due to the prevalence of remote and anonymous connectivity to a system or network, and the capability to effect a physical consequence through virtual means.

Cybersecurity threats to the surface transportation domain are persistent and evolving as the industry continues to depend on the convenience, efficiencies, and connectivity of information and operational technology systems, and on their convergence. Railroads, public transportation agencies, and over-the-road bus operators all have technology that needs to be appropriately secured.

Earlier this week, the TSA appointed six new surface transportation industry leaders to serve on the Surface Transportation Security Advisory Committee (STSAC).    

“These new members bring significant experience in surface transportation and add particular expertise in pipeline operations and cybersecurity to the committee,” David Pekoske, TSA administrator, said in a media statement. “As an agency, we work to remain steps ahead of evolving threats, and I anticipate the experience these professionals bring to the committee will help us.”

Following the Colonial Pipeline ransomware attack that hit in May, the TSA issued two security directives in May and July, designed to strengthen the security of the country’s pipelines. The TSA had called upon pipeline owners and operators to designate a cybersecurity coordinator, report cyber incidents to CISA within 12 hours, implement a number of basic security hygiene measures, develop contingency plans in the event of a cyberattack, and subject their systems to robust vulnerability testing.
