TSA cybersecurity mandates put onus on freight railroad carriers to meet compliance, boost operational resilience

With the release of the new Security Directive by the U.S. Transportation Security Administration (TSA), designated passenger and freight railroad carriers must establish and implement a TSA-approved cybersecurity implementation plan and set up a cybersecurity assessment program with an annual plan submitted to the transport agency. Clearly, the federal government is working towards raising the bar on meeting cybersecurity compliance while also pushing organizations to enhance cybersecurity resilience by focusing on performance-based measures.

Effective for a year from Oct. 24, the TSA’s security directive comes following extensive input from industry stakeholders and consultations with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the Department of Transportation. Rail industry owners and operators must designate a cybersecurity coordinator who is required to be available to both the TSA and the CISA at all times, coordinate the implementation of cybersecurity practices and management of security incidents, and serve as a principal point of contact with the agencies for cybersecurity-related matters. 

These freight railroad carriers must also report to CISA cybersecurity incidents involving systems that they operate and/or maintain, including unauthorized access to an IT or operational technology (OT) system, the discovery of malicious software on an IT or OT system, and activity resulting in a denial of service to any IT or OT system. Additionally, carriers must report any other cybersecurity incident that results in operational disruption to the freight railroad carrier's IT or OT systems, or an incident that has the potential to affect a large number of customers or passengers, critical infrastructure, or core government functions, or that impacts national security, economic security, or public health and safety.

The latest cybersecurity requirements also require that the owners and operators within the rail industry develop a cybersecurity incident response plan that will reduce the risk of operational disruption should their IT and/or OT systems be affected by a cybersecurity incident. Additionally, owners and operators must conduct a cybersecurity vulnerability assessment using the form provided by TSA and submit the form to TSA. 

The TSA-approved cybersecurity implementation plan seeks to bring in access control measures to secure and prevent unauthorized access to critical cyber systems, and implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations. Furthermore, the plan intends to reduce the risk of exploitation of unpatched systems by applying security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems promptly using a risk-based methodology.

The vulnerability assessment will include an assessment of current practices and activities of the freight railroad carriers to address cyber risks to IT and OT systems, identify gaps in current cybersecurity measures, and identify remediation measures and a plan for the owner/operator to implement the remediation measures to address any identified vulnerabilities and gaps.  

The new directive further requires freight railroad carriers to develop network segmentation policies and controls that separate OT systems from other IT systems, so that OT systems can continue to operate safely if an IT system is compromised. It also aims to reduce the risk that cybersecurity threats pose to critical railroad operations and facilities by implementing layered cybersecurity measures that provide defense in depth.

Carriers also must create access control measures, build out detection policies for cyber threats, and implement timely patching or updating processes for operating systems, applications, drivers, and firmware. All of these requirements must be included in a cybersecurity implementation plan that must be submitted to TSA by Feb. 21, 2023, which TSA has to approve – and the agency may ask clarifying questions or require revisions before granting such approval. 

The latest TSA security directive reflects the agency’s evolving approach to imposing prescriptive and granular cybersecurity requirements on critical infrastructure entities within its jurisdiction. 

The TSA mandates for freight railroad carriers mirror the July 2022 security directive covering pipeline systems and facilities. That directive revised TSA's prior approach: rather than directly imposing specific cybersecurity requirements, it asks covered entities to submit their proposed approaches to meeting those requirements in a cybersecurity implementation plan for approval. Once TSA approves the plan, the plan itself sets the security measures and requirements against which TSA will inspect for compliance.

Christopher Carney, a senior policy advisor at Nossaman

Christopher Carney, a senior policy advisor at Nossaman, wrote in a Mondaq post that the security directive is quite specific as to the responsibilities of the rail systems and clearly identifies what rail systems must do. “While this could be taken to suggest rail owner/operators will face increased litigation risk if they are found to be non-compliant when an incident occurs, the directive does not identify any penalties for non-compliance,” he adds.

Industrial Cyber reached out to industry experts to assess how prepared and capable freight railroad carriers are to meet the cybersecurity requirements of the latest security directive. They also provide a snapshot of the challenges they anticipate railroad owners and operators could face as they implement the provisions of the security directive.

Rail owners and operators have been under the attention of the U.S. government following the cyberattack on Colonial Pipeline in 2021, Josh Lospinoso, co-founder and CEO at Shift5, told Industrial Cyber. “The original TSA requirements for rail operators came ten months ago, and last month, the White House held closed-door briefings for rail owners/operators on targeted cybersecurity threats. These should be considered indications that the US government is aware of the rising risk profile of the industry at large.”

Josh Lospinoso, CEO and co-founder at Shift5

“In fact, we know rail is a target for malicious actors,” Lospinoso said. “Consider the recent attack on the NYMTA’s computer systems by hackers with suspected ties to China; the ransomware attack on the Santa Clara Valley Transportation Authority’s computer systems, leaving them inoperable for several days; and the incident facing US rail operator CSX that resulted in a data security incident in which the ransomware gang posted internal company files to a leak site.” 

The reality is that rail owners and operators must be ready to defend their networks and assets from cyberattack – everything from the IT systems and applications in use in the back office to wayside infrastructure, and the OT onboard locomotives, Lospinoso pointed out. “Transportation is a segment of US critical infrastructure – a cyberattack that could result in degradation or destruction of the rail operations could have a negative impact on national economic security, and national public health or safety. The time for rail to double down on cybersecurity is now,” he adds.

“Overall freight railroad carriers appear to be quite prepared and capable of implementing the latest requirements outlined in the new TSA Security Directive (SD),” Amir Levintal, CEO and co-founder at Cylus, told Industrial Cyber. “Cylus is directly aware of many of the railroad carriers that are actively exploring or evaluating potential ways of implementing provisions to address these SD requirements. Further, the TSA says it worked closely with rail operators in developing these new SDs, so many anticipated these requirements and have been preparing for some time.”

Amir Levintal, CEO of Cylus

Levintal said that one of the biggest challenges or concerns rail operators have as they deploy security solutions is how to do so without interfering with the safety standards and requirements currently in use. “Fortunately, rail-specific cybersecurity solutions, like our CylusOne security platform, help address these SD requirements and are non-intrusive and easy to deploy in the train control environments,” he adds.

The latest TSA security directive pushes carriers toward security measures that are more automated and less dependent on human intervention. Greater automation also heightens cyber risk, since the consequences of a cyber event on automated rail systems can be damaging and even deadly.

Asked whether freight railroad carriers (owners/operators) will be able to balance these heightened risks, or whether more cybersecurity concerns will arise as they implement the requirements of the security directive, Levintal said that, having worked together on the development of the new TSA SDs, both the TSA and rail operators agree that more security automation is a step in the right direction as far as cybersecurity requirements go in the railroad industry. "Additionally, there seems to be agreement that the outcomes-based approach used in the new SDs is a positive development in lieu of prescriptive security measures," he adds.

“However, as we have learned, there are always new cybersecurity concerns arising due to the dynamic nature of cybersecurity and the increasing pace and sophistication of attacks from adversaries,” Levintal said. “Thus, I expect there will be a need to continuously revisit security requirements in order to keep our railroad infrastructure secure,” he adds.

Looking into how capable freight railroad carriers can reduce the risk of exploitation of unpatched systems ‘using a risk-based methodology,’ Lospinoso said that patching software is critical in keeping all rail systems resilient against malicious actors. “But while most IT system defenders have the IT patching process down to a science, patching OT systems is a more complex challenge for rail owners/operators, given the potential impacts on rail operations uptime,” he adds. 

"In addition, the rail cybersecurity directive mandates that if the owner/operator cannot apply patches and updates on specific operational technology systems without causing severe degradation of operational capability to meet necessary capacity, the patch management strategy must include a description and timeline of additional mitigations that address the risk created by not installing the patch or update," Lospinoso points out.

Lospinoso recommends, at a minimum, that rail owners/operators develop a strategy and implement solutions that can safeguard onboard systems while keeping operations running safely and smoothly. “They should also implement solutions that can mitigate risks effectively, whether or not software patches can or will ever get deployed on affected OT systems. And continuously educating staff responsible for securing critical systems and developing a culture of cybersecurity beyond IT to include OT can add tremendous value to an owner/operator’s security strategies,” he adds.

“The railroad owners/operators that Cylus is working with are already doing this to one extent or another,” Levintal said. “Perhaps the biggest ‘unknown’ right now is what standard risk methodology rail carriers and the TSA will agree upon for categorizing and determining the criticality of patches and updates.” 

Another important question is what mitigations will be deemed acceptable for vulnerabilities that cannot be safely patched or updated, Levintal adds.
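As an added illustration, not part of the original article and not the TSA form or any vendor's tooling, the Python below sketches what a risk-based patch methodology of the kind the directive calls for might look like in practice. It triages advisories against an asset inventory, scores each pairing by severity, asset criticality and network exposure, assigns a remediation deadline, and, for OT assets that cannot be patched without operational degradation, records compensating mitigations with a timeline instead of a patch action. The weights, thresholds, asset names, software names and advisory labels are all constructed assumptions for the example; a carrier's real methodology would define its own.

```python
"""Risk-based patch triage for IT/OT assets (illustrative example, not the TSA form)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed weights and thresholds: a carrier's methodology would set its own values.
CRITICALITY = {"critical_cyber_system": 4.0, "connected": 2.0, "enterprise": 1.0}
EXPOSURE = {"internet": 2.0, "segmented": 1.0, "isolated": 0.5}
# (minimum risk score, days allowed to remediate or to have mitigations in place)
SLA_DAYS = [(8.0, 7), (4.0, 30), (0.0, 90)]


@dataclass
class Asset:
    name: str
    tier: str                 # key into CRITICALITY
    exposure: str             # key into EXPOSURE
    patchable_in_window: bool  # False when patching would degrade operations
    software: str


@dataclass
class Advisory:
    label: str        # constructed label, not a real vulnerability identifier
    software: str
    cvss: float
    exploited: bool   # known exploitation raises priority


@dataclass
class PlanEntry:
    asset: str
    advisory: str
    risk: float
    due: date
    action: str                         # "patch" or "mitigate"
    mitigations: list = field(default_factory=list)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Severity scaled by how critical and how exposed the asset is."""
    score = adv.cvss / 10.0 * CRITICALITY[asset.tier] * EXPOSURE[asset.exposure]
    if adv.exploited:
        score *= 1.5
    return round(min(score, 10.0), 2)


def sla_days(score: float) -> int:
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def compensating_controls(asset: Asset) -> list:
    """Mitigations the plan must describe when the patch cannot be applied."""
    controls = [
        "restrict access to the affected service to the maintenance network only",
        "enable targeted monitoring and alerting for the vulnerable component",
    ]
    if asset.exposure == "internet":
        controls.insert(0, "remove direct internet exposure via firewall/segmentation")
    return controls


def plan_patches(assets, advisories, today: date) -> list:
    """Return plan entries ordered by descending risk, then earliest deadline."""
    entries = []
    for asset in assets:
        for adv in advisories:
            if adv.software != asset.software:
                continue
            score = risk_score(asset, adv)
            due = today + timedelta(days=sla_days(score))
            if asset.patchable_in_window:
                entries.append(PlanEntry(asset.name, adv.label, score, due, "patch"))
            else:
                entries.append(PlanEntry(asset.name, adv.label, score, due,
                                         "mitigate", compensating_controls(asset)))
    entries.sort(key=lambda e: (-e.risk, e.due))
    return entries


def build_sample_plan() -> list:
    """Constructed inventory and advisories; dates fixed so output is repeatable."""
    assets = [
        Asset("loco-ctrl-01", "critical_cyber_system", "segmented", False, "ctrl-fw"),
        Asset("hmi-02", "connected", "internet", True, "hmi-app"),
        Asset("erp-01", "enterprise", "segmented", True, "erp"),
    ]
    advisories = [
        Advisory("ADV-0001", "ctrl-fw", 9.8, False),
        Advisory("ADV-0002", "hmi-app", 7.5, True),
        Advisory("ADV-0003", "erp", 5.0, False),
    ]
    return plan_patches(assets, advisories, date(2023, 1, 15))


if __name__ == "__main__":
    for e in build_sample_plan():
        print(f"{e.asset:14} {e.advisory} risk={e.risk:<5} due={e.due} {e.action}")
        for m in e.mitigations:
            print(f"    - {m}")
```

Note that the internet-exposed, actively exploited HMI outranks the far higher-CVSS controller vulnerability because the controller sits on a segmented network; the controller still gets an entry, but with compensating controls and a deadline for them rather than a patch, which is the record the directive asks for when patching would degrade operations.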

Owners and operators must also establish a cybersecurity assessment program and submit an annual plan to TSA describing how the owner/operator will proactively and regularly evaluate critical cyber systems to assess the effectiveness of their cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities.

Within two months of the agency’s approval of the freight railroad owners/operators’ cybersecurity implementation plan, they must submit the annual plan for their cybersecurity assessment program. 

Assessing the issues railroad carriers could face as they implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations, Lospinoso highlights an important clarification to this requirement: owners/operators must continuously collect and analyze data for potential intrusions and anomalous behavior on critical cyber systems and on the other IT and OT systems that directly connect with them.

“Critical cyber systems include those responsible for safe, reliable operations, such as digitally-controlled braking and throttling systems,” Lospinoso said. “This data must also be maintained for sufficient periods to enable cybersecurity incident investigation. Data collected from onboard OT systems can also provide invaluable information about operational conditions that could affect the availability and safety of an operator’s assets.” 

However, traditional, trusted IT security solutions cannot monitor traffic coming from onboard OT components, according to Lospinoso. “That means rail owners/operators face a blind spot in monitoring and detecting OT-level traffic to determine the resilience of their onboard systems. Detection and monitoring are cornerstones of a modern cybersecurity strategy. As such, I recommend owners/operators ensure they have visibility into all parts of their locomotives and rail networks and actively monitor and log activity for real-time alerting and future threat response and investigation,” he adds.

Levintal said that the railroad industry, like all other critical infrastructure industries, is working diligently to evolve from a culture of physical safety to one based on both safety and security. “Implementing continuous monitoring and threat detection policies will not be difficult for most rail operators – especially for those that select solutions specifically designed to secure train control network environments.”

“Rather, the challenge is ensuring alignment both internally and externally when it comes to threat response, having clear rail specific threat response playbooks that guide both security and operations teams, and continually evaluating and exercising teams on existing incident response plans,” Levintal concludes.
