TSA renews cybersecurity requirements to reduce threats posed to railroad operations, facilities

The U.S. Transportation Security Administration (TSA) announced Monday updates to three security directives (SD) regulating passenger and freight railroad carriers. The move comes in a continued effort to enhance the cybersecurity of surface transportation systems and associated infrastructure, as asset owners and operators seek to reduce the risk cybersecurity threats pose to critical railroad operations and facilities. These updated directives, which were due to expire on Oct. 24, have been extended for another year and now contain modifications aimed at bolstering the sector’s cyberattack defenses.

Developed with comprehensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), the three SDs further enhance cybersecurity preparedness and resilience for the nation’s critical railroad operations. They require TSA-specified passenger and freight railroad carriers to take action to prevent disruption and degradation to their infrastructure with a flexible, performance-based approach, consistent with TSA’s requirements for pipeline operators.

The goal of the SD is to reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through the implementation of layered cybersecurity measures that provide defense-in-depth. Recent and evolving intelligence emphasizes the growing sophistication of nefarious persons, organizations, and governments, highlights vulnerabilities, and intensifies the urgency of implementing the requirements of the latest SD.

The substantive revisions in the SD maintain TSA’s performance-based cybersecurity requirements, which were first issued in October 2022. The latest SD includes a new section clarifying that if an owner/operator has delegated or shared responsibility to a managed security service provider (MSSP), wholly or in part, for security measures in the owner/operator’s CIP, the owner/operator retains sole responsibility under this security directive for ensuring compliance with the TSA-approved cybersecurity implementation plan and the SD.

Another section included new language to inform owner/operators that TSA will notify them if the agency disagrees with the owner/operator’s determination and may require the owner/operator to provide additional information regarding the methodologies or rationale used to identify critical cyber systems. If applicable, the owners/operators need to notify TSA within 60 days of the change in operations to determine the schedule for complying with the requirements of this SD. 

The revised SDs, Enhancing Rail Cybersecurity, and the revised SD series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, include a requirement for covered owners and operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan every year. They also require these exercises to include employees who have been identified by their positions as active participants.

The revised SD series, Rail Cybersecurity Mitigation Actions and Testing, mandates that railroad owners and operators annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval. They must also report the results from the previous year using a schedule for assessing and auditing specific cybersecurity measures for effectiveness, ensuring that all cybersecurity measures are assessed within a three-year period.

“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” David Pekoske, TSA administrator, said in a media statement. “TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm.”

The latest SD maintains the same performance-based cybersecurity measures initially issued by TSA in October 2022. These necessary actions remain crucial for safeguarding the national security, economy, and public health and safety of the U.S. and its citizens from the impacts of malicious cyber-intrusions targeting the nation’s railroads. 

Even minor disruptions in critical rail systems have the potential to cause temporary product shortages, posing significant risks to national security. Prolonged interruptions in commodity flow could trigger widespread supply chain disruptions, creating ripple effects across the economy and affecting industries reliant on the commodities transported by the nation’s railroads.

To protect against the ongoing threat to national and economic security, the latest SD mandates that these railroad owners/operators implement the following cybersecurity measures to prevent disruptions to their infrastructure and/or operations. 

Specifically, owners/operators must establish and implement a TSA-approved cybersecurity implementation plan that describes the specific measures employed and the schedule for implementing network segmentation policies and controls to ensure that the OT (operational technology) system can continue to safely operate in the event that an IT system has been compromised. 

They must implement access control measures to secure and prevent unauthorized access to critical cyber systems; bring in continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology. 

The SD also prescribed that owners and operators must develop a cybersecurity assessment plan and submit an annual update, for approval, that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures, and identify and resolve device, network, and/or system vulnerabilities. They must also submit an annual report that provides cybersecurity assessment plan results from the previous year. 

TSA identified that the revision retains the transition to a more flexible, performance-based approach requiring all owners/operators to submit a cybersecurity implementation plan for TSA approval. All currently-identified railroad owners/operators have submitted a cybersecurity implementation plan and are awaiting TSA approval or have a TSA-approved cybersecurity implementation plan in place. The outline sets the security measures and requirements against which TSA inspects for compliance.

In June, David P. Pekoske, a representative of the TSA, testified before the House Homeland Security Subcommittee on Transportation and Maritime Security that the agency is working on a rulemaking to permanently codify crucial cybersecurity requirements for pipeline and rail transportation. The testimony came in a hearing on the U.S. administration’s TSA Fiscal Year 2024 Budget request.
