TSA seeks feedback on improving surface cyber risk management across transportation systems

The U.S. Department of Homeland Security (DHS), through its Transportation Security Administration (TSA), is seeking input on ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors. The agency wants input on improving surface cyber risk management across transportation systems from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters of cybersecurity risk for these transportation sectors.

On Wednesday, the agency published in the Federal Register an advance notice of proposed rulemaking (ANPRM) that offers an opportunity for interested individuals and organizations, particularly owner/operators of higher-risk pipeline and rail operations, to help TSA develop a comprehensive and forward-looking approach to cybersecurity requirements. 

The notice said that although the TSA will review and consider all comments submitted, “we are specifically interested in responses to the questions posed in this ANPRM. Input received in response to this ANPRM will assist TSA in better understanding how the pipeline and rail sectors implement cyber risk management (CRM) in their operations and will support us in achieving objectives related to the enhancement of pipeline and rail cybersecurity.”

Interested stakeholders must submit comments to the TSA by Jan. 17, 2023.

Apart from input on cyber risk management and general operational issues, TSA is interested in understanding cost implications. Such input on costs is critical for understanding the potential impacts of regulation, and specifically to inform proper accounting of associated costs and benefits.

The TSA is issuing this ANPRM to solicit input so that its rulemaking effort adequately addresses assessing and improving the current baseline of operational resilience and incident response, maximizing the ability of owner/operators to self-adapt to evolving threats and technologies, and identifying opportunities for third-party experts to support compliance. The effort also looks at accounting for the differentiated cybersecurity maturity across the surface sector and regulated owner/operators, incentivizing cybersecurity adoption and compliance, bringing about measurable outcomes, and achieving regulatory harmonization.

The notice outlined that hackers have demonstrated their willingness to engage in cyber intrusions and conduct cyber-attacks against critical infrastructure by exploiting the vulnerability of OT (operational technology) and IT systems. Pipeline and rail systems, and associated facilities, are vulnerable to cyber-attacks because of legacy ICS (industrial control systems) that lack updated security controls and because of the dispersed nature of pipeline and rail networks spanning urban and outlying areas.

As pipeline and rail owners/operators begin integrating IT and OT systems into their ICS environment to further improve safety, enable efficiencies, and/or increase automation, the ICS environment increasingly becomes more vulnerable to new and evolving cyber threats. A successful cyber-intrusion could affect the safe operation and reliability of OT systems, including SCADA (supervisory control and data acquisition) systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems.

From a design perspective, some pipeline and rail assets are more attractive targets for cyber-attack because of the commodity they transport and the impact an attack would have on national security and commerce, the notice said. “Minor pipeline and rail system disruptions may result in commodity price increases, while prolonged pipeline and rail disruptions could lead to widespread energy shortages and disruption of critical supply lines. Short- and long-term disruptions and delays may affect other domestic critical infrastructure and industries that depend on pipeline and rail system commodities, such as our national defense system,” it added.

Focus on cybersecurity requirements for the nation’s transportation systems began last May, when the DarkSide ransomware group compromised Colonial Pipeline’s networks, leading the company to take certain systems offline to contain the threat. Beyond this incident, other ransomware attacks have demonstrated the necessity of ensuring that critical infrastructure owners/operators proactively deploy cyber risk management measures.

Evidently, there is a growing need for urgent action to mitigate the threats facing domestic critical infrastructure, which carry important implications for national and economic security; this includes enhancing the pipeline and rail industry’s current cybersecurity risk management posture. The need is further highlighted by recent warnings about Russian, Chinese, and Iranian state-sponsored cyber espionage campaigns aimed at developing capabilities to disrupt U.S. critical infrastructure, including the transportation sector.

The TSA issued security directives in 2021 and 2022 in response to the cybersecurity threat to surface transportation systems and associated infrastructure to protect against the significant harm to the national and economic security of the U.S. that could result from the ‘degradation, destruction, or malfunction of systems that control this infrastructure.’ 

Following the Colonial Pipeline ransomware attack that hit last May, the TSA issued two security directives in May and July, designed to strengthen the security of the country’s pipelines. By December, the TSA rolled out two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

In July this year, the TSA revised and re-issued its security directive concerning cybersecurity to oil and natural gas pipeline owners and operators. The directive also extends cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes.

In March this year, the Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and employees of a State Research Center of the Russian Federation (FGUP) Central Scientific Research Institute of Chemistry and Mechanics (also known as TsNIIKhM) for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies. Court documents revealed that the FSB conducted a multi-stage campaign in which it gained remote access to U.S. and international energy sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.

The TSA ANPRM notice said that certain sectors have taken significant steps to protect either their IT or OT systems, depending on which is considered most critical for their business needs. Ransomware attacks targeting critical infrastructure threaten both IT and OT systems and exploit the connections between these systems. “Given the importance of critical infrastructure to national and economic security and America’s way of life, accessible OT systems and their connected assets and control structures are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives,” the notice added. 

As the Cybersecurity and Infrastructure Security Agency (CISA) has noted, recent cybersecurity incidents demonstrate that intrusions affecting IT systems can also affect critical operational processes even if the intrusion does not directly impact an OT system. For example, business operations on the IT system are sometimes used to orchestrate OT system operations. As a result, when the IT system is compromised, otherwise unaffected OT systems are at risk from the loss of operational directives and accounting functions.

Additionally, the DHS, the Department of Energy (DOE), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have urged the private sector to implement a layered, ‘defense-in-depth’ cybersecurity posture, the TSA ANPRM notice said. “For example, ensuring that OT and IT systems are separate and segregated will help protect against intrusions that can exploit vulnerabilities from one system to infect another. A stand-alone, unconnected (air-gapped) OT system is safer from outside threats than an OT system connected to one or more enterprise IT systems with external connectivity (no matter how secure the outside connections are thought to be),” it added.

By implementing a layered approach, owners/operators and their network administrators will enhance the defensive cybersecurity posture of their OT and IT systems, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.
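The IT/OT segregation point above can be checked mechanically: given the zone-to-zone "allow" rules of a network, look for any OT zone that is reachable from an externally connected zone, directly or transitively through enterprise IT. The following is an added illustration, not code from the TSA notice or any vendor; the zone names and rule set are constructed, and the "hardened" variant models replacing an inbound IT-to-historian rule with a one-way outbound flow.

```python
"""Flag OT zones that external traffic can reach through IT (constructed example)."""
from collections import deque

# Constructed zone-level allow rules (src -> dst). Not a real network.
ALLOW_RULES = [
    ("internet", "dmz"),
    ("dmz", "corp_it"),
    ("corp_it", "historian"),   # enterprise IT pulls data from the OT historian
    ("historian", "scada"),     # historian sits on the control network
    ("scada", "plc"),
    ("engineering", "plc"),
]
# Hardened variant: the historian pushes data outbound to IT instead
# (one-way flow, as with a data diode); nothing in IT may initiate into OT.
HARDENED_RULES = [r for r in ALLOW_RULES if r != ("corp_it", "historian")]
HARDENED_RULES.append(("historian", "corp_it"))

OT_ZONES = {"historian", "scada", "plc", "engineering"}
EXTERNAL_ZONES = {"internet"}


def build_graph(rules):
    """Adjacency sets keyed by zone; every zone appears even with no outbound rule."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def exposure_paths(rules, external, ot):
    """Return {ot_zone: [zone, ...]} for each OT zone reachable from an external zone."""
    graph = build_graph(rules)
    found = {}
    for start in sorted(external):
        parent = {start: None}          # BFS tree, used to rebuild the path
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in graph.get(node, ()):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for zone in sorted(ot):
            if zone in parent and zone not in found:
                path, cur = [], zone
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                found[zone] = path[::-1]
    return found


def is_segregated(rules, external, ot):
    """True when no OT zone is reachable from any external zone."""
    return not exposure_paths(rules, external, ot)
```

Running `exposure_paths(ALLOW_RULES, EXTERNAL_ZONES, OT_ZONES)` reports the historian, SCADA and PLC zones with the IT path that exposes them, while the hardened rule set reports none.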

The TSA’s assessment of cybersecurity risks takes into account threat information, emerging intelligence, the need to mitigate the consequences of a cyber-attack, and the inherent vulnerability of transportation systems and operations to cybersecurity incidents.

The cybersecurity risks to the transportation sector encompass vulnerabilities related to the secure and safe operation of vital systems and the consequences of a direct attack or ancillary failure or shutdown of a system due to an inability to isolate and control the impact of a cyber-attack. Existing cyber risk management standards address the identification, assessment, and mitigation of risk from a variety of sources. Strong cyber risk management generally enhances both security and safety, while facilitating operations, protecting the sector’s entities, and delivering resiliency to these critical sectors.

“AGA welcomes TSA’s focus on the formal pipeline cybersecurity rulemaking process,” Kimberly Denbow, vice president for security and operations at the American Gas Association, said in an emailed statement. “In May 2021, AGA’s Board of Directors called for reasonable cybersecurity regulation. TSA’s pursuit of a risk-based approach to regulation will enable companies to adapt security strategies accordingly to the constantly changing cybersecurity landscape.” 

Denbow added that the recently reissued pipeline security directives demonstrated a commitment by TSA to not just collect data, but to incorporate real-time industry input, a critical element as companies are ultimately the responsible party. “The natural gas industry will respond to the ANPRM with a focus on cybersecurity risk management policy priorities and core elements.”

Commenting on the TSA notice, Roie Onn, co-founder and CEO of rail cybersecurity company Cervello, said that while cyber threats have always been a hovering reality when considering the security of critical infrastructure, the sophistication of cyber events against the oil and gas, energy, and rail sectors since the pandemic has catalyzed the sudden federal push to harden cybersecurity practices in these industries.

“President Biden recently expressed his concern with the looming risk of a rail strike due to the significant impact it can have on the economy and the country’s supply chain,” Onn wrote in an emailed statement. “The same is true about a cyberattack against rail. We’re seeing the US take pivotal steps to improve the cybersecurity posture of railroads; however, it remains crucial that the government turn to organizations, experts, and industry leaders that deeply understand each respective industry, and whose solutions take into consideration the specific sensitivities, complexities, and interests of these industries. It is essential that a key industry such as rail maintains the highest levels of security, resilience, and reliability.”
