New TSA security directive for railroad carriers focuses on performance-based measures

October 28, 2022

The U.S. Transportation Security Administration (TSA) issued Tuesday a cybersecurity security directive regulating designated passenger and freight railroad carriers to enhance cybersecurity resilience by focusing on performance-based measures. The security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations and build on the agency’s work to strengthen defenses in other transportation modes.

Effective on Oct. 24 for one year, the seven-page security directive titled “Enhancing Rail Cybersecurity – SD 1580/82-2022-01” lays down cybersecurity requirements for passenger and freight railroad carriers. These guidelines have been developed following extensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA).

The security directive calls upon freight railroad carriers (owners/operators) and other TSA-designated freight railroads to designate a cybersecurity coordinator who is required to be available to TSA and the CISA at all times. The coordinator will coordinate the implementation of cybersecurity practices and management of security incidents and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters.

Additionally, freight railroad carriers must report cybersecurity incidents to CISA and develop a cybersecurity incident response plan to reduce the risk of operational disruption should their Information and/or OT (operational technology) systems be affected by a cybersecurity incident.

Railroad carriers must also conduct a cybersecurity vulnerability assessment using the form provided by TSA and submit the form to TSA. The vulnerability assessment will include an assessment of current practices and activities to address cyber risks to IT and OT systems, identify gaps in current cybersecurity measures, and identify remediation measures and a plan for the owners/operators to implement the remediation measures to address any identified vulnerabilities and gaps.

Through the security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment. The transport agency also intends to begin a rulemaking process, establishing regulatory requirements for the rail sector following a public comment period.

The security directive aims to reduce the risk of cybersecurity threats to critical railroad operations and facilities by implementing layered cybersecurity measures that provide defense-in-depth. Recent and evolving intelligence emphasizes the growing sophistication of nefarious persons, organizations, and governments; highlights vulnerabilities; and intensifies the urgency of implementing the requirements of the security directive.

In addition to the security directive, the TSA released a 14-page document covering rail cybersecurity mitigation actions and testing. The security directive requires owners/operators to submit a cybersecurity implementation plan for TSA approval. Once approved by TSA, the plan will set the security measures and requirements against which TSA will inspect for compliance.

Furthermore, owners/operators must provide additional documentation and access to TSA as necessary to establish compliance. In developing their cybersecurity implementation plan, owners/operators may use previous risk or vulnerability assessments to identify critical cyber systems and prioritize cybersecurity measures associated with the security directive.

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” David Pekoske, TSA administrator, said in a media statement. “We are encouraged by the significant collaboration between TSA, FRA, CISA, and the railroad industry in the development of this security directive.

In addition to the security directives, passenger and freight railroad carriers also have access to the Surface Transportation Cybersecurity Resource toolkit, a collection of documents designed to provide cyber risk management information to surface transportation operators who have fewer than 1,000 employees.

The materials are drawn from three primary sources, including the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cybersecurity, Stop.Think.Connect, a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online, and the U.S. Computer Emergency Readiness Team, which is responsible for improving the nation’s cybersecurity posture, coordinating cyber information sharing and managing cyber risks. 

Commenting on the new cybersecurity requirements for passenger and freight railroad carriers, Chris Warner, senior OT cybersecurity consultant at GuidePoint Security, wrote in an emailed statement that “it’s known that the railway industry resources are limited when it comes to cybersecurity. Not only in financial budgets, but knowledgeable employees that can implement more mature cybersecurity regulations and modern approaches, like Zero Trust.”

“The requirement of network segmentation policies and controls will be quite a lift for railway operators, as many will have to re-design much of their control systems,” Warner added. “While this is certainly a step in the right direction for transportation, we will see some bumps in the road as the railway industry will have to modernize away from legacy systems and add in new access controls.”

In July, the TSA revised and re-issued its Security Directive concerning cybersecurity to oil and natural gas pipeline owners and operators. The directive also extends cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes. The revised directive will continue the effort to build cybersecurity resiliency for the nation’s critical pipelines.

Source: “New TSA security directive for railroad carriers focuses on performance-based measures” by Anna Ribeiro