The Transportation Security Administration (TSA) unveiled new cybersecurity regulations for passenger and freight railroad carriers this week, expanding its list of critical infrastructure industries given specific guidelines for how to protect their systems.
The rules take effect on October 24 and will last one year. In the meantime, TSA is beginning a process to “establish regulatory requirements for the rail sector following a public comment period.”
Carriers are now mandated to develop network segmentation policies and controls that separate operational technology systems from other IT systems in case of compromise.
The new directives also order carriers to create access control measures, build out detection policies for cyber threats and implement timely patching or updating processes for operating systems, applications, drivers, and firmware.
Organizations in the industry will need to establish TSA-approved cybersecurity implementation plans that describe “specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive.”
TSA also wants carriers to create cybersecurity assessment programs that allow officials to “proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.”
TSA Administrator David Pekoske said the agency worked closely on the new rules with multiple stakeholders in the railroad industry, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration.
“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” Pekoske said.
Several operational technology experts focused on the network segmentation aspect of the new regulations as something that may be difficult for the rail industry.
GuidePoint Security’s Chris Warner said resources in the railway industry are limited when it comes to cybersecurity, not only in terms of financial budgets but also a shortage of knowledgable employees who can implement mature cybersecurity regulations and modern approaches.
“The requirement of network segmentation policies and controls will be quite a lift for railway operators, as many will have to re-design much of their control systems,” he said.
“While this is certainly a step in the right direction for transportation, we will see some bumps in the road as the railway industry will have to modernize away from legacy systems and add in new access controls.”
Others, like Shift5 CEO Josh Lospinoso, threw cold water on the effort, calling the idea of “air gapping” systems – or separating them from IT systems – a “myth in the era of converged IT/OT [operational technology] within infrastructure.”
“No longer can we consider critical operational technology components like brake controls on locomotives segmented away from IT,” Lospinoso explained. “With such interconnectivity, network segmentation policies should be implemented, but not used as the last-line of defense.”
Cybersecurity professionals have been calling for the other regulatory components of the directive for years, according to Nozomi Networks security research evangelist Roya Gordon.
Gordon noted that as the rail industry continues to become more automated, cyber risks have increased – making the potential consequences of a cyber event “damaging and deadly.”
“The TSA directive isn’t holding the rail industry to some new unattainable and overly complex standard,” Gordon told The Record. “Finally the government is listening. Industry is listening. This is a great win for critical infrastructure security.”
The rail industry has seen its fair share of cyberattacks in recent years. In April 2021, the New York City’s Metropolitan Transportation Authority – one of the largest transportation systems in the world – was hacked by a group based in China.
While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors in the system.
Last year, Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for U.S. railroad operators requiring them to disclose any hacks, create cyberattack recovery programs and name a chief cyber official. Those regulations expire in December and TSA did not respond to requests for comment about whether they will be renewed.
Anne Neuberger, White House deputy national security adviser for cyber and emerging technology, hosted a group of railroad executives in August for a classified briefing about the cyber threats posed by nation states like Russia and China.
Last week, she said cybersecurity regulations for the rail industry would be coming as the Biden administration works to increase the baseline cybersecurity measures around pipelines, airlines, water systems and more.
Former U.S. Defense Department cybersecurity advisor Padraic O’Reilly said that while the gradual rollout of cybersecurity rules to the sectors that are under voluntary guidance has been criticized, he noted that the inclusion of CISA and others in the development process was the right approach.
In June, TSA was forced to change some cybersecurity regulations for the pipeline industry after significant backlash from industry experts who felt the rules were too prescriptive.
O’Reilly, now chief product officer for CyberSaint Security, said the particulars of the latest proposed directive seemed to avoid “the conspicuous mistakes that TSA made with the pipeline” industry and are less prescriptive with respect to operational technology.
“I am also pleased to see the phrase ‘using a risk-based methodology,’ as I am in risk management and this is really the only way to rationally approach patch management across both IT and OT systems,” he said.
“If I had to guess, I would say that many of the passenger carriers have some maturity with respect to the proposed practices, particularly around the creation of ‘access control measures to secure and prevent unauthorized access to critical cyber systems.’”
The most difficult part for rail operators will be around continuous monitoring and detection, O’Reilly explained, adding that even “highly mature” companies struggle with this.
Doing it properly with an operations and command infrastructure can be capital intensive, he said.
“Broadly speaking, none of the requirements are unreasonable for a critical infrastructure concern to implement. The Association of American Railroads (AAR) has indicated that the directive effectively codifies the voluntary guidance that they have been providing for years. I will be very interested to see how this advances to rulemaking through the comments process,” he said.