TSA Takes Steps to Protect Rail Cybersecurity

Empowered

December 14, 2022

As cyberattack threats rise around the globe, malicious actors are increasingly setting their sights on exploiting critical infrastructure. The Transportation Security Administration (TSA), tasked with safeguarding land-based transportation modes such as pipelines, mass transit, and freight rail, is the latest US agency to develop mandatory cybersecurity regulations.

The current geopolitical climate underscores the grave risks a cyberattack on critical infrastructure can pose to a nation’s economy or, more importantly, to health and human safety. Against this backdrop, the US government continues to ramp up its efforts to combat the threat. The Biden administration has kicked off numerous 100-day sprints focused on susceptible industry sectors. And in a notable shift from previous practice, mandatory cybersecurity regulations are also emerging as key components of the federal government's cybersecurity strategy.

Rail Security Directive

On October 18, 2022, the TSA issued Security Directive 1580/82-2022-01, its long-awaited cybersecurity rules for railroads. The rail security directive applies to freight railroad carriers and other TSA-designated freight and passenger railroads, and reflects the TSA's continued expansion of its mandatory cybersecurity regulations across surface transportation modes.

The rail security directive is based on the same cybersecurity compliance framework that the TSA quickly developed for the pipeline sector following a May 2021 ransomware attack on a major pipeline operator.

The rail security directive requires owners and operators to take the following actions to protect their most operationally sensitive infrastructure against cyberattacks:

  • Identify key systems that, if compromised or exploited, could result in operational disruption
  • Develop network segmentation policies and controls to ensure that operational technology (OT) systems can continue to safely operate in the event that information technology (IT) systems are compromised, and vice versa
  • Create access control measures to secure and prevent unauthorized access to key systems
  • Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats
  • Implement a risk-based security patch management strategy

Implementation

Many of the measures in the rail security directive are identical to those in Security Directive Pipeline-2021-02C, which applies to designated owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities. The agency has revised the pipeline security directive several times in refining its own compliance approach and responding to significant industry pushback. These changes are also apparent in the rail security directive.

In particular, the rail security directive reflects the TSA's transition away from the prescriptive framework that beleaguered earlier iterations of the pipeline security directive, and toward a more flexible, performance-based approach that relies on the regulated entity presenting its compliance plan to the agency for approval. Such compliance plans, known as cybersecurity implementation plans, are a core pillar of the rail security directive. They place the onus on owners and operators to explain to the TSA how they achieve—or will achieve in the future—the rail security directive's mandatory security outcomes.

Lessons from Pipeline Industry

The similarities between the TSA's pipeline security directive and its rail security directive mean that railroad owners and operators can benefit from the pipeline industry's experience grappling with fundamental interpretation issues. Chief among these issues is determining the scope of the rail security directive.

Earlier iterations of the TSA's pipeline security directive staggered compliance deadlines differently for IT and OT systems. The agency largely abandoned that approach for the rail security directive, and instead made its controls applicable to what the directive calls critical cyber systems: any IT or OT system that, if compromised or exploited, could create an operational disruption.

Owners and operators will need to carefully evaluate what constitutes an operational disruption, as defined in the rail security directive and in the context of their own operations, to ensure they will be in compliance when the directive's mandatory controls are rolled out. Failure to do so could have significant cost impacts if an owner or operator needs to invest in additional security tools or extend its implementation workplans. Additionally, owners and operators will need to consider critical data and the business services supporting critical functions as they design their cybersecurity implementation plans.

Decision Points

The rail security directive also presents owners and operators with key decision points on the implementation of various security tools and strategies. For example, the directive makes specific reference to the deployment of multifactor authentication (MFA). MFA is a security approach that requires users to authenticate themselves using two or more independent authentication factors, e.g., a physical badge, personal identification number, and biometric scan.

The federal government has been a proponent of MFA—President Joseph Biden even mandated MFA adoption for federal government systems in Executive Order No. 14028—but some critical infrastructure owners have been wary of introducing added complexity to OT environments that have traditionally been secured through other means.

The rail security directive provides owners and operators with the flexibility to either deploy MFA to critical cyber systems, if not already in place, or propose other controls commensurate with MFA. Thus, owners and operators who are not already compliant with the MFA requirement will need to balance the security benefits of adopting MFA against the costs and potential operational effects of doing so in sensitive OT environments.

Owners and operators will need to carefully evaluate these decision points, and others like them, in preparing their cybersecurity implementation plans. And beyond implementation, owners and operators should plan how they will keep compliance records. Although the particulars around regulatory assessment and enforcement are unclear, we expect that the TSA will eventually begin comprehensive auditing of owner and operator compliance with the rail security directive. Keeping the audit trail in mind at an early stage can better prepare owners and operators to align their evidence with their cybersecurity implementation plans.

Next Steps

Rail owners and operators' cybersecurity implementation plans are due to the TSA by February 21, 2023, i.e., 120 days after the effective date of the rail security directive. Owners and operators that are unable to comply with all of the directive's mandatory measures by then will have the opportunity to propose compliance timelines in their cybersecurity implementation plans.

When its cybersecurity implementation plan is approved by the TSA, the owner or operator will have 60 days to submit a plan to assess and audit its effectiveness in implementing the rail security directive's measures.

Separately, owners and operators should remain engaged with the TSA's administrative process. The rail security directive is time limited because it was issued pursuant to the TSA’s emergency authority. However, on November 30, 2022, the TSA issued an advance notice of proposed rulemaking (ANPRM) that seeks public comment on more comprehensive, formal cybersecurity regulations for both the pipeline and rail industries. Comments on the ANPRM are due by January 17, 2023.