TSA Issues New Cybersecurity Requirements for Rail SectorIncludes 24-Hour Window to Report Incidents, Appointment of a Cyber Coordinator
The U.S. Transportation Security Administration on Thursday issued two new security directives for higher-risk freight railroads, passenger rail, and rail transit that it says will strengthen cybersecurity across the transportation sector in response to growing threats to critical infrastructure.
The directives require eligible railway owners and operators to:
- Designate a cybersecurity coordinator;
- Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours;
- Develop and implement a cybersecurity incident response plan within 180 days;
- Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities.
"These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats," says Alejandro Mayorkas, secretary of the Department of Homeland Security, which houses TSA. "DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide."
'A Regulatory Nudge'
Agency officials say the directives were developed "based on a determination that [they] need to be issued immediately to protect transportation security."
DHS also says that in developing its strategy, it has sought input from industry stakeholders and federal partners, including CISA, which it said provided expert guidance on threats and countermeasures.
TSA also released guidance recommending that lower-risk surface transportation owners and operators voluntarily implement the same measures.
"We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario," says John Dickson, vice president of the cloud security firm Coalfire, which provides services to DHS and other federal agencies. He says that without "a regulatory nudge," the rail industry, particularly the freight portion, is not likely to improve its cybersecurity hygiene on its own.
Other experts say TSA could get overwhelmed in reporting what they call noise.
"At a high level, the directives seem completely reasonable, but as always, the devil is in the details," says Jake Williams, a former member of the NSA's elite hacking team. "Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing."
Williams, who is the co-founder and CTO of the security firm BreachQuest, says, "It is likely that TSA will miss significant reports buried in the noise. It is [also] likely the onerous reporting requirements will actually reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security."
TSA says it recently updated its aviation security programs to require airport and airline operators to designate a cybersecurity coordinator and report incidents to CISA within 24 hours. It intends to expand these requirements and issue additional guidance for smaller operators.
But private organizations and industry trade groups have expressed concern about the directives, including the level of consultation with industry and related requirements.
For instance, in October, Paul Skoutelas, president and CEO of the American Transportation Association, or APTA, which represents all modes of public transportation, wrote in a letter to lawmakers, saying that a 24-hour reporting requirement would "negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical."
The new railway directives now apply to the Metropolitan Transportation Authority, or MTA, which is responsible for public transportation in New York City. Earlier this year, a hacking group linked to China gained entry into MTA's network but was unable to access systems controlling subway trains.
In a statement shared with ISMG, MTA CTO Rafail Portnoy says, "The MTA has multilayered cybersecurity systems, is constantly vigilant against this global threat, and will ensure compliance with any TSA regulations."
These developments come in the wake of the May ransomware attack on Colonial Pipeline Co. at the hands of the Russia-linked DarkSide gang. The incident delayed fuel delivery along the East Coast and spurred panic-buying. (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
Following that incident, TSA issued two security directives for pipeline providers. In May, it required pipelines to report confirmed and potential cybersecurity incidents to CISA within 12 hours, a move officials said relates to the criticality of pipeline operations. It also required them to designate a cybersecurity coordinator, review current practices and identify gaps and remediation measures to address risks (see: DHS Unveils New Cybersecurity Requirements for Pipelines).
In July, TSA's follow-up required pipelines to implement certain mitigation controls, develop a recovery plan and conduct an architecture design review (see: TSA Issues Cybersecurity Requirements for Pipelines).
GOP lawmakers have been critical of TSA's directives. Sen. Rob Portman, R-Ohio, and other Republican colleagues have asked DHS' Office of the Inspector General to investigate the development of the pipeline requirements, calling them "too inflexible."
Testifying before the House Committee on Transportation and Infrastructure on Thursday, TSA Deputy Assistant Administrator Victoria Newhouse said the private sector has "communicated dutifully" on related challenges with the directives, including the definition of reportable incidents for pipelines. She said TSA has "taken steps and a great deal of feedback" to modify that definition - which will soon also apply to rail and aviation operators (see: Cyber Officials Outline Critical Infrastructure Protections).
Pipeline Standards Body Proposed
Rep. Bobby L. Rush, D-Ill., is pushing for the creation of an organization run through the Federal Energy Regulatory Commission, or FERC, that would develop pipeline cybersecurity and reliability standards, according to new legislation introduced this week.
If passed, the bill would create an Energy Product Reliability Organization, or EPRO, comprised largely of private industry, though it would be run through FERC, which regulates interstate energy transmission.
Rush's Energy Product Reliability Act calls for an EPRO to establish and enforce cybersecurity and physical security standards. It would also have the authority to penalize noncompliant entities and would consult with the Department of Energy and TSA, according to the bill.
"It's long past time that we had enforceable reliability standards for energy pipelines, just as we do for the electric grid," Rush said in a statement shared with ISMG. "[This act] is a necessary and prudent response to the … cybersecurity disasters that have highlighted the dire need for standards for our fuel system."
Some security experts believe a new organization could add more bureaucracy to the federal cybersecurity system.
"In most cases, there is already an organization in existence that has the mandate to do that task," says Adam Flatley, a member of the U.S. Ransomware Task Force and a former technical lead for the National Security Agency.
Flatley, who is currently the director of threat intelligence for the security firm [redacted], says, "Creating new organizations can often just add more bureaucracy, turf wars and unnecessary complexity."
Nevertheless, the new organization could be an important step to ensuring incidents such as the Colonial Pipeline attack do not happen again, says Frank Downs, a former offensive analyst for the NSA and currently the director of proactive services for the security firm BlueVoyant. The caveat: It will need appropriate authorities, including oversight of pipelines' private and public partners, he says.