On December 2, 2021, the U.S. Transportation Security Administration (TSA), an agency of the Department of Homeland Security (DHS), issued two new directives to strengthen cybersecurity in passenger and freight rail transit. These new regulations come less than a month after the U.S. Homeland Security Secretary, Alejandro Mayorkas, announced that the DHS was formulating new rail cybersecurity guidelines -- part of a more substantial policy change led by the Biden Administration.
Both mandates come into effect on December 31, 2021. TSA openly states that the directives were issued “due to the ongoing cybersecurity threat to the national and economic security of the United States that could result from the degradation, destruction, or malfunction of systems that control this infrastructure.” This statement strongly aligns with our research, as rail-focused cyber-attacks have increased by 173% in the last five years, with a major cybersecurity incident identified every month on average. Based on this worrisome assessment, the TSA directives require four critical actions:
Appoint a Cybersecurity Coordinator
Every rail company is required to appoint a cybersecurity coordinator as the principal point of contact with TSA for risk management and other cybersecurity-related matters. This individual will serve as the liaison between the rail company, TSA, and CISA (Cybersecurity and Infrastructure Security Agency) and also must:
- Be a representative at the corporate level
- Be accessible to TSA and CISA 24/7
- Coordinate cybersecurity practices internally and externally
- Work closely with relevant law enforcement and emergency response agencies
Reporting Cybersecurity Incidents
Rail operators and owners are required to report any cybersecurity incident that disrupts critical IT or OT systems within 24 hours. Moreover, the directives request that specific cybersecurity TTPs (Tactics, Techniques, and Procedures) be registered once discovered, including:
- Impersonation attacks or unauthorized access to critical IT or OT systems
- Malware on critical IT or OT systems
- Denial of Service (DoS) attacks
- Any other attack technique that results in operational disruption to the rail operator, or an incident with the potential to “cause impact to a large number of passengers, critical infrastructure, or core government functions.”
The report to TSA/CISA must include the name and personal information of the reporting individual, affected rail system, date of compromise, date of detection, relevant threat information, and a detailed description of the damage caused by the attack.
Developing an Incident Response Plan
Within 180 days from the effective date, rail operators/owners must develop and implement a comprehensive incident response plan for risk mitigation and functional degradation. The incident response plan is required to provide defensive measures that ensure the following objectives:
- Identify, isolate, and segregate infected systems, in order to: (1) limit the spread of autonomous malware in IT/OT networks; (2) deny the attacker’s access to critical systems; (3) perform damage control and identify the extent of damage; (4) collect and preserve evidence.
- Preserve the integrity of stored data, including emergency protocols to secure and maintain backups offline.
- Automatically segment OT systems from IT networks in the event of a significant cybersecurity incident.
- Perform annual exercises to test the effectiveness of the overall security posture and the incident response plan in particular.
Cybersecurity Vulnerability Assessment
Rail operators/owners are required to complete a vulnerability assessment of their entire rail network within 90 days. The assessment methodology must align with the National Institute of Standards and Technology (NIST) Cybersecurity Guidance Framework. Once all security gaps are identified, the rail operator/owner must develop remediation playbooks to address the vulnerabilities discovered in the assessment. At the end of the process, and no later than March 31, 2022, rail operators/owners are required to submit their vulnerability assessments in writing to TSA.
How CylusOne Helps You Comply With TSA Directives
CylusOne is a comprehensive rail cybersecurity solution developed to protect ROSs (Rail Operational Systems) both onboard and trackside. The solution’s core capabilities were designed to defend the most extensive and intricate rail networks while meeting the strictest standards. Here is how CylusOne can empower your security team and help them comply with the new TSA regulations:
Improved Incident Reporting Through Asset Monitoring and Threat Detection
Rail networks include many rail-specific assets and devices, typically manufactured by multiple vendors and geographically dispersed. Ongoing asset monitoring provides visibility that is crucial for effective incident reporting. CylusOne automatically discovers all assets for powerful inventory management and maximum control over mission-critical systems.
CylusOne’s machine learning-driven threat detection is also an important capability to help comply with the incident reporting requirement. The directives state that specific threats must be registered, such as unauthorized access, malware, DoS, and more. To this end, operators/owners need powerful detection capabilities to identify different types of attacks. CylusOne utilizes Deep Packet Inspection (DPI) to detect malicious code and threats. DPI payload analysis can classify various threats and create a typology.
More Control, More Robust Incident Response Plans
The CylusOne dashboard offers state-of-the-art visualization tools (e.g., Rail-Purdue Model) along with advanced threat analytics for bespoke reports, audits, and forensic investigations. These analytical tools empower security teams to build robust incident response plans and protocols to counter massive cyber-attacks. But more importantly, CylusOne enables rail operators/owners to virtually segment the rail network into security zones and conduits. This capability allows security teams to isolate impending threats and vulnerable assets, which is imperative to meeting the TSA requirement.
Mitigate Risk with Real-Time Vulnerability Assessments
Based on incoming data compared to a baseline model, CylusOne continuously performs vulnerability assessments of the network. When the solution discovers anomalies and CVEs, it generates real-time alerts, risk scores, and actionable remediation recommendations to keep risk levels in check.
Cylus also offers additional cybersecurity services such as onsite/remote vulnerability assessments, Red Team security exercises, security-by-design consulting, and training. Rail operators/owners can therefore leverage Cylus’ unmatched expertise in rail cybersecurity to conduct the initial vulnerability assessment, even before the solution is deployed.
To learn more about how CylusOne can help you comply with TSA directives, please contact our team of cybersecurity experts.