In the first episode of Secure Tracks, Roark Pollock speaks with Dr. Mark Grant, a renowned rail cybersecurity leader who worked at CSX for 17 years, serving as the Chief Information Security Officer for 8 years. Mark discusses the three waves of digitalization in the rail industry and the impact of the most recent wave on operational rail technologies. The conversation touches upon government views and actions, including the recent TSA Security Directives and the upcoming rulemaking process.
About our guest:
Dr. Mark Grant is a longtime cybersecurity leader, having worked at CSX in Jacksonville, Florida for 17 years. Grant served as the chief information security officer for eight years during his time with CSX. He is now working as a trusted advisor to help companies enhance IT, security, and business strategies.
Roark Pollock: Hi, I'm Roark Pollock, and this is the first season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're talking about digitalization and its impact on the rail industry. I'm super excited about today's conversation because we have with us Dr. Mark Grant. Mark is a longtime cybersecurity leader, having worked at CSX in the United States, specifically in Jacksonville, Florida, for about 17 years. And Mark served as the chief information security officer for eight years during his time with CSX. Mark, welcome to the show, and thank you for joining us today.
Mark Grant: Well, thank you, Roark. It's great to have the opportunity this morning to talk a little bit about rail tech security.
Roark: Awesome. Well, Mark, I introduced you as Dr. Mark Grant, but your doctorate is not necessarily in a field I think most would expect. Why don't you tell us a little bit about your doctorate, how you got into the rail industry and how you got into cybersecurity?
Mark: Okay, yeah. So my PhD is actually in condensed matter physics, and that's from University of Florida. And, you know, my time there, interestingly enough, I spent a lot of time sort of programming. And back then we used to use Fortran, which is kind of what all the scientists use. And, you know, so I was either doing that or spending a lot of time hooking computers up to lab equipment and things like that. So the transition for me from sort of being a physics guy to a computer guy was actually fairly easy. And I was finishing up a postdoc in Texas at UTEP there and, you know, moved back to Jacksonville and ended up getting a job in the sort of computer industry. I thought it was going to be a bit of a temporary job, but, you know, it turned out that the work was extremely interesting and, you know, I was having some success there. So eventually I ended up working for the railroad here in Jacksonville, where CSX is headquartered, and then eventually, you know, moved into the CISO role. So it was, you know, certainly different work than academia, but challenging and rewarding work.
Roark: Well, not your typical career path, but Mark, you're making me feel a little old talking about Fortran. I remember my Fortran undergraduate course in engineering. Yeah, you know, it was the language that people used back then. It was fast and it was efficient and, you know, people oftentimes were doing a lot of, you know, number crunching and it was a good language for that. Yeah, it was good for that. Well, Mark, let's jump into our first topic and talk about the increases in digitalization in rail operations. I know when you and I spoke previous to the show, you mentioned this concept about how the rail industry or rail companies have gone through kind of three different waves of digitalization. And I was wondering if you could tell us a little bit more about your view there, how you see that and kind of how that has played out over your 17-year career with CSX.
Mark: Yeah, I definitely have seen that and, you know, having been there, you know, I guess I started there, you know, kind of late 90s. But, you know, I think the first wave, when you think about railroads, and railroads have been around for a long time, but you think about railroads, you know, they used to be run on paper and, you know, people did all the work on paper. There were huge staffs that kind of handled all these papers and passed them around. And so the first wave, I think, of digitization was really about moving from a paper process to a computer based process. And they did that, you know, they were looking for efficiencies. So, you know, and that worked. I mean, they had, you know, huge staffs and were able to reduce clerical staff quite a bit. These were sort of mainframe based systems. If you're talking about the kind of 70s and on to the 80s, and those things ran for decades, you know, big consolidated systems, you know, big data centers, particularly as the industry consolidated more, when you think about the freight environment in the US. And, you know, they did what they were supposed to do. The second wave, as I think about it, was kind of about the time I started. And if you think about the dot-com era, and what you began to see was, you know, a move away from, you still had the mainframes, but you began to see things like internet connectivity. You began to see things like desktops on people's, you know, desks, laptops, even tablets a little bit later on. And you also began to see a lot more digitization of the actual operations, you got things like computer aided dispatching, you got digital controlled, you know, signals and switches, things that used to be relays and wires became, you know, sort of digitized. And, you know, the drive there from a business perspective, as I saw it, was all about continuing that automation.
So but the automation was a little bit different. It wasn't just the clerical stuff, it was like, you know, tied to the core business and the transportation. So you got a lot more, you know, equipment in your data centers that was more directly connected to stuff in the field. And the third phase, I think, really, right now is what we're experiencing, is being driven primarily by this huge investment that railroads made in positive train control. Now, they sort of reluctantly made that investment, I think, at first, because it was a regulation process that, you know, they were kind of, you know, forced to do that. But what that did was really instrument the railroad more fully. So you got tens of thousands, you know, of additional points, you know, on the wayside, you had more onboard computers on locomotives. And, you know, what companies are doing now is right, figuring out how to leverage that investment. So now that you've got that instrumentation, what do you do, and the goal of this third phase, which we're really getting into now, is about intelligent control. So it's about using the information that's there, and having the computer be more of an active process of decision making across the railroad. And again, that's going to, you know, there's huge opportunity there for enhancing efficiency, particularly for the large rail networks and, you know, the interconnectivity between networks, the touch points, the transfer points from one rail to the other.
Roark: Got it. So, Mark, how do you think about what that digitalization? I mean, how is it shaping or changing the operational part of the business? And what are the real benefits to the business?
Mark: Well, I think the primary thing is really about the flood of new information that you're getting from this rail tech implementation. You know, now that you kind of have all of these points out there that are collecting information about your operations, the opportunity and the way it's changing the industry is, you know, people are busily trying to figure out how to use that. And this is information that is the most vital information to a railroad, which is about, you know, the operations. And if you think about the problem, you know, there are really two things, I think, when you think about the, you know, the opportunity and the, you know, I call it a problem. It's not really a problem. It's more of an opportunity. But, you know, the challenge of figuring out in a complex networked rail network, a complex networked environment, is how do you get all of the shipments that you have, you know, and they're all going different places. Right. How do you get from point A to point B with a given shipment in the most efficient manner? You know, what speed should the train go? You know, what route should it take? And you know, I'm talking here mainly about freight railroads. But that problem is, you know, I would say, you know, almost 100 percent solvable by technology. And, you know, it hasn't been solved completely. You know, the environment's complex. Things happen that you don't expect. You have a plan, you know, and then, say, a track gets washed out or you've got some kind of other operational issue. Maybe your locomotive isn't working like you want it to. That one event has a ripple effect across the entire railroad, potentially. And so this problem of efficiency is not just a, you know, hey, we figure out the plan and then we're done. It has to be continually adjusted and continually modified.
Roark: It has to be dynamic. Yeah, it's got to be dynamic. The Mike Tyson of the railroad industry, right? Everybody has a plan until they get hit in the face.
Mark: That's exactly right. And, you know, unfortunately, railroads, you know, they get hit in the face frequently with all sorts of things, you know. So, you know, that problem is a technology problem at the core, I think.
Roark: That makes sense.
Mark: Yeah. And, you know, the other problem you've got, and so you've got all this information now and, like, how do you leverage that to build an intelligent environment that can make those decisions for you instead of having a person looking at the disruption, looking at what's occurred and trying to sort of refactor what they should do. You want a system to be making some of those decisions because it's going to be faster and arguably better because that system is going to have a view of the entire network instead of the local environment of the people that are sometimes making the decisions now.
Roark: So, you know, it's just becoming more automated in some of the functions.
Mark: Yeah, yeah. And that drives, you know, that drives huge efficiencies across your rail network. And so the other piece is, you know, it's like how do you become easier to do business with? And again, you know, technology is going to be a big part of that solution. How do you provide additional visibility to your customers about the options for shipment? How do you give them a price that reflects, you know, your true costs of moving that freight? You know, how do you make it easier for them to, you know, to engage with you and become a customer? And that, again, is, you know, it's largely a collaboration problem, you know, problem with your customers. And that's, I think technology is a big, you know, part of that solution as well.
Roark: Certainly. That's a bigger issue for the passenger railroads, even in the freight railroads, I think.
Mark: Yeah, it's the same, you know, same challenge. It has to be, you know, it has to be easier. And if you look at some of the companies now that are largely digital companies, and there are plenty of examples, you know, they're operating in a manner that is super easy for people to engage.
Roark: Sure. Almost anything delivered to your house in 24 hours.
Mark: That's right. And that's a transportation, you know, challenge as well. But that's been, you know, people have solved that and someone will figure this out, you know, for the rail industry. And I think the time is going to be soon when that occurs. And they're going to have a huge advantage, you know, when they do that.
Roark: That makes sense. Well, Mark, you're talking about the digitalization that's happening in, we've kind of described it as the operational rail technology environment. What do you think of as the scope of that operational environment? What's included? What's in that? What's not part of that scope? Is it everything within the rail company?
Mark: Well, you know, to me, I think, I mean, you know, clearly, railroads have a lot of different, you know, solutions that they use, a lot of technology solutions. But to me, you know, the most vital ones are those things that are sort of wired into the operations. You know, those are the critical core technologies that run railroads. And what we're talking about there, I think, are, you know, sort of signaling systems, switching systems, dispatching environments, you know, train control type environments. And, you know, increasingly, you know, you're seeing, you know, clearly stuff on locomotives. There have been computers on locomotives for a long time, but there's more and more integration now that there's, you know, additional connectivity there because of the sort of positive train control investments that people have made, you know, those things are connected. And increasingly, you're even seeing now, you know, stuff on rail cars. In the past, you know, the way that you kept track of where your rail cars were, on freight railroads anyway, was, you know, you had RFIDs on the cars, they all have them as an industry standard, that passes an RFID reader, and then you get an update on where your car's at. But, you know, you may go many miles until you pass one of those RFID readers, and a lot of things can happen in between. So now you're, you know, you're starting to see things like GPS on every car and there are initiatives to sort of get that out. And that's going to change, again, it's going to change the accuracy with which you can address, you know, the location in your planning systems. And it's also going to, you know, allow customers to have a better understanding of exactly where their stuff's at and when it's going to show up.
Roark: Yeah. Well, Mark, what do you think of as the long-term implications of all this digitalization? I know where we are today, but where's the industry going, do you think?
Mark: Well, I mean, you know, they're clearly chasing, you know, efficiencies. All the railroads, you know, closely watch their operating ratios. This is something that, you know, clearly the market is interested in, in terms of how, you know, how people think about their investments. But, you know, eventually, what's going to start to happen is you're going to have these environments where you're using intelligent systems to make decisions. That's going to drive, you know, better operations. And it's also going to enable ultimately, you know, autonomous operations. So, you know, maybe it's not the whole network. There are clearly challenges still, you know, in getting there. But, you know, that's what folks, I think, are thinking of down the road. But, you know, again, it's just going to be increased, it's going to increase, you know, reliance on your systems, your computers, to make decisions versus operators, even from an operational standpoint.
Roark: Right. Well, we're starting to see that. Every time I fly through Dallas Fort Worth, there's nobody driving that train.
Mark: That's right. I mean, you already get it on some of the, you know, commuter lines and light rail, those systems are already in place. But in terms of the freight, you know, right now, you've always got people on the locomotive, you know, can argue one way or the other, whether it makes sense not to have someone there. But I think, you know, the technology is ultimately going to enable that. And, you know, you're seeing it on automobiles, clearly trucks are looking at the same thing. And the problem is a lot easier on a railroad than it is, you know, say a car or a truck because you have complete control of the network. It's a bit of a one-dimensional problem versus two-dimensional. So it's arguably easier to solve that issue on a railroad than it is any other mode of transportation.
Roark: That makes sense. Well, Mark, let's shift gears a little bit. Let's start talking a little bit more about cyber. We've talked about digitalization, we've talked about the railroads. You know, as I understand it, there are a lot of CISOs in the rail industry that are now perhaps for the first time being asked to take ownership of the cybersecurity risk in these operational rail technology or rail tech environments. If it's the first time that a CISO has had to deal with these operational systems, how do they start to think about, you know, how do they think about getting their hands around the situation and starting to understand the associated risk that exists within these environments?
Mark: Yeah, I mean, it's a good question. I think that the CISOs in general, and, you know, I've worked quite a bit with a number of CISOs across the industry in my career, and I think they understand the risks. So it's not a question of the CISOs understanding the risks. But I do think, you know, in certain environments, there are challenges with getting cycles on the business side to talk to them about the risks and to make them understand the cybersecurity risks more. And, you know, it makes sense because, you know, the operations people have a difficult job. You know, they have challenges just on a day to day basis dealing with the things that occur and making sure that they're supporting the business in their roles. And so it's hard to talk to them about a hypothetical sort of bad thing that could happen when they have, you know, in some cases they have challenges, you know, every day that they're dealing with. And that's really where, you know, I think it is most challenging. How do the CISOs become sort of partners, you know, with their cohorts that are, you know, more directly responsible for rail operations? And, you know, spending part of their job, you know, in my opinion, is sort of working with the business on challenges and, you know, having a supportive leadership, you know, is clearly helpful as well. So, you know, not just operations folks, you know, your CEO, even your board. I know that, you know, most CISOs, at least that I'm familiar with in the freight industry, spend a lot of time updating their boards. And, you know, that all is extremely helpful for sort of building that ecosystem of, you know, security. It's like, it can't be, you know, it can't be the CISO with sort of his finger in the dam, you know, protecting everybody. It's got to be everybody in the company understanding, you know, they've got a role. They have to understand the risks and they have to understand that they have a role in helping manage that.
Roark: Right. Mark, so I know that sometimes I've run into CISOs that perhaps cut their teeth in other industries and they move into the rail industry. They're very experienced in operational security, perhaps in other industrial control systems-based industries. How do you think of what's different between the rail industry, perhaps, and other industrialized industries?
Mark: Yeah. So, I mean, I think I'll start by talking about kind of what's the same, you know, really, you know, at the fundamental level, some of the technologies are similar, you know, so, you know, Linux, you know, in the energy sector is going to look a lot like Linux in the rail sector. And so, you know, the attacks on those systems, you know, are likely going to look similar. The tools that the attackers use are going to be, you know, probably the same. But I think that what is critical and different about railroads and what sort of makes each sector or each industry a little bit different is, you know, it's the context. It's like the business context. So what, you know, understanding what are the important systems? What is the function of this, you know, Linux device? What's the function of the SCADA, you know, system and how is it important to the business? That's the part that sort of, you know, makes the different industries, differentiates, you know, the industries. And so, you know, it's like, you know, without that business context and without understanding the role of the device you're trying to protect, you know, you're missing, you know, a huge opportunity. You have to understand where to focus, what are the most important things to protect? And, you know, the protocols, you know, there may be a lot of similarities in the environment, but there are very specific protocols that are used, particularly in the rail industry, these things because of the interoperable nature of the environments. I mean, you know, railroads have had to have standards and had to have consistent processes for hundreds of years because, you know, a lot of shipments start on one railroad and end up on another railroad. So the way you manage that in an IT environment is you have to have standards on how those things are handed off. You have to have protocols that are understood, you know, across the environment.
And it's that understanding of that protocol, I think, you know, does sort of make the rail tech a very specific type of technology and the way that you think about protecting it.
Roark: Yeah, I think the protocol is just the starting point. I think it's quite often, Mark, and as you talk about the context, I think it's much broader than just understanding the protocol. It's understanding the business case, the safety case that's involved, and the applications, whether it's signaling, interlocking systems, train control systems. Those all tend to be very unique to the rail industry.
Mark: So yeah, I think you hit on a key topic there about it's understanding that context and underlying what that particular device or machine means to the overall system. Yeah, and I mean, even recently I've worked with, you know, I've worked with companies, rail companies that, you know, had, you know, had people in their environment that were trying to work on security plans and trying to, you know, formulate strategies and, you know, trying to sort of apply a generic approach into an environment. And, you know, and you asked the question about, hey, you know, someone new to the industry, and in this case, it was someone, you know, new to the industry that was in charge of sort of, you know, managing this process. And, you know, they had to reach out to some rail people and say, hey, you know, we get the technology, but what we're struggling with is, you know, how do we translate the things that we know into a rail environment? So they had to go get some, you know, some additional rail expertise to help with that.
Roark: Right, right. Makes good sense. Well, Mark, we're talking a little bit about the risk side of the equation and some of the risks that perhaps exist, but how much of this is really a problem? I mean, I haven't heard, you don't hear much about high consequence cyber events in the rail industry, maybe not including a bit of, you know, outside of the situation in the war in Ukraine, but are there events that we just don't simply hear about? What's the true situation that exists as far as consequences?
Mark: Well, you know, let me sort of tackle the question.
Roark: Not to put you on the spot.
Mark: No, no. Yeah. So, I mean, I think it's fine. You know, the good news and very helpful news in terms of, you know, CISOs in the rail industry is that there is a fair amount of robust communication across the industry. And, you know, railroads, you know, clearly compete with each other. But when it comes to security, there have been, the industry has focused on, you know, communication channels, you know, best practice sharing. There are committees that run through the American Association of Railroads, you know, which share a lot of information about, you know, things that are going on. Right. And, you know, I can say, and I, you know, I have a good understanding of, you know, events that have happened over the years. And really, you know, it's not like there are secret, you know, disruptive, you know, terrible cyber attacks that have been happening and somehow everybody's just keeping that quiet. There really just hasn't been, you know, a lot that's impacted the rail industry in terms of significant consequences. Now, you know, really, when people think about risk, though, in the rail industry, it's recognized that it's there. You know, just because there hasn't been a significant disruption doesn't mean that it can't happen. And so I think that that is really what the biggest risk is, is a disruption of, you know, and it'll probably, you know, the most damaging would be on those core operational technologies. But, you know, a prolonged, and, you know, most railroads can take a hit as well. I mean, they can take a brief outage and these things happen sometimes, normally not because of cybersecurity events, just because of other, you know, things that happen in the environment. But, you know, if it's short, and it's fixed, you know, quickly, you know, usually, you know, things are okay, but it's really those prolonged disruptions that would be days or, you know, even in some cases, weeks, if you talk about certain scenarios, those are the ones that are the biggest risk. And there, you know, there are safety potentially, you know, the processes and the system design for railroads in terms of safety are excellent. But, and, you know, railroads have also done a lot of work, I know, because I've done some of it myself, you know, to try to look for cyber scenarios that, you know, could lead to safety issues, testing, and, you know, pen testing and other types of, you know, threat modeling type approaches. And the good news is, you know, there's a lot of sort of resilience built into the process. There's a lot of fail-safes in the system, you know, they had to be fail-safe before computers were even run in railroads. So there hasn't been a lot demonstrated there that says, hey, look, this is kind of the big safety issue.
Roark: Well, it's good news, bad news, I guess you're saying is the good news is not much is happening. And that's great. And it's a good sign. The bad news is people are still worried about what could happen. Yeah. And trying to deal with those situations, I guess so.
Mark: Yeah. And so, you know, have we seen it? No. Is it possible? Yes, is the way I would summarize that. And probably yes, on the safety side, although, you know, we haven't seen those things demonstrated yet. But, you know, you got to think that, you know, there's a lot of moving parts, you got to think that some of that stuff's possible, and it's not easy, you know, so, you know, in order to really get in there and cause issues, from what I have seen and my experiences, you know, it's going to have to be a sophisticated attack.
Roark: Right, right. Well, Mark, let's talk a little bit about the side of the CISO that causes a little bit of heartburn, you know, what are those worst case situations that a rail CISO worries about in this operational rail tech environment? I mean, is it the adversary that worries you most, or maybe high consequence safety events? Or are they mainly focused on or worried about service disruptions? You know, what gets the attention of the CISO the most, keeps them up at night, and maybe gets the most attention within the executive suite as well?
Mark: Yeah, I mean, I think, to me, it's probably service disruption, just because, you know, I mean, we've seen that across a number of industries, particularly with, you know, with ransomware, sort of, you know, maybe it doesn't get into your control systems, but it impacts enough of your environment that it really causes you issues. You know, it even bleeds over into those environments in terms of the impacts, even if the ransomware doesn't make it there. So, you know, I think that's what people worry about. And, you know, the CISOs are very aware of those critical systems, what they are, they have additional resiliency plans around those in terms of disaster recovery, everybody understands what those systems are. You know, it probably wouldn't make sense to, you know, specifically name them, but they know what they are. It's like that system when, you know, when you get the call, you know, at 2 am, and it's from, you know, the operations, and they're like, "Hey, the system went down 10 minutes ago, and we're already delaying trains." It's those, you know, it's those environments that CISOs worry about.
Roark: Well, and I assume from a safety standpoint, there's a lot of overlap between the safety cases that have been developed and cybersecurity cases. And so a lot of those have been dealt with in the past and have been built out pretty robustly already, I assume.
Mark: Yeah, I think that's true. You know, and there's just so much experience in the environment, you know, over, you know, using these systems, seeing how they react, seeing how they fail. And I will say that, you know, in a cyber attack, an interesting twist is, you know, the system probably or may not fail in a way that you expect it to. And that's, you know, normally these kind of failure modes that are understood are based on, yeah, this is the way the thing breaks. But, you know, if someone's in there actively manipulating the environment, it may fail in unexpected ways. So that, you know, there's a little bit of an uncertainty ultimately about what the outcome could be when someone's in there, you know, messing around with it.
Roark: Yeah, understood. So Mark, are there systems or applications within the operational rail tech environment that CISOs worry more about than others, maybe given their vulnerability or perceived vulnerability or the possible consequences? I guess what I'm trying to get at is when you live in a world where you can't do everything at once, how do you think about prioritizing your efforts in some of these environments?
Mark: Yeah, I mean, there is, I think, a tension between, you know, a decision process and sort of risk analysis that goes into all the security plans. And a tension between sort of the IT environment, which, you know, is typically where you see, you know, most security incidents happen. I mean, you've got people, you know, involved in there. You've got people potentially, you know, leveraging cloud services, you know, leveraging the internet, you know, reading emails, which is always a risky process. You know, you've got more activity there with more users that are doing all sorts of things, you know, to kind of complete their tasks for the day. You've got internet connectivity, you know, so there's this, and those are important systems too, from a business perspective, they're not the most critical for railroads, but they are important. And so, you know, to me, there's a tension in terms of how much effort and resources do we devote to that environment where we see a lot more activity versus how much do we devote to sort of this operational technology world where we may not see nearly as much, you know, cyber activity, but it's also way more important, arguably, to the business. So, you know, that sort of risk analysis and thinking about the resources you have and how you use them, I think there's, you know, there are issues that come around, you know, the tension between those two environments.
Roark: Right. Mark, are you seeing a change in the balance between where the focus is being placed in those environments over the last, let's say, half a dozen years or so, and looking forward, do you expect that to continue to change?
Mark: Yeah, yeah, I think that there has been a huge shift I've seen in the industry. And part of that has been, you know, we talked a little bit about this kind of third wave of digitization. What comes with that is, you know, you've got, you know, systems in your IT environment, systems in your OT environment, and you're finding that the information that you're getting out of the OT environment is so useful that you want to use that in other places. And so, you know, there's been additional sort of connectivity between those two environments. And I mean, traditionally those, you know, were isolated, sometimes even air gapped, but they're still isolated. You know, there are choke points as I see it in most railroads between the environments, you know, a lot of filtering takes place, but there is more connectivity. And so that, you know, the CISOs are smart people. They, you know, see connectivity and they're like, hey, that's an additional vector, you know, it's an additional attack surface. The attack surface is growing in the operational technologies. And so there's more of them and, you know, increasingly they're more integrated with other environments.
Roark: Yeah. Well, Mark, let's, let's shift gears one more time to our last topic of the day. And I know that we'll, we'll talk a little bit about the involvement government has in some of the regulatory things that have been coming down the pipe. Mark, I know you left CSX a couple of years ago, I think in 2021, and now you're working for yourself. You've got your own business, RiskSec Group, if I'm not mistaken. Tell us a little bit about the work you're doing.
Mark: Yeah. So the RiskSec Group, you know, my partner and I, you know, we're, we're focused in a couple of areas. You know, cybersecurity is one, you know, kind of like serving as a virtual CISO, which, interestingly enough, is a new term I've seen pop up in the last several years. So we kind of offer, you know, services like that. And, and, you know, we also do sort of, you know, enterprise risk management audit, you know, we've got a bit of expertise in a lot of areas. So yeah, we've been helping, helping people, you know, with their IT strategies, and certainly with cybersecurity, and a lot of, a lot of time recently has been, been around some of the new TSA regulations. You know, if you're, if you're one of the big railroads, you know, you've got staffs of people, you have lawyers, you've got, you know, cybersecurity teams and, and, you know, you've kind of been in a decent place. You probably already have a lot of frameworks in place and a lot of policies that are necessary. You've been doing this for a while, but you know, some of the other railroads don't have as much, you know, resources, as much expertise on the cybersecurity and risk management side. And, you know, so they, you know, they get this TSA regulation. They're like, what the heck do we do with this? So, you know, we've been, we've actually spent a fair amount of time working with some of the short lines and, and, and others in the industry, you know, to kind of deal with those regulations.
Roark: That makes sense. So how, I know the TSA regulations or the security directives, I guess they had three different versions over the last, about 18 months. How is it playing out? Where are most of these companies in the process? And what are you seeing happening today?
Mark: Yeah, you know, so, you know, the TSA is, is actively, you know, writing regulation and, and they have invested, you can tell, I mean, you get a sense as you kind of talk to the TSA that they have brought in people to run this process, you know, so they didn't, you know, particularly around railroads, they had the pipelines also that they started with and the railroads and looking at additional regulation now on, on the airlines, but, you know, they've geared up, they've got people who have experience in these matters, people that have been, you know, involved in regulations in other industries, and they've kind of put the resources against it to, to make sure they're following up on, on the rules that they're making. And so the railroads, you know, they're, you know, nobody likes regulation. I don't want to say nobody, but a lot of, a lot of people, maybe somebody out there who does, but a lot of people, you know, they struggle with, with, with the concept of being forced, you know, to apply their resources in certain areas versus, you know, taking the risk approach that they've taken in the past. So that's why people don't like the regulations. And, you know, so people don't like them, but, you know, I think the TSA has done an okay job, you know, of working with the industry, coming up with something, you know, they made some adjustments based on feedback. There were a lot of conversations. So, you know, they're doing an okay job, and the railroads, you know, are doing what they can, you know, to comply. So they're, you know, building the security plans and sort of, that's kind of where it's at now. It's like, hey, here's what our security environment looks like. This is what we plan to do in the future. You know, that sort of thing is addressed in the regulation and, you know, just sort of getting ready for the next step, which is going to be, you know, the beginning of the sort of audits from the TSA and inspection process. And I do think, you know, we should think about this as a process. It's more of a process than it is an event. There's going to be, I think, ongoing dialogue back and forth in terms of getting this to a point that the TSA is happy, you know, with the additional protections that they're trying to make sure people have. And the railroads are happy, because, you know, it's adding value actually to their program. And most of the, you know, most of the big rails are doing the stuff already. They already have everything in place.
Roark: Certainly early days, I think still. And you mentioned it's a process. And in fact, you know, I know we've spoken about the fact that the TSA is now in the midst of a new rulemaking process as well and not just sticking with the security directives. In fact, they gave notice or advance notice of this proposed rulemaking back in November last year. What do you expect to come out of that process that rail CISOs might want to think about sooner rather than later? Do you think it'll be the same as the security directives or do you expect something different?
Mark: You know, I think it's going to be more of the same. I believe the direction, directionally, it's going to be like, we think, you know, and you hope that someone, you know, in government is doing an analysis of the adversaries and basing some of the regulations on, you know, kind of what they see happening. You know, what's the risk and how, you know, understanding the risk based on analysis of what's actually happened or what they see or what intelligence they have. So, you know, and the TSA talks about that. So you hope that, you know, a fair amount of that is in there. But yeah, I mean, they've distributed, you know, the proposed rulemaking. The industry has responded and given feedback and, you know, in general, the feedback is, I think, you know, what you would expect. It's like, hey, don't paint us into a corner where we don't have options and we can't make decisions locally about our environment and how we protect it because, you know, and you have to, you know, it makes sense. You have to ask the question, like, who's in the best position to make those decisions? Is it the TSA or, you know, or is it the CISOs who have a good understanding of their environment and really what the risks are? So, you know, most of the comments, I think appropriately, are, hey, give us the flexibility to do what makes sense and what is right for our company.
Roark: Yeah, well, that makes perfect sense. Well, let's wrap this up, Mark. We'll wrap up a little bit here. I know in the work that you're now doing, you're working with different organizations as part of RiskSec Group. You know, what kind of, what last bit of advice would you leave for your rail CISO brothers and sisters out there?
Mark: Yeah, I mean, I think, you know, be careful would be, you know, the threat environment, I mean, because of the increasing use of technology in railroads and because of the sort of, you know, we always, I mean, it seems like for decades I've been talking about the increasing threat, you know, it's like, hey, the threat is evolving, it's getting worse, but that continues, unfortunately, it continues to be true. And, you know, so that, you know, I think that is just, you know, that would be the advice I would give. It's like, “Hey, you know, you can't be securing your environment for the things that you have experienced in the past. You really need to be looking, you know, forward-looking in terms of the way you think about risks and you want to be able to enable your business with your security program to do the things that they need to do, you know, to drive the business forward. You can't be, you know, you can't be the person that's holding it back because it's impossible to do because you can't secure it. You have to be out in front of that. You have to have the security there even before, you know, sort of the next business initiative comes along.” And then I think that's probably the most useful advice I could give based on my experience in the industry.
Roark: Yeah, that makes great sense. All right, well, Mark, we really appreciate you being on the show today. If someone wanted to get in contact with you, Mark, which one of the social media platforms are you active on or what's the best way to get in contact with you?
Mark: You know, I think the best way is probably just to use LinkedIn because, you know, it's easy to find me on there and, you know, you don't have to remember anything apart from my name, and you can probably find, track me down there, and if you send me a note, I'll respond to you.
Roark: All right, that's awesome, Mark. Thank you again. That's the end of today's show. Until next time, keep those tracks secure.