Directive Raises the Bar on Cybersecurity in the Sector
NEWS
The U.S. Transportation Security Administration (TSA) issued the Rail Cybersecurity Mitigation Actions and Testing directive in October, mandating Class I freight carriers, rail transporters of security-sensitive materials in high-threat urban areas, and railroads that host them to take certain cybersecurity actions to enhance cyber resilience. The directive emphasizes that the “ongoing cybersecurity threat to transportation systems and associated infrastructure” prompted the order.
Based on the directive, carriers need to:
The directive comes on the heels of a recent incident in which a cyberattack stopped trains in Denmark last week. All trains operated by the country’s largest operator, DSB, were canceled for hours. The attack was not on OT systems but on a third-party IT service provider, leading to a server shutdown, which in turn caused a piece of software used by train drivers to stop working.
Reporting Mandates, Exposure of Attacks, and Increasing Costs
IMPACT
The new directive further builds on Security Directive 1580-21-01, “Enhancing Rail Cybersecurity,” of December 31, 2021, adding new freight and passenger carriers that the TSA determined were at high risk of attack. It is an indicator of the federal government imposing increasingly granular policies on critical industries it deems at risk of cyberattacks. All the requirements in the new directive must be included in carriers’ cybersecurity plans and submitted to the TSA by February 21, 2023, which means stakeholders will need to brief the employees responsible for implementing both the plan and the security directive. The mandate to report breaches to the TSA, coupled with an annual report of cybersecurity vulnerability assessments, means security teams will now have more requirements to meet, putting IT and OT security personnel under more strain. Owners and rail operators should increase cybersecurity budgets or face fatigued security and IT personnel. Companies that lack a Chief Information Security Officer (CISO) could face challenges implementing cybersecurity plans, as they will have to rely on other parts of the organization, such as IT and executive leadership, to compensate. While the directive does not cite any penalties for non-compliance, companies that fail to meet the requirements could face litigation costs or brand damage. The directive’s cyberattack reporting mandate means security breaches will be exposed and could create reputational risk for operators and cybersecurity vendors.
Identification of Threats, OT/IT Separation
RECOMMENDATIONS
Carriers need to design strategies that separate OT and IT systems so that a compromise of one does not spread to the other. Internet networks used by passengers should be air-gapped from train and railway networks. Operators should particularly focus on monitoring and detection at the OT level: OT traffic is the weak link in the industry because the usual IT security tools cannot adequately capture data from OT components. Sharing relevant cyber threat data between industry players is also important, as it lets operators throughout the industry exchange insights and learn mitigation strategies from one another.
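One concrete way to turn the OT/IT separation recommendation into something a security team can monitor is to write the segmentation policy down as an allow-list of zone-to-zone flows and check observed traffic against it. The script below is an added example, not code from the original brief or from the TSA; the zone names, address ranges, allowed flows and log lines are all constructed for illustration, and the key=value log layout is invented here rather than any vendor's export format. It encodes the page's two rules (passenger networks never reach OT; IT reaches OT only through a controlled DMZ) and flags every flow into an OT zone that the policy does not permit.

```python
"""Zone-aware check of network flows against an OT/IT segmentation policy.

Added example, not from the original brief. The zones, address ranges and
log lines below are constructed; the key=value log format is invented for
this example and is not any vendor's export format.
"""
from ipaddress import ip_address, ip_network

# Hypothetical address plan: one prefix per network zone (constructed).
ZONES = {
    "passenger_wifi": ip_network("10.50.0.0/16"),      # onboard / station guest Wi-Fi
    "corporate_it":   ip_network("10.10.0.0/16"),      # office IT
    "ot_dmz":         ip_network("10.20.0.0/24"),      # jump hosts, historian replica
    "ot_signaling":   ip_network("192.168.100.0/24"),  # signaling / train control
}
OT_ZONES = {"ot_dmz", "ot_signaling"}

# Allow-list of (source zone, destination zone, destination port) into OT.
# Everything not listed is denied: IT reaches OT only through the DMZ,
# and the passenger network never reaches OT at all.
ALLOWED_INTO_OT = {
    ("corporate_it", "ot_dmz", 443),        # historian web view via the DMZ
    ("ot_dmz", "ot_signaling", 502),        # Modbus/TCP only from the jump host
    ("ot_signaling", "ot_signaling", 502),  # controller-to-controller traffic
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if outside the plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse one 'key=value key=value' record into a dict with an int dport."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def check_flows(lines):
    """Return (line_number, src_zone, dst_zone, dport) for every flow that
    enters an OT zone without a matching allow-list entry."""
    violations = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if dst_zone not in OT_ZONES:
            continue  # the policy only governs traffic bound for OT
        if (src_zone, dst_zone, f["dport"]) not in ALLOWED_INTO_OT:
            violations.append((n, src_zone, dst_zone, f["dport"]))
    return violations


# Constructed flow records, in the shape a firewall or tap might export.
SAMPLE_FLOWS = [
    "src=10.10.4.21 dst=10.20.0.5 dport=443 proto=tcp",           # IT -> DMZ, allowed
    "src=10.20.0.5 dst=192.168.100.12 dport=502 proto=tcp",       # DMZ -> signaling, allowed
    "src=10.50.3.7 dst=192.168.100.12 dport=502 proto=tcp",       # passenger -> signaling
    "src=10.10.4.21 dst=192.168.100.12 dport=502 proto=tcp",      # IT bypassing the DMZ
    "src=203.0.113.9 dst=10.20.0.5 dport=22 proto=tcp",           # unknown source -> DMZ
    "src=192.168.100.12 dst=192.168.100.13 dport=502 proto=tcp",  # inside OT, allowed
    "src=10.50.3.7 dst=203.0.113.50 dport=443 proto=tcp",         # passenger -> internet, out of scope
]

if __name__ == "__main__":
    for n, src_zone, dst_zone, dport in check_flows(SAMPLE_FLOWS):
        print(f"line {n}: {src_zone} -> {dst_zone}:{dport} violates segmentation policy")
```

Run against the constructed records, the check reports three violations: the passenger network reaching a signaling controller, corporate IT reaching signaling directly instead of through the DMZ, and an address outside the plan reaching the DMZ. The same allow-list can be fed to a firewall as the enforcement rule set and to the OT monitoring pipeline as the detection rule set, so that the two stay consistent.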
As the rail industry increasingly embraces wireless and digital solutions, its attack surface will expand to include signaling systems, train controls, and station infrastructure. The long lifecycle of equipment in the industry, growing connectivity with digital systems, and the diversity of the rail supply chain mean cybercriminals will find the sector an easier target to infiltrate than less connected and less diverse industries. The sector’s historical symbolism for activism and labor strikes means hacktivists could also target rail infrastructure to amplify social grievances.