How to Respond to TSA’s New Cybersecurity Reporting Standards for US Rail Operators
Last month, Congress passed H.R. 3684, also known as the “Infrastructure Investment and Jobs Act” or the “Infrastructure Bill,” which is set to allocate a $91 billion investment into rail and air infrastructure in the United States. Effectively, this will modernize routes and general transportation infrastructure in the US including transportation safety. With these infrastructure upgrades in mind, the Biden administration formally outlined plans to institute new cybersecurity reporting standards for US rail operators.
How Does This Affect Rail Customers?
This is good news! For customers traveling by rail, or companies that rely on rail for transporting freight, it means increased transparency in electronic attacks against US transportation infrastructure. Ultimately, this means safer transportation of travelers and freight. What it means for operators of these services is somewhat more complex.
What Do Rail Carriers Need to Know?
Specifically, this directive imposes the following requirements:
1. Designate a cybersecurity coordinator.
2. Report cybersecurity incidents to CISA within 24 hours.
3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption.
4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
These four directives apply to all freight rail, passenger rail, and rail transit carriers in the United States. It should be noted that DHS is also requiring air operators to apply the first two directives to their operations; however, DHS is not yet requiring air operators to meet the final two requirements at this time.
Where to Get Started in Assessing Compliance
Understanding where cybersecurity gaps exist can be tricky business, especially if you haven’t undertaken a dedicated vulnerability assessment or penetration test on a set of hardware before. When it comes to testing critical infrastructure like a locomotive there are many things to consider, such as:
- Are there any Common Vulnerabilities and Exposures (CVEs) available for any devices you may have onboard your locomotive?
- How much customization do you do to your rolling stock? Do you include any hardware that is not a part of the standard build-out from the manufacturer?
- Do you have any cybersecurity policies designed for your rolling stock?
Just like in enterprise Information Technology (IT), Operational Technology (OT) such as onboard locomotive networks should be governed by a set of company security policies to help guide decisions made for these systems. Without guiding documentation, it will be difficult for system owners to discover where the most pressing problems truly lie.
Another thing to consider is how these new requirements interact with existing federal mandates for train safety. Rail companies operating mandated technology should ensure that any devices connected to those systems are appropriately hardened to prevent initial compromise. This includes mandated technology like Positive Train Control (PTC), connected devices such as Wi-Fi and cellular modems, and locomotive and back office technology.
Additionally, new technologies introduced into the operating environment may be leveraged by adversaries to compromise, or traverse to, key network terrain used to manage and interact with equipment under control. For example, would it be possible for an attacker to create conditions that would put elements of operational rail functionality at risk? If so, how might an attacker go about compromising office, communication, wayside, or onboard locomotive control systems to impact signaling, speed restrictions, locomotive braking, or PTC message interpretation?
Many of the onboard safety and operational systems inside of modern locomotives are computerized, and while the technology standards of the last decade aim to add specificity and redundancy to these components, the outcomes of failing to secure them may run afoul of more well-established safety norms.
How to Meet TSA Reporting Requirements
Another aspect rail-based system owners should consider is how they will meet reporting requirements outlined by the forthcoming TSA directive. What exactly is a “cybersecurity incident”, and how would you even know if you had one? The requirement for reporting cybersecurity incidents necessitates either an endpoint monitoring solution, a network monitoring solution, or a hybrid of the two. To meet this need, rail operators will need to consider strategies for monitoring network traffic onboard rolling stock.
Dragos typically recommends that any industrial system owners should invest in enterprise monitoring both in their corporate network, and in their operational network. For the rail industry this recommendation doesn’t translate proportionately, as the operating environment is typically broken into four major segments, each with its own set of technology requirements. However, of the four major segments of the operational PTC and Interoperable Electronic Train Management System (I-ETMS) networks, the Office Segment and Communication Segment represent key network terrain within the operational rail network that an attacker would most certainly have to compromise in order to affect equipment under control.
Dragos recommends monitoring sensors be deployed to either the Office Segment networks or within the Locomotive Segment network, onboard the locomotive itself. For practical reasons, the best solution to monitoring and data collection is within the Office Segment network where form factor and electricity limitations won’t constrain monitoring and collections efforts.
These solutions work best when they are well-architected with a skilled partner who can help guide system owners through the process of sensor placement and collection. These solutions are highly tailored and best done with an experienced vendor.
Choosing Your Ally in Compliance
Rail operators should know that they are not in this alone and can choose to work with the industrial cybersecurity expertise they require. Rail operators should seek out partners who can speak their language. Rail is a safety-intensive industry that requires a high degree of respect, particularly when assessing rolling stock in a rail yard.
Dragos has been working with rail operators in the United States for the past three years to help prepare for these challenges and has expertise in implementing TSA regulations. In 2021, Dragos tailored our Architecture Review services to help owners and operators of critical pipelines and liquefied natural gas facilities implement their industry’s TSA regulation, Security Directive Pipeline-2021-02.
Dragos offers an Incident Response Plan (IRP) workshop for customers wishing to develop and implement a cybersecurity incident response plan and tabletop exercises for those wishing to test their IRPs and strengthen their internal communication strategies. One of our most requested services is penetration tests of critical infrastructure, and we have successfully brought this capability to rail networks on an ongoing basis. In the recent past, this has included penetration tests of critical operational components in and around railway operation.
Whomever you choose to contract with to help meet these new requirements, be sure to select an organization with a proven background in your particular industry.