Recent Transportation Security Administration (TSA) Security Directive Establishes New Cybersecurity Measures for Railroad Carriers

On October 18, 2022, the Transportation Security Administration (TSA) announced a new cybersecurity security directive for owners and operators classified as designated passenger and freight railroad carriers.

This security objective has been designated as 1580/82-2022-01 and is an extension of Security Directive 1580-21-01 (effective December 31, 2021 – read Dragos’s blog posting on 1580-21-01). The objective of these directives is to “reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through implementation of layered cybersecurity measures that provided defense-in-depth.”

In support of this objective, 1580/82-2022-01 builds upon the foundation established in 1580-21-01 and includes additional guidance for implementing cybersecurity measures and controls to segregate and secure both Information Technology (IT) and Operational Technology (OT) networks through implementation of technical (network segmentation, monitoring and detection, secure remote access, vulnerability management, et al.) and procedural (asset inventory procedures, access control policies, IT-OT inter-communication identification, patch management procedures, et al.) security controls. A requirement for development of a cybersecurity assessment program has also been added that includes the execution of a Cybersecurity Architecture Design Review (CADR) to validate that the network architecture effectively isolates critical OT cyber systems from potential threats.

In general, the security directive is applicable to the same railroads subject to the previously released Security Directive 1580-21-01 and additional freight and passenger railroads identified by the TSA based on risk determination.

Cybersecurity Measures Included In 1580/82-2022-01

This security directive has introduced the following security measures:

1. Establish and implement a TSA-approved Cybersecurity Implementation Plan
2. Establish a Cybersecurity Assessment Program

The Cybersecurity Implementation Plan must describe the specific measures implemented by owner/operators to prevent disruptions to their infrastructure and/or operations. The implementation plan must also include the schedule by which the owner/operators will follow to implement the controls defined in the plan.

The Cybersecurity Implementation Plan must (at a minimum) include technical and procedural controls and measures for the following:

• Network segmentation policies and controls that ensure the OT system can operate safely in the event of compromise on the IT network.
• Access control measures to prevent unauthorized local and remote access to critical cyber assets based on the principle of least privilege and utilizing multi-factor authentication where technically feasible.
• Implementation of continuous monitoring and anomaly detection for critical cyber systems.
• Implementation of a vulnerability management program to address patch management for critical cyber systems including Operating System, applications, drivers, and firmware on critical cyber systems.

The Cybersecurity Assessment Program must document how an owner/operator will proactively and regularly assess the effectiveness of the cybersecurity measures implemented as part of the Cybersecurity Implementation Plan. The assessment program must include the following:

• A Cybersecurity Architecture Design Review (CADR) that verifies and validates network traffic and systems logs against existing documentation and identifies vulnerabilities related to network design, electronic access control and inter-connectivity between IT and OT systems.
• Incorporate any additional assessment capabilities to support identification of system vulnerabilities (e.g., penetration testing to assess an adversary’s ability to compromise OT systems following a breach of the IT network).

Alignment with the 5 Critical Controls for ICS/OT Cybersecurity

The 5 Critical Controls for ICS/OT Cybersecurity identified by the SANS Institute uses scenarios based on real-world tactics, techniques, and procedures (TTPs) to design and improve cybersecurity defense and response. Aligning your security program with the five critical controls will help actively strengthen your OT cybersecurity defenses while meeting Security Directive 1580/82-2022-01 requirements.

#1 OT-Specific Incident Response Plan

The development of an OT-specific Incident Response Plan was included as a directive as part of 1580-21-01. OT-specific incident response plans developed under this directive must provide specific measures to ensure the following objectives:

• Prompt identification, isolation, and segregation of infected systems from un-infected systems.
• Security and integrity of system backups.
• Governance for effective isolation of IT and OT systems in the event of a cybersecurity incident.
• Identification of roles and responsibilities for implementing specific measures of the IRP including any additional resource requirements necessary.
• Execution of scenario-based exercises to test the effectiveness of the IRP (at least annually).

#2 A Defensible Architecture

Multiple aspects of the security directive work together to form the basis for a defensible architecture. The first is understanding what exists in the systems as part of an asset inventory and identifying critical assets. Another major aspect to a defensible architecture is network segmentation. With modern OT networks, there are often interdependencies between information technology (IT) and OT. These need to be understood and limited where possible. TSA also requires owners and operators to limit communications between zones. The following recommendations may be considered by owner/operators when developing a defensible architecture:

• Identification and inventory of critical OT cyber systems (crown jewels) at a minimum.
• Segmentation of the OT networks from IT networks and the internet.
• Limit the ingress and egress communications between OT and IT to only those required for critical business operations. Restrict communication flows to egress (initiated from within the OT network to the IT network) wherever feasible.
• Have the ability to isolate identified crown jewels from all other systems (including other OT network segments) not required during constrained operations such as during an incident.

#3 Visibility and Monitoring

One of the most common findings from engagements executed by the Dragos Professional Services team had been the inability of an organization to have visibility and monitoring capabilities within the ICS/OT environment. Visibility and monitoring technology are essential for detecting and responding to malicious activity and software in real-time. Under this security directive, owners and operators are required to implement continuous monitoring and detection to prevent, detect, and respond to cybersecurity threats and anomalies.

There are multiple technology solutions available, including the Dragos Platform, that automate ICS/OT network visibility and monitoring processes and can safely be integrated across all OT network segments. Given the effort required to manually maintain, review and update visibility and monitoring mechanisms, Dragos encourages owner/operator to consider such a solution to address this critical control. In general, the selected solution should accomplish the following at a minimum:

• Ability to visualize and analyze network traffic and systems communication of at least the identified crown jewels, but ideally all OT network segments.
• Ability to easily collect, store, and analyze logs from systems of value such as the HMIs and OT laptops.
• Centralized logging over manual collection and analysis.
• Asset identification, protocol dissection and deep packet inspection, especially of OT protocols used on the network.
• Threat detection through key threat behaviors and tactics, techniques, and procedures of adversaries.
• Monitoring for misconfigurations, rogue devices, and atrophy of other security controls.
  Additional capabilities to consider when implementing a solution is its ability to support an incident response investigation and validate the effectiveness of security controls within your defensible architecture.

#4 Secure Remote Access

The TSA recommends the use of multi-factor authentication mechanisms for all remote access connections to the OT network. To utilize multi-factor authentication (MFA) properly, an owner and/or operator must have previously incorporated several access control policies and procedures, including things such as credential management, least privileges, and individual accounts. The TSA understands that MFA is a difficult requirement to meet for many OT systems and expects compensating controls and/or alternate methods to meet the requirements around access controls. Where limitations exist, additional compensating controls that owner/operators may consider are as follows:

• Establish authentication mechanisms for the OT environment that are independent of existing IT-based authentication mechanisms (e.g., Dedicated Active Directory domain for OT with no domain trusts to external Active Directory Domains).
• Implement session terminations for remote sessions upon reaching pre-defined triggers such as:
  • Inactivity
  • Cryptographic key failures
  • Duplicate connections initiated from another gateway
• Enhanced logging and monitoring for all remote access sessions established to the OT network (e.g., Generation of an alert to OT operators when a remote access session is established).

#5 Risk-Based Vulnerability Management

An important aspect of vulnerability management for OT systems is patch management. It is vital for owners and operators to understand when new vulnerabilities are detected, identify older vulnerabilities that have not been mitigated, determine how the vendor has responded to the vulnerability by developing appropriate patches, and evaluate the potential consequences to either applying or not applying the patch. The owner and/or operator needs to make these risk-based decisions, understanding that TSA requires them to, at a minimum, acknowledge and document their approach to prioritizing different patches. The following guidance may be considered by owner/operators when developing processes for addressing risk-based vulnerability management:

• Establish a risk centric approach to identifying and managing vulnerabilities in the OT assets including -applications, security devices, databases, and vendor propriety products in use in the environment.
• Establish regular reviews of the asset inventory to identify outdated or end of life products/equipment.
• Prioritize vulnerability mitigations for systems that:
  • bridge IT/OT such as firewalls, historians, etc.
  • vulnerabilities that are network exploitable
  • vulnerabilities that have been actively exploited in the wild
  • vulnerabilities for which a public exploit is available online
• Subscribe to OT Security feeds for alerts, advisories, and threat intelligence reports from reputable sources such as Dragos, CISA ICS-CERT, InfraGard, and industry equipment vendors.
• Consider mitigations techniques other than applying patches, such as:
  • network segmentation (firewall rules, etc.)
  • focused network monitoring and alerts
  • physical switches preventing unplanned logic changes

Key Dates To Consider

Security Directive 1580/82-2022-01 had an effective date of October 24, 2022. There are several key dates that owner/operators must consider as part of this directive:

1. Exemption from the Security Directive – Friday, December 23, 2022: If an owner/operator determines that they have no critical cyber systems, they must notify TSA in writing within 60 days of the effective date.
2. Submission of Cybersecurity Implementation Plan – Tuesday, February 21, 2023: Owner/operators have a period of 120 days from the effective date to submit their Cybersecurity Implementation Plans for TSA approval.
3. Submission of Cybersecurity Assessment Program: Owner/operators have a period of 60 days after TSA approval of their Cybersecurity Implementation Plan to submit their Cybersecurity Assessment Program for TSA approval. Updates to the assessment program must be submitted annually following TSA approval.
4. Execution of Cybersecurity Architecture Design Review (CADR): Owner/operators must complete a CADR within 12 months of the approval of their Cybersecurity Implementation Plan and at least once every two years afterward

How Can Dragos Help

For further guidance or support in implementing an OT cybersecurity strategy based on Security Directive 1580/82-2022-01 and to learn how the Dragos Platform technology can help you effectively and efficiently reach compliance and security, connect with us at sales@dragos.com, reach out to your current account executive at Dragos, or use our contact us form.