TSA Cybersecurity Requirements for Railroads: Critical Actions Freight Railroads Need to Take

March 9, 2023 | Tara Swaminatha | Cybersecurity, Incident Response


Railroads have long been a critical part of the United States transportation infrastructure, and with advancing cyber threats, they are also a vital component of the nation's cybersecurity efforts. To help protect this critical sector, the Transportation Security Administration (TSA) has issued new rules for railroads regarding cybersecurity.

The new directive applies to all US freight and passenger rail carriers and replaces a previous security directive (1580 20-101). In response to the announcement of the new rules, Association of American Railroads (AAR) President and CEO, Ian Jefferies, issued a statement applauding the TSA for its efforts and emphasizing the importance of the safety and security of the national railroad network. We have it on good intel that they solicited input from some true experts in the industry, which hopefully contributed to the new rules being practical and on point.

Below, we expand on the scope and objectives of the directive and discuss four of the most critical actions railroads need to take to comply with TSA's new regulations.

Who Must Follow This Security Directive?

The new security directive applies to all freight railroad carriers (owners or operators) as defined in 49 CFR 1580.101, as well as other TSA-designated freight railroads. Railroads defined in 49 CFR 1580.101 include:

  • Class I railroads that meet the criteria described in § 1580.1(a)(1)
  • Railroads that meet § 1580.1(a)(1) criteria and transport Rail Security-Sensitive Materials (RSSM) in a High Threat Urban Area (HTUA)
  • Those that meet § 1580.1(a)(4) criteria and are a host railroad to one of the above-described freight railroads or a passenger railroad described in § 1582.101

What are the Goals of the TSA Railroad Cybersecurity Requirements?

The TSA cybersecurity requirements for the railroad industry are designed to protect passengers, workers, and critical infrastructure from the threat of cyberattacks. The TSA's regulations aim to ensure that railroads have adequate security measures in place to detect, prevent, and respond to cyber incidents, protect sensitive information from unauthorized access, and maintain the continuity of operations in the event of a cyberattack.

To meet these goals, the TSA requires railroads to develop and implement a comprehensive cybersecurity program that includes risk assessments, security controls, and incident response plans. The TSA also conducts periodic audits of railroads' cybersecurity programs to ensure they effectively protect against ever-evolving cyberattacks.

What are the 4 Critical Actions Freight Railroads Need to Take?

Key actions required of railroads are outlined in the directive. These include:

  1. Designating a cybersecurity coordinator
  2. Reporting cybersecurity incidents to CISA, which will share them with TSA
  3. Implementing an incident response (IR) plan
  4. Conducting a cybersecurity vulnerability assessment

These actions can be summarized as follows:

1. Designate a cybersecurity coordinator

There must be one primary and at least one alternate corporate-level cybersecurity coordinator. Details of these personnel, including name, title, phone number, and email address, must be provided to the TSA within a week of the security directive's effective date. Details must also be provided whenever there is a commencement of new operations or if any information changes.

We see organizations struggle to make significant advances in their overall cybersecurity programs because the role is virtually always spread (somewhat understandably) across multiple disciplines (e.g., Legal and Information Security or Compliance). We support the trend in much recent cybersecurity-related legislation of requiring entities to actually identify a coordinator or leader to run point on cybersecurity obligations and operations. (Not that anyone can relate to avoiding eye contact with the boss when the topic of actually doing the work to oversee or manage cybersecurity comes up in a meeting.)

[Cartoon]

Credit: Original by Lute (IG, Twitter). Original text revised for this blog post. Cartoon, artist and copyright enthusiasts, read on at the end of the post to learn the cartoon backstory.

Cybersecurity coordinators and alternates must meet several criteria and adhere to certain protocols. For example, they must be US citizens, eligible for security clearance, and accessible to the TSA and CISA 24/7. They must also coordinate all internal cybersecurity practices and procedures, serve as the primary contact with the TSA and CISA, and work with emergency response and law enforcement agencies as needed.

2. Report incidents to CISA (who will share with TSA)

Under the directive, owners and operators must report certain incidents to CISA. These include:

  • Unauthorized access;
  • Malicious software discovery;
  • Denial of service attacks; and
  • Other incidents that may impact operations or significantly impact passengers, critical infrastructure, core government functions, economic security, national security, or public health and safety.

Rail operators are certainly used to security-related reporting obligations. The directive outlines current reporting protocols, for example, how and when to report—railroads must report an incident by filling out a form or calling the specified number no more than 24 hours after its discovery. Reports must include certain details, such as information about the reporting individual and the affected railroad system and a thorough description of the threat or incident and its impact or potential impact.

3. Develop an IR plan and annually certify

Railroad owners and operators must have an up-to-date incident response plan for critical cyber systems. The plan should adhere to SD 1580/82-22-02, which includes measures to minimize operational disruption or other major issues in the event of a cybersecurity incident.

Key objectives of the technical components of a railroad IR plan include identification, isolation, and segregation of infected systems; data backup security and integrity; and establishing capability and governance for the isolation of systems.

Key components of a railroad incident response plan include who is responsible for its implementation and any resources required. IR plans should be completed within 180 days of the directive's effective date (that means June 29th, 2022), and the cybersecurity coordinator must certify to the TSA that all requirements are met. In addition, railroads must test the plan's effectiveness at least annually with a tabletop exercise or similar testing process.

4. Conduct a cybersecurity vulnerability assessment

Owners or operators should use a TSA-provided form to assess cybersecurity vulnerability. The form is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is designed to identify security gaps. Version 2.0 of the NIST CSF is in the works and it includes new control categories. Remediation measures must be identified and implemented to address any cybersecurity gaps and vulnerabilities.

How Can ZeroDay Law Help?

ZeroDay Law can assist railroads in developing and implementing an incident response plan that meets the TSA's requirements. We have vast experience in cybersecurity law and IR planning, including within the railroad industry. Our comprehensive IR planning template and guide can be customized to fit the specific needs of each railroad. We make sure our clients are prepared for more than the IT-related components of an incident by helping them develop the right strategic, legal, operational response for their organization.

With our help, railroads can ensure that they comply with the TSA's new requirements and that they are prepared to respond effectively to any cybersecurity incidents that may occur. Contact us today to find out more.

Cartoon Backstory: While trying to find the cartoon’s original artist, I found an interesting, albeit long, article chronicling the various incarnations of the cartoon’s speech bubbles and identifying the artist as “Lute”. I wanted to confirm Lute is the original artist and find Lute’s last name. Lute’s website isn’t reachable so I went down the rabbit hole on this one (I miss online investigations). Turns out Lute (last name Cartunista :)) works for a Brazilian newspaper, Hoje em Dia and has published cartoons daily since 1993! I’ve only seen data, privacy or cybersecurity-related versions of the cartoon’s text but I discovered that those topics are reeeeeally far from the original cartoon. In the original, the podium features the UN symbol. In the first panel the UN speaker asks, in Portuguese, “Who wants to live in a better world?” The audience members - surprisingly homogenous for UN members - universally raise their hands with conviction and smiles. In the second panel, as we all now know, not a hand was raised and not one person made eye contact with the speaker. In the original, the speaker asked: “Who is willing to abandon the model of unbridled consumerism to achieve this?” Puts discussions about data in perspective, to say the least. Happily, I found Lute Cartunista’s IG, Twitter and Hoje em Dia pages.