The Department of Homeland Security’s Transportation Security Administration (TSA) has announced a new directive to improve cybersecurity posture and readiness at designated passenger and freight railroad carriers. The new directive, announced in October 2022, builds upon the TSA’s previous work to secure other transportation industries and other critical infrastructure industries such as oil and gas.
Railroad operators, and the transportation industry as a whole, are rapidly adopting new connected operational technologies that enable enormously beneficial innovation but also introduce new levels of cyber risk. Railroads use smart IIoT and OT to:
- automate safety inspections of rails and train-cars
- optimize routes and reduce carbon emissions
- avoid supply chain disruptions due to unforeseen train stoppage.
The new TSA directive requires railroad operators to take increased security measures to protect their increasingly network-connected operational technology (OT) from cyberattacks.
The TSA’s renewed focus on railroads is not arbitrary. Railroads are an appealing target to cyberattackers. Trains move hundreds of billions of dollars worth of freight per year, including everything from fuel to consumer goods to cars to hazardous waste, not to mention the trains that carry human passengers. The economic damage and potential loss of life from a successful railroad cyberattack are enormous. To continue taking advantage of technological innovation, railroad carriers will need to adopt new industrial cybersecurity measures and technologies to secure access to their increasingly convergent IT and OT systems.
What Does The TSA Directive for Railroads Actually Say?
The following excerpt from the TSA directive summarizes the high-level requirements laid out by the TSA.
The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:
- Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
This security directive emphasizes the need to invest in industrial cybersecurity solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response. It was developed by TSA in coordination with CISA and incorporates mitigation strategies based on lessons learned from recent attacks.
Top 10 Checklist for Railroad Operators to Comply with TSA Directives
Here is a top-10 checklist that designated passenger and freight railroad carriers can use to confirm they have met the mitigation measures specified in the TSA Security Directive for their OT and IT environments:
Step 1: Identify the Critical Cyber Systems
TSA states that “Critical Cyber System means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.”
Step 2: Implement Access Control Measures
Implement access control measures, including for local and remote access, to secure and prevent unauthorized access to critical cyber systems:
- Policies and procedures to manage access rights based on the principles of least privilege and separation of duties.
- A schedule for required static password resets, or mitigation measures for critical cyber systems whose passwords will not be reset periodically.
- Limits on access to shared accounts, ensuring that individuals who no longer need access do not know the password required to use the shared account.
Step 3: Implement Multi-factor authentication
Implement multi-factor authentication, or compensating controls that supplement password authentication, to mitigate risk and protect critical cyber systems.
Step 4: Implement Network Segmentation Policies and Controls
Implement network segmentation policies and controls designed to prevent operational disruption to the OT system if the IT system is compromised, or vice versa.
Step 5: Secure and Defend Zone Boundaries
Secure and defend zone boundaries, use secure conduits between zones, prevent unauthorized communications between zones, and prohibit OT system services from traversing the IT system, unless the content from the OT system is encrypted while in transit.
Step 6: Review existing Domain Trust Relationships
Establish a schedule for reviewing existing domain trust relationships to confirm they are still necessary, along with policies to manage domain trusts.
Step 7: Implement Threat Monitoring Capabilities
- Prevent malicious email, known or suspected malicious web domains and web applications, unauthorized code, and connections from known or suspected malicious command and control servers.
- Prohibit ingress and egress communications with known or suspected malicious Internet Protocol addresses.
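Steps 4, 5 and 7 together describe a flow policy: traffic stays within its zone or crosses only through an approved conduit, OT content may traverse the IT network only when encrypted in transit, and anything touching a known or suspected malicious IP is dropped. The following audit script is an added example (not Xage code and not part of the directive) that encodes those rules and evaluates constructed flow records against them; the zone addressing, conduit list, port numbers and blocklist entry are all hypothetical.

```python
import ipaddress

# Constructed zone layout (hypothetical addressing, not from any carrier's network).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Approved conduits as (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is an unauthorized communication (Step 5).
CONDUITS = {("IT", "DMZ", 443), ("DMZ", "OT", 502), ("OT", "DMZ", 8883), ("OT", "IT", 443)}
# Ports on which OT content is carried encrypted (TLS, MQTT over TLS); OT services
# may traverse the IT network only on these (Step 5).
ENCRYPTED_PORTS = {443, 8883}
# Constructed stand-in for a threat feed of known/suspected malicious IPs (Step 7).
MALICIOUS_IPS = {ipaddress.ip_address("203.0.113.7")}


def zone_of(addr):
    """Map an address object to its zone name; anything outside the map is EXTERNAL."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate(flow):
    """Return (verdict, reason) for one flow dict with keys src, dst, dport."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src in MALICIOUS_IPS or dst in MALICIOUS_IPS:
        return "deny", "known or suspected malicious IP (Step 7)"
    sz, dz, port = zone_of(src), zone_of(dst), flow["dport"]
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    if sz == "OT" and dz == "IT" and port not in ENCRYPTED_PORTS:
        return "deny", "OT service traversing IT in cleartext (Step 5)"
    if (sz, dz, port) in CONDUITS:
        return "allow", f"approved conduit {sz}->{dz}:{port}"
    return "deny", f"no approved conduit {sz}->{dz}:{port} (Step 5)"


def audit(flows):
    """Evaluate a batch of flows and return only the violations for follow-up."""
    return [(f, *evaluate(f)) for f in flows if evaluate(f)[0] == "deny"]
```

Feeding exported firewall or NetFlow records through audit() gives a list of segmentation and blocklist violations to investigate; in production the blocklist and conduit table would be loaded from the carrier's threat feed and zone design rather than hard-coded.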
Step 8: Develop a Patch Management Strategy including Mitigation Controls for Unpatched Systems
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates on critical cyber systems consistent with the owner/operator’s risk-based methodology.
- If the operator cannot apply patches or updates to specific OT systems (e.g., legacy OT systems), it must disclose the plan and timeline to implement additional mitigations that address the risk due to unpatched systems.
Step 9: Develop and maintain a Cybersecurity Incident Response Plan
Owner/Operator must have an up-to-date cybersecurity incident response plan for critical cyber systems that includes measures to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, should their pipeline or facility experience a cybersecurity incident.
Step 10: Develop a Cybersecurity Assessment Program
Develop a Cybersecurity Assessment Program for proactively assessing and auditing cybersecurity measures. This includes an architectural design review once every two years, as well as incorporating other assessment capabilities (e.g., penetration testing).
How Can Xage Help You Comply With TSA Security Directives for Railroads?
Xage’s solution provides identity and access management for local and remote access policy enforcement, multi-factor authentication (MFA) for OT assets, network segmentation controls, secure tamperproof and encrypted conduits between zones, and OT asset discovery and visibility, among other key capabilities that can be leveraged to comply with TSA’s cybersecurity requirements. Xage is available now to enable passenger and freight rail carriers to comply with TSA requirements, improve security posture, and defend against escalating cyber attacks.
Xage Fabric is implemented via a cybersecurity mesh approach to provide high availability for operations and it doesn’t require any “ripping and replacing” of existing operational technology to comply with the TSA directives. For example, Xage provides compensating controls to comply with TSA’s access control measures when OT assets do not have native capabilities to implement MFA, password resets, and enforcement of access rights based on the principles of least privilege.
Xage Fabric seamlessly overlays every element of an operation to impose granular control over all digital interactions. The Fabric enables an airtight, identity-based model for protecting every single asset and application in an operation, ensuring that each element (even those with no built-in identity of their own) is assigned an identity that determines who and what may access it, and when, where, and how, as well as what the element itself may access. Xage enforces Zero Trust Access (ZTA) to secure operations and data from edge to core to cloud, overlaying and hardening existing Purdue-model-based security architectures.
Read our whitepaper to find out more details on how we can help passenger and freight rail carriers meet the TSA security directives.