Complying with the TSA Rail Security Directive


The Department of Homeland Security’s Transportation Security Administration (TSA) has announced a new cybersecurity directive to improve cybersecurity at designated passenger and freight railroad carriers. The new directive, announced in October 2022, builds upon the TSA’s previous work to secure railroads, other transportation industries, and critical infrastructure industries such as oil and gas.

The TSA’s renewed focus on railroads is driven by increased concern that railroads represent an appealing target for cyberattackers. While the TSA directives only apply to U.S.-based carriers, the risk of cyberattack against railroads is a growing global concern. In 2022 alone, cyberattacks have caused operational disruption for railways in Italy, Belarus, Denmark, Israel, and other countries. The rapid adoption of Industrial IoT and network-connected industrial control systems and operational technology (OT) in railroads is introducing increased levels of risk to these critical organizations.

The Latest Developments: What You Should Know

The security directive requires that TSA-specified passenger and freight railroad carriers in the U.S. take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

  • Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised, and vice versa;
  • Create access control measures to secure and prevent unauthorized access to critical cyber systems;
  • Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
  • Reduce the risk of exploitation of unpatched systems through the timely application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems, using a risk-based methodology.

This security directive continues to emphasize the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response. TSA guidelines include requirements for access control, credential management, least privilege management, role-based access, multi-factor authentication (MFA), and the use of “compensating controls” to allow railroad operators to embrace the latest innovations.

The Path Forward

Xage offers freight and passenger railroad carriers a holistic approach to meet TSA requirements without having to rely on multiple point solutions. The Xage Fabric cybersecurity mesh approach eliminates the need to “rip and replace” any existing Operational Technology (OT) to rapidly comply with TSA directives. Xage can be deployed now by freight and passenger railroad carriers to comply with TSA requirements, improve security posture, and defend against escalating cyberattacks targeting critical infrastructure.

Xage Fabric provides Zero Trust Access (ZTA) capabilities to secure all the interactions in, out, and across operational, enterprise, and cloud environments. The Xage Fabric creates policies that set an identity-based perimeter around each user, app, device, machine, and data stream. That policy is then enforced anywhere without having to change existing assets or networks.

Xage Fabric provides the required technical controls for protection, monitoring, and response across the entire operation to comply with the TSA security directives. Specifically, Xage provides the following capabilities to meet the key requirements specified in the TSA security directives:

  • Access and Credential Management: TSA continues to stress the criticality of access control and credential management. Xage enables granular identity-based access and credential management for all assets, including legacy assets, powered by its patented Xage Fabric. The Xage Fabric seamlessly overlays an operation to impose granular control over all interactions, without any disruptive changes to your assets or operational network.
  • Compensating Controls and Multi-layer MFA: For the many critical systems that lack their own strong security controls and/or security integrations, the Xage Fabric provides zero trust-based access control with support for multi-layer MFA to deliver the “compensating controls” required in the newest TSA directive. Xage’s multi-layer MFA capability combines zero trust with a defense-in-depth authentication strategy.
  • Secure Zones, Multi-hop Conduits and Asset-centric Segmentation: TSA requires operational environments to be segmented into zones, interconnected with secure, controlled conduits, to prevent contagion from zone to zone in the event of a breach. The Xage Fabric acts as a mesh, enabling session and protocol termination at each Xage node. The mesh approach guarantees the security of cross-zone conduits between the nodes and ensures that there is no unauthorized access to assets from outside or within each zone.