TSA Standards for Rail Transportation Cybersecurity

At present, the rail industry is undergoing an exhilarating transformation. Following a substantial endeavor to fulfill the 2008 Congressional mandate for Positive Train Control (PTC), which was successfully accomplished by the end of 2020, the industry is now anticipating its next significant advancement. Revolutionary prototypes like modular trains, enabling passengers to disembark seamlessly without halting, and virtual coupling, which allows trains on the same track to run closer together, hold immense promise for efficiency gains never before thought possible. These innovations will make lives more convenient, but they will also increase the potential impact of cyber threats on the system.

The interconnectivity of systems has revealed a range of cybersecurity concerns, prompting the TSA to introduce a series of security directives (SDs) aimed at setting minimum standards. This blog examines the cybersecurity obstacles confronting the rail transportation industry and explores the role of TSA regulations in addressing them.

What Cybersecurity Challenges Does Rail Transportation Face? 

Rail systems play a critical role in the global economy and to national security as they are often responsible for transporting military equipment, supplies, and personnel. And, at times, can even be used for emergency response and disaster relief efforts. As rail systems are increasingly converging with IT systems and other critical infrastructure, such as energy grids and communications networks, they have become progressively vulnerable to cyber attacks. Due to this level of connectivity and the following challenges, rail systems have found it increasingly difficult to protect their critical infrastructure from attacks as cyber criminals work to exploit these new attack vectors:   

1. Legacy Systems: Rail transportation systems depend on several outdated legacy systems developed before the emergence of modern cybersecurity protocols. These systems may lack the latest security features or have weak encryption and authentication, making them vulnerable to cyber-attacks. The most crucial systems are train control, dispatch, rail management, and maintenance systems. 

2. Supply Chain Vulnerabilities: The rail transportation industry's supply chain is complex, with several vendors delivering critical services. Due to these critical operations, it only takes one vulnerability in the supply chain to have a downstream impact, causing implications beyond downtime

3. Third-party Risks: The industry depends on third-party vendors and contractors for critical services and support, including  signaling and communication systems, infrastructure maintenance, and more. These external entities, however, may have their own vulnerabilities, and any security breaches to these third-party systems can have severe impacts on rail transportation.

4. Human Error: Cybersecurity is not just a technological issue but also a human issue. Rail employees may inadvertently compromise security by clicking on phishing links, sharing passwords, or falling prey to social engineering attacks. 

How has the TSA Begun to Address These Challenges?

In 2022 TSA released the Security Directive 1580, building on earlier directives and recommendations from TSA’s Mass Transit and Passenger Rail Security (MTPR) initiatives.  This latest directive requires two things, which can be reviewed in further detail through the SD linked above: 

1. Establish and implement a TSA-approved Cybersecurity Implementation Plan by:

   1. Developing network segmentation policies and controls

   2. Creating access control measures

   3. Building continuous monitoring and detection policies and procedures 

   4. Applying security patches in a timely manner 

2. Establish a Cybersecurity Assessment Program and submit an annual plan to TSA.
   

Although this Security Directive has provided baseline standards for the rail transportation sector, it has not fully addressed all challenges faced by the industry. We will outline which challenges the TSA Security Directive has impacted and which challenges still require further cybersecurity measures to fully mitigate risk. 

👍 Legacy System: When it comes to the vulnerability of legacy systems, the directive offers various mitigating controls such as segmentation, active zone control, access control, and encryption requirements. Therefore, we can give a thumbs up for this aspect.

🫴 Supply Chain Vulnerabilities: The TSA regulations for supply chain vulnerabilities only apply to the owner and operators, which means there is still work to be done in terms of regulating any connected system. So, we have given this challenge a hand in the middle as it needs improvement.

👎 Third-party Risks: Although third-party vendors and contractors are a huge challenge for rail transportation the TSA directive only applies to owners and operators, meaning that there is still a risk here. Hence, why we gave this challenge a thumbs down.

👍 Human Error: With the implementation of two-factor authentication, limited shared accounts, and zone control, the directive takes a big step forward in mitigating human error. Therefore, we have given this aspect a thumbs up as a significant step in the right direction.

Sustaining Cybersecurity Compliance

As the rail transportation industry continues to integrate advanced technologies and digital systems, it must also strengthen its cybersecurity measures. The TSA regulations have taken a big step forward, and once complete, the required annual assessments will continue to focus efforts towards the most vulnerable points. As always, collaboration among stakeholders is essential to improving cybersecurity and ensuring rail transportation systems' continued safe and efficient operation. Additionally, working with a cybersecurity vendor, whose solutions were purpose-built to meet all rail transportation use cases, can help systems achieve cyber and operational resilience — and, can help meet the three key principles for securing rail environments: 

1. Gain visibility into all cyber-physical systems (CPS) in your environment: Asset visibility is foundational to industrial cybersecurity, which is why rail systems must attain a complete, real-time inventory of all assets across the XIoT. 

2. Integrate your existing IT tools and workflows with OT: Because most CPS in rain systems use proprietary protocols and legacy systems, they are simply incompatible with traditional IT solutions. But, that does not mean these solutions don’t have a place in OT. With a CPS security provider, like Claroty, rail transportation systems can extend their existing tools and workflow from IT to OT.  

3. Extend your IT security controls and governance to OT: Unlike their IT counterparts, most OT environments lack essential cybersecurity controls and consistent governance. Claroty eliminates this gap by extending existing IT controls to OT — unifying your security governance and driving all use cases on your journey to cyber and operational resilience.

As the XIoT becomes increasingly interconnected and cyber criminals become more sophisticated in their attacks, it is essential that critical infrastructure is protected. By teaming up with Claroty, rail systems can achieve compliance with the TSA cybersecurity directive, and protect the systems that underpin their most critical operations and infrastructure. By gaining complete visibility into assets and understanding the complexity of their environments, rail systems can ensure cyber and operational resilience.