On October 18, 2022, the Transportation Security Administration (TSA) announced new cybersecurity requirements for passenger railroads and for freight railroad carriers that carry security-sensitive materials. The Security Directives were issued with the goal of enhancing cybersecurity resilience across the railroad industry.
Which rail companies are impacted?
The Security Directives apply to all United States freight railroad carriers (owner/operators) described in 49 CFR 1580.101. That section covers owner/operators that are a Class I freight railroad, that transport one or more of the categories and quantities of rail security-sensitive materials (RSSM) in high-threat urban areas (HTUA), and/or that serve as a host railroad to a freight railroad described in paragraph (a) or (b) of that section or to a passenger operation described in 49 CFR 1582.101.
Why is this necessary?
Colonial Pipeline, the largest pipeline system for refined petroleum products in the U.S., suffered a ransomware attack in May 2021. Colonial halted pipeline operations in response, slowing delivery of fuel to consumers, and the attack is widely regarded as having had the largest impact on consumers of any cyberattack in U.S. history.
Following the Colonial Pipeline attack, the Biden administration issued an Executive Order on improving the nation's cybersecurity, followed by a National Security Memorandum on improving cybersecurity for critical infrastructure control systems. TSA then released Security Directives in May and July 2021 that applied to a risk-informed set of companies that own natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, or liquefied natural gas facilities, and/or transport toxic inhalation hazards (TIH), to protect the cybersecurity of oil and natural gas pipeline operations.
Now, TSA has extended the same structure of requirements to the passenger and freight rail industry. More details can be found at sd-1580-82-2022-01.pdf (tsa.gov).
What is included in the Security Directives?
The main requirements for passenger and freight railroad carriers are to create a cybersecurity implementation plan and to establish a cybersecurity assessment program.
Cybersecurity Implementation Plan
A cybersecurity implementation plan (CIP) describes the security measures an owner/operator is using, or will put in place, to meet the requirements outlined in the TSA Security Directive. When creating the organization's CIP, work closely with operational technology (OT) teams to understand their processes, risk tolerance, upcoming security projects, ability to maintain compliance and the cybersecurity controls already in place. Also communicate clearly what can be implemented without causing business interruptions. Because the CIP is specific to each carrier, implementation timelines should be achievable and provide sufficient runway to assemble the necessary people, processes and technologies.
Cybersecurity Assessment Program
A cybersecurity assessment program (CAP) is an audit-based program the owner/operator submits to TSA. It sets out how the carrier will test, on an annual cycle, the effectiveness of its existing cybersecurity controls and the implementation of new ones, so the carrier can demonstrate that the Security Directives are being met.
When creating the CAP, align its assessment steps with the CIP submitted to TSA. The CAP should reference existing organizational policies, procedures and artifacts tied to the security controls currently in place. It should also validate the compensating and mitigating controls that cover security controls that have not yet been fully implemented.
What are the next steps?
Through Protiviti's work helping pipeline companies develop cybersecurity implementation plans, we have learned that the following steps are important:
- Identify if the organization is in-scope
- Using the newly released Security Directive (SD), determine whether it applies to your organization based on the qualifying categories in 49 CFR 1580.101. Note that even if the organization is not subject to the directives now, the scope of TSA's regulations could expand in the future, as referenced in an Information Circular sent to pipeline companies that are not currently required to comply with the Security Directives. Owner/operators would benefit from considering the cybersecurity measures the directives include now and creating a roadmap to implement them, to increase the resilience, safety and security of critical operations.
- Become familiar with Security Directives
- Once the directives are determined to apply, become familiar with the requirements they outline. Understand which areas are in scope and how they apply to the organization, and review the FAQs TSA provides to owner/operators subject to Security Directives. Consistent communication with regulators and regular attendance at TSA webinars are necessary to fully understand the requirements and how TSA will interpret responses.
- Form a task force and perform a self-assessment
- Form a task force of individuals from across the organization dedicated to meeting the TSA regulations and aligning resources and funding. One requirement of the Security Directives is to designate a cybersecurity coordinator and an alternate, who must be available to TSA and to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and serve as the primary point of contact. The cybersecurity coordinator should understand what to submit to TSA, how to submit it, and the requirements for notifying CISA of cybersecurity incidents.
- Once a dedicated team is formed and familiar with the Security Directives, perform a self-assessment, or commission an external assessment, of where the organization stands against the directives. Take a risk-based approach so that gaps in the cybersecurity posture do not go unnoticed.
- Draft a Cybersecurity Implementation Plan (CIP) and Cybersecurity Assessment Program (CAP)
- When drafting the CIP and CAP, keep an open channel of communication with the OT team and the task force so that the remediations and roadmaps are realistic and will not interfere with operations. It is also beneficial to obtain a legal or third-party review of the deliverables before submitting them to TSA, to confirm that everything the directives require is captured. In the CIP, provide enough detail to describe existing controls and where supporting artifacts can be found, but avoid including sensitive details in the written submission where the underlying materials can instead be reviewed in person.
While new regulations are often intimidating, the purpose of the TSA Security Directives is to reduce the risk that cyberattacks cause harm to the critical infrastructure of the United States. TSA has been very open to working with industry to revise previous Security Directives and has settled on a process it is comfortable repeating as it brings more industries under its regulatory review. TSA's Security Operations organizational description states: “Security Operations is also responsible for TSA’s global compliance mission, with key officials and Inspectors in offices around the world ensuring all modes of transportation, including aviation, mass transit, passenger and freight rail, highway and motor carrier, maritime, pipeline, and air cargo, are in compliance with domestic and international regulatory requirements.” Industries that transport sensitive materials should take note of the lessons learned from the pipeline and rail industries, as they may be next.