New cybersecurity requirements from the Transportation Security Administration (TSA) give freight railroads, passenger rail and rail transit operators a 24-hour deadline for reporting security incidents.
Starting on Dec. 31, “high-risk” operators and owners across the rail sector must take a number of steps to bolster the cybersecurity of their systems. They must designate a cybersecurity coordinator, implement security incident response plans with the intent of reducing the risk of operational disruption, complete a vulnerability assessment to identify potential security holes in their systems and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
The incidents that must be reported include unauthorized access of IT or operational technology systems, discovery of malicious software or denial-of-service attacks on these systems, and “any other cybersecurity incident that results in operational disruption.”
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro Mayorkas in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”
In addition, the TSA has released voluntary guidance recommending that smaller and “lower-risk” rail operators implement the same measures. Airline and airport operators will also be required to appoint a cybersecurity coordinator and report breaches within 24 hours.
Cyberattacks in the Transportation Sector
The upcoming mandates, first detailed in October, are part of a series of sprints that were announced by Mayorkas earlier this year. These sprints, which came on the heels of the Colonial Pipeline cyberattack and the ensuing executive order for securing critical infrastructure from the Biden administration, include initiatives from the DHS around ransomware, industrial control systems and more. Mayorkas in March said that the “Cybersecurity and Transportation” sprint would focus on increasing the security of transportation systems, including aviation, rail, pipelines, and the marine transport system.
The sprint also comes on the heels of a slew of cyberattacks targeting various transportation agencies over the years, including the New York Metropolitan Transportation Authority, the Santa Clara Valley Transportation Authority, the Ann Arbor Area Transportation Authority and the Toronto Transit Commission. An IBM X-Force industry profile found that the transportation industry was the ninth most attacked sector in 2020, experiencing 5.1 percent of all attacks in the top ten industries, and that the industry was also ranked the tenth most costly sector for experiencing a data breach.
The attackers behind these incidents, who have included sophisticated actors such as the Chinese nation-state group APT10 and the Iran-linked ITG07, seek to steal data that can be monetized or to launch ransomware attacks. Researchers also point to recent claims on underground forums by attackers that they have access to the networks of companies operating air, ground and maritime cargo transport.
Cyberattacks on the transportation sector have had varying impacts. The cyberattack on the Ann Arbor Area Transportation Authority, for instance, caused temporary disruptions to real-time bus information and other information systems, but bus service continued to operate. A ransomware attack on the Santa Clara Valley Transportation Authority, meanwhile, reportedly resulted in a days-long shutdown of many computer systems across the agency, and, while light rails remained operational, certain functions like real-time arrival data went down.
New Rail Mandates
During a Thursday House Committee hearing, government representatives stressed that transportation organizations continue to struggle with highly complex, and in some cases archaic, systems across traffic management, control and signaling, station operation and more. At the same time, these organizations must juggle securing operating systems, applications and mobile devices on various networks, as well as a range of supply-chain issues.
“I think the bottom line is we’re constantly operating behind the eight-ball,” said Nick Marinos, director of the U.S. Government Accountability Office’s (GAO) Information Technology and Cybersecurity team, during the hearing.
An October audit found that the Department of Transportation (DOT) has “yet to address longstanding cybersecurity deficiencies related to its practices for protecting its mission-critical systems from unauthorized access, alteration, or destruction.”
The audit found that the DOT did not maintain complete inventories of all its systems, a practice essential to risk management; it also did not test the security controls for systems and did not consistently remediate flaws.
“The reality is that it just takes one successful cyberattack to take down an organization and each federal agency, as well as owners and operators of critical infrastructure have to protect themselves against countless numbers of attacks,” said Marinos. “And so in order to do that, we need our federal government to be operating in the most strategic way possible.”
Rail Industry Response
Since announcing the directives in October, the TSA (which is part of the DHS) has sought input from industry stakeholders and federal partners, including CISA. The directives were initially met with pushback from a group of Republican senators, as well as those within the rail industry, such as Thomas Farmer, assistant vice president of security with the Association of American Railroads (AAR).
In a November Committee of Transportation and Infrastructure hearing, Farmer argued that the directives would lead to “erroneous perceptions” that the rail sector did not have effective security measures and that the directives posed several implementation challenges. The AAR also said that security assessments have been conducted on a recurring basis, and that railroads have already been reporting “significant cyber threats, incidents and security concerns” to the DOT since 2014.
“Railroads and rail industry organizations have not been advised by federal officials of any prevailing emergency conditions that justify use of this authority, despite the many opportunities available,” said Farmer during the hearing.
In a Thursday statement, the AAR said the rail industry has had “productive consultations” with agency officials and that a “number of the industry’s most significant concerns have been addressed.”
“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies in the statement.