TSA Release New Cybersecurity Requirements For The Rail Sector
Hot off the press: the U.S. Transport Security Administration has issued an updated Security Directive to reduce the risk that cybersecurity threats pose to the Rail Sector.
On 24 October, the U.S. Transport Security Administration (TSA) released Security Directive 1580-82-2022-01 “Rail Cybersecurity Mitigation Actions and Testing” which sets performance-based cybersecurity standards to further uplift the maturity in the U.S. Rail Sector across both passenger and freight rail operations. As an extension to Directive 1580-21-01 “Enhancing Rail Cybersecurity” issued in 2021, the new requirements cover a range of detailed security program components in line with other verticals such as the U.S. Energy Sector.
With threats to the Transportation Sector, and to Rail in particular, showing no sign of abating, additional processes, controls, and strategies have been developed to protect these critical assets from severe impacts when they are targeted by cyber attacks.
As these supply chains remain critical for national security, the Directive requires owners and operators to have a TSA-approved Cybersecurity Implementation Plan. In summary, this must include:
- Align network segmentation with recognised standards, including the policies and controls in NIST 800-82 and IEC 62443, so that Operational Technology (in this case Signalling and Control Systems) can continue to operate if ICT (Business and Collaboration Systems) is compromised.
- Implement access control measures to secure Critical Cyber Systems (Mission Critical Systems) and prevent unauthorized access to them.
- Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations.
- Reduce the risk of exploitation of unpatched systems by applying security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner, using a risk-based methodology.
- Establish a Cybersecurity Assessment Program and submit an annual plan to TSA describing how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures, and identify and resolve device, network, and/or system vulnerabilities.
What is the relevance for the Australian Rail Industry?
What we see with the TSA’s release is the reinforcement of existing advice around operational technologies and control systems. Adherence to standards, in particular the focus on segmentation and demarcation between systems with distinct functions, is highlighted as a key design control of any modern operational technology system.
Based on our industry's recognised sources of authority, such as CLC 50701:2021 and IEC 62443, safety-focused risk assessments and suitable design strategies are the foundation of defence-in-depth, and they rest on the understanding that the network is the conduit for lateral movement within system boundaries.
It is important to note the role that the TSA is playing in this space, alongside Australia's Security of Critical Infrastructure legislation (SOCI, SLACIP, TSACI) and the sector-specific regimes that exist in certain sectors (Energy, for example). Both the generic Critical Infrastructure advice delivered via SOCI and sector-specific maturity frameworks such as the Australian Energy Sector Cyber Security Framework (AESCSF) are driving maturity uplift.
I have previously spoken about the Rail Industry Safety and Standards Board (RISSB) AS7770 Rail Cyber Security standard, and although RISSB may not have a regulatory role comparable to the one the TSA plays in the United States, the Australian Rail Sector can certainly take guidance from these international developments.
Time to refresh our local standards?
As an industry, we can soon expect an excellent opportunity to update AS7770 (released July 2018) to leverage the work done in Europe with CLC 50701, the pending updates to IEC 62443, and also now with TSA releasing SD-1580-82-2022-01. This will refresh our local standards to ensure that the focus is on our critical rail systems and supply chains.
In my opinion, even with the SOCI legislation now released, what we need to avoid is a race to the bottom towards generic compliance goals; instead we should take a leaf out of the international community's book and adopt a prescriptive approach. This will be critical to ensuring that our rail systems remain secure by design, deliver against documented security requirements, and treat cyber security planning as seriously as operations planning.
Would you like to know more?
This article has provided only a brief overview of the TSA's SD-1580-82-2022-01. The full version, available for download here, is well worth a read to see why and how other regulators are putting cyber security at the forefront of railway operations.
Please do not hesitate to contact us to discuss how Anchoram can help keep you on the right track when it comes to your railway-specific cybersecurity requirements.