On October 24, 2022, the updated TSA (Transportation Security Administration) Rail Security Directive 1580/82-2022-01 for passenger and freight railroad carriers came into effect. Due to a surge of cyber threats against critical infrastructures over the past couple of years, the US has become more involved in protecting its railroads from an attack.
“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA Administrator David Pekoske.
The latest update is indicative of the effort to establish a preventative, resilience-based approach that enhances the cybersecurity preparedness of the nation’s railroads. Owner/Operators have 120 days from the effective date to submit a Cybersecurity Implementation Plan to the TSA for approval. In this guide, we will explain how Cervello ensures passenger and freight railroad carriers comply with TSA Rail Security Directive 1580/82-2022-01.
Cervello’s comprehensive and holistic rail cybersecurity solution, Cervello Platform, is uniquely designed to safeguard railroads’ critical systems against cyber threats. Cervello provides defense in depth with layered cybersecurity measures that significantly reduce the risk of destruction, disruption, or malfunctioning of rail infrastructure control systems due to a cybersecurity incident.
Implementing a Security Plan for TSA Rail Security Directive Compliance
As part of the Cybersecurity Implementation Plan, Owners/Operators must implement the following cybersecurity measures:
1. Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised;
2. Establish access control measures to secure and prevent unauthorized access to Critical Cyber Systems (meaning, any IT or OT system or data that, if compromised or exploited, could result in operational disruption);
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations; and
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.
Rail Network Segmentation Policies and Controls
The TSA Rail Security Directive requires that all relevant parties submit a list and description of the Information Technology (IT) and Operational Technology (OT) system interdependencies and all external connections to these systems, zone boundaries, and a breakdown of how these systems are defined and organized into zones based on criticality, consequence, and operational necessity. As for policies, they must ensure that IT and OT system services transit each other only when necessary for business and operational reasons.
Railroad carriers must provide identification and description of measures for securing and defending zone boundaries. This includes security controls that prevent unauthorized communication between zones and that prohibit OT system services from crossing into the IT systems, and vice-versa, with the exception of encrypted content. If this is not possible, the content must be secured and protected to ensure integrity and prevent corruption or compromise while in transit.
Cervello facilitates network segmentation, sub-segmentation, and asset mapping of OT/IT/IoT critical systems, including signaling and rolling stock, based on the individual needs and preferences of the Owners/Operators. Rail operators can then gain unparalleled visibility of their entire critical environment, including a complete asset inventory, list of all external connectivities, and operational interdependencies.
Establishing policies and security zones is critical for identifying and alerting of unauthorized lateral movement and communication between IT and OT zones. Cervello’s in-depth visibility provides the essential context railroad owners need to eliminate blind spots and possible security gaps and prevent unauthorized communication between zones.
Prevent Insider Threats with Access Control Measures
More than half of cybersecurity incidents result from insider threats. The TSA is now requiring that railroad carriers implement access control measures, including those for local and remote access, to secure and prevent unauthorized access to Critical Cyber Systems. The measures must include identification and authentication policies and procedures that prevent unauthorized access to Critical Cyber Systems.
Cervello’s uniquely passive, non-intrusive Zero Trust approach ensures there is continuous authentication and validation of all movement, commands, and access to rail operational networks. The Cervello platform eliminates implicit trust through the validation of every digital interaction, ensuring each connected asset is safe, secure, and complies with its function and expectations, without compromising safety or usability.
Security and access policies are easily customizable to allow railroad Owners/Operators to enforce their own rules for shared accounts and account management, including separation of duties and principles of least privilege. Powered by patented technologies, Cervello Platform detects anomalies more efficiently and suggests updates to access control management policies and procedures.
Threat Monitoring, Detection Policies, and Procedures for Railroad Carriers
As part of the Cybersecurity Implementation Plan, railroad carriers must implement continuous monitoring and detection policies and procedures designed to prevent, detect, and respond to cybersecurity threats. These measures must be able to identify the execution of unauthorized code and implement capabilities to define, prioritize, and trigger incident response activities. The security directive also states that there must be continuous collection and data analysis to detect potential intrusions or anomalous behavior on Critical Cyber Systems and the other OT/IT systems that connect with Critical Cyber Systems.
Mitigation measures must include the ability to isolate industrial control systems in the event that a cybersecurity incident in the IT system puts at risk the safety and reliability of the OT system.
Cervello’s railway cybersecurity platform conducts continuous monitoring and threat detection of all network traffic based on the railroad’s set policies and behaviors. The solution uses novel components and state-of-the-art security mechanisms such as Zero Trust, AI-based behavioral analysis, vulnerability mapping, threshold analysis, and deep packet inspection (DPI) to identify unauthorized code as well as to define, prioritize, and alert on vulnerabilities and cybersecurity threats.
Cervello passively and continuously collects data from the railroad’s OT/IoT/IT and physical systems and uses AI and automated data analysis to learn, better detect, and contextualize any anomalous, misused, or unexpected network traffic for each network segment. The extent of data retention is customizable to make it possible to go back to any historical point and analyze the sequence of events.
Reduce the Risk of Unpatched Systems with Automated Vulnerability Management
To reduce the risk of exploitation of unpatched systems, the TSA requires that railroad Owners/Operators implement a patch management strategy that includes a risk-based methodology for categorizing and determining criticality of patches and updates followed by an implementation timeline based on categorization, criticality, and prioritization. In case the Owner/Operator cannot apply patches and updates, the strategy must include a description and timeline of additional mitigations that address the risk of not installing the patch or update.
How Cervello Enables TSA Rail Security Directive Compliance
Cervello automates all monitoring and threat detection processes, including vulnerability detection and prioritization. The solution prevents the exploitation of unpatched systems with vulnerability mapping and a management dashboard that continuously detects, categorizes, determines, and alerts on the criticality of patches and updates using a risk-based methodology. The system then automatically prioritizes and presents implementation guidance to Owners/Operators. For each public vulnerability it discovers and maps, Cervello Platform assigns a respective common vulnerability exposure (CVE) score and builds a complete threat profile with an in-depth description and the potential consequences of an attack, as well as a unique understanding of its context.