Important Update: 2023 Revised TSA Security Directives Released 

Eitam Aharon
November 9, 2023

On October 23, 2023, the Transportation Security Administration (TSA) renewed and revised its cybersecurity requirements for passenger and freight railroad carriers. The revised TSA Security Directives (SD 1580-21-01B, SD 1582-21-01B, and SD 1580/82-2022-01A) include updates intended to strengthen the rail industry’s defenses against cyberattacks. The changes were made following discussions with industry stakeholders and federal agencies in an effort to better reflect the needs and challenges of the industry today. 

As stated in the note in SD 1580/82-2022-01A, “This Security Directive continues to require the same performance-based cybersecurity measures first issued by TSA in October 2022.” Cervello’s rail cybersecurity platform ensures full compliance with the Directives, which include:

  1. Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised; 
  2. Establish access control measures to secure and prevent unauthorized access to Critical Cyber Systems (meaning, any IT or OT system or data that, if compromised or exploited, could result in operational disruption);
  3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations; and,
  4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.

Additionally, the requirement to develop a Cybersecurity Assessment Plan changed slightly, adding the need to submit an “annual report that provides Cybersecurity Assessment Plan results from the previous year.” This is where Cervello is one step ahead, due to its compliance and reporting feature. This new requirement presents a major challenge to rail operators who have had no ability to access or create reports.

Other major changes include measures of transparency and reporting to the TSA such as:

  • “the TSA Administrator is authorized to ‘enforce security-related regulations and requirements'”; “inspect, maintain, and test security facilities, equipment, and systems”; and “oversee the implementation, and ensure the adequacy of security measures at … transportation facilities.” 
  • “Given this authority, TSA may require Owner/Operators to provide specific documentation and access to TSA as necessary to establish compliance”; or
  • “ensure an annual report of the results of assessments conducted in accordance with the Cybersecurity Assessment Plan is submitted to TSA…” including, “which assessment method(s) were used to determine whether the policies, procedures, and capabilities described by the Owner/Operator in its Cybersecurity Implementation Plan are effective; and results of the individual assessments conducted in the previous 12 months.”

How We Help You Comply with TSA Security Directive 2023 Revisions:

The recent changes and the renewal of the TSA Security Directives for another year prove that rail cybersecurity regulation and compliance are here to stay. Governments are becoming increasingly involved in ensuring that public transportation and critical infrastructure follow the highest standards of cyber safety and security. Read how the Cervello Platform is already allowing rail organizations to comply with these standards:

Cervello facilitates Network Segmentation, Sub-Segmentation, and Asset Mapping of OT/IT/IoT Critical Cyber Systems. Rail operators can then gain unparalleled visibility of their entire critical environment and a complete asset inventory, including all external connections and operational dependencies.

Cervello’s uniquely passive, non-intrusive Zero Trust approach ensures there is continuous authentication and validation of all movement, commands, and access to rail operational networks, eliminating implicit trust with the validation of every digital interaction. Security and access policies are easily customizable to allow railroad Owners/Operators to enforce their own rules for shared accounts and account management and prevent insider threats.

Cervello’s railway cybersecurity platform conducts continuous monitoring and threat detection of all network traffic based on the railroad’s set policies and behaviors with Zero Trust, AI-based behavioral analysis, vulnerability mapping, threshold analysis, and deep packet inspection (DPI) to identify, prioritize, and alert on vulnerabilities and cybersecurity threats. Cervello passively and continuously collects the data and uses AI and automated data analysis to learn, better detect, and contextualize any anomalous, misused, or unexpected network traffic for each network segment. The extent of data retention is customizable to make it possible to go back to any historical point and analyze the sequence of events.

Additionally, Cervello recently announced Cervello Compliance, the world’s first rail cybersecurity compliance dashboard. It examines your rail environment, policies, protocols, access control measures, and network configurations to ensure that your railway aligns with each TSA security directive for rail. Cervello Compliance enables security teams to generate audit-ready compliance reports in seconds, with a verification checklist, information on compliance gaps, and detailed next steps that include instructions on where and how to close the gaps.

Compliance with TSA security directives is not just a legal obligation for railway companies; it is a fundamental necessity to protect passengers, railway staff, and the general public. Embracing these directives not only protects lives and assets but also upholds the integrity of the rail industry.