TSA Security Directive 1580/82-2022-01

How railways can comply with the technical requirements of TSA Security Directive 1580/82-2022-01

Compliance with safety and cybersecurity regulations in the rail industry is becoming increasingly complex. The recent updates to the Transportation Security Administration (TSA) Security Directive 1580/82-2022-01 present fresh challenges that demand immediate attention and action. 

In this guide, we’ll walk you through sections of the TSA Rail Security Directive, outlining the key components of the Cybersecurity Implementation Plan. We will also explain how Cervello, through its unique and holistic approach, helps operators comply with the technical aspects of these new guidelines, providing in-depth protection for their critical systems. This guide is designed to help you understand the directive, what it means for your business, and how you can comply effectively using Cervello’s comprehensive cybersecurity platform.

About the TSA Rail Security Directive 

On October 24, 2022, the TSA updated its Security Directive 1580/82-2022-01 for passenger and freight railroad carriers. The surge of cyber threats over the past couple of years against US critical infrastructure prompted the government to become more proactive in protecting its railroads from cyberattack.
The latest update is indicative of the effort to establish a preventative, resilience-based approach that enhances the cybersecurity preparedness of the nation’s railroads. Owners/Operators have 120 days from the effective date to submit a Cybersecurity Implementation Plan to the TSA for approval.

Executing a Cybersecurity Implementation Plan

As part of the Cybersecurity Implementation Plan, Owners/Operators must implement the following cybersecurity measures:

  1. Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised;
  2. Establish access control measures to secure and prevent unauthorized access to Critical Cyber Systems (meaning any IT or OT system or data that, if compromised or exploited, could result in operational disruption);
  3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations;
  4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.

Network Segmentation Policies and Controls

The TSA Rail Security Directive requires that all relevant parties submit a list and description of the Information Technology (IT) and Operational Technology (OT) system interdependencies and all external connections to these systems, zone boundaries, and a breakdown of how these systems are defined and organized into zones based on criticality, consequence, and operational necessity. As for policies, they must ensure that IT and OT system services transit each other only when necessary for business or operational reasons. Railroad carriers must identify and describe the measures used to secure and defend zone boundaries. This includes security controls that prevent unauthorized communication between zones and that prohibit OT system services from crossing into the IT systems, and vice versa, with the exception of encrypted content. If this is not possible, the content must be secured and protected to ensure integrity and prevent corruption or compromise while in transit.

Comply with Cervello

Cervello facilitates network segmentation, sub-segmentation, and asset zoning of IT/IoT/OT critical systems, including signaling and rolling stock, based on the individual needs and preferences of the Owners/Operators.
Rail operators can then gain unparalleled visibility of their entire critical environment, including a complete asset inventory, a list of all external connectivity, and operational interdependencies. Establishing policies and security zones is critical for identifying and alerting on unauthorized lateral movement and communication between IT and OT zones. Cervello’s in-depth visibility provides the essential context railroad owners need to eliminate blind spots and possible security gaps and prevent unauthorized communication between zones.

Access Control Measures 

More than half of cybersecurity incidents result from insider threats. The TSA is now requiring that railroad carriers implement access control measures, including those for local and remote access, to secure and prevent unauthorized access to Critical Cyber Systems. The measures must include identification and authentication policies and procedures that prevent unauthorized access to Critical Cyber Systems.

Comply with Cervello

Cervello’s uniquely passive, non-intrusive Zero Trust approach ensures there is continuous authentication and validation of all movement, commands, and access to rail operational networks. The Cervello platform eliminates implicit trust through the validation of every digital interaction, ensuring each connected asset is safe, secure, and complies with its function and expectations, without compromising safety or usability.
Security and access policies are easily customizable to allow railroad Owners/Operators to enforce their own rules for shared accounts and account management, including separation of duties and the principle of least privilege. Powered by patented technologies, the Cervello Platform detects anomalies more efficiently and suggests updates to access control management policies and procedures.

Threat Monitoring, Detection Policies and Procedures 

As part of the Cybersecurity Implementation Plan, railroad carriers must implement continuous monitoring and detection policies and procedures designed to prevent, detect, and respond to cybersecurity threats. These measures must be able to identify the execution of unauthorized code and must implement capabilities to define, prioritize, and trigger incident response activities. The security directive also states that there must be continuous collection and analysis of data to detect potential intrusions or anomalous behavior on Critical Cyber Systems and on the other OT/IT systems that connect with Critical Cyber Systems. Mitigation measures must include the ability to isolate industrial control systems in the event that a cybersecurity incident in the IT system risks the safety and reliability of the OT system.
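The segmentation requirement above (zones, boundary controls, no IT/OT crossing except encrypted content) and the monitoring requirement (continuous collection and analysis to detect anomalous cross-zone behavior) can be combined into one boundary-policy audit. The following is an added example written for this guide; it is not Cervello's code and not text from the directive. The zone address ranges, the allowed cross-zone services, and the flow-log format are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map (constructed sample ranges, not a real railroad's addressing).
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.50.0/24")],
}

# Which zone pairs may talk at all, and over which services. Anything not listed is
# denied; this is the operator's "necessary for business or operational reasons" list.
ALLOWED_CROSS_ZONE = {
    ("IT", "DMZ"): {("tcp", 443)},
    ("DMZ", "OT"): {("tcp", 443), ("tcp", 22), ("tcp", 502)},  # 502 = Modbus, unencrypted
}
# Services whose payload is encrypted in transit (the directive's exception).
ENCRYPTED_SERVICES = {("tcp", 443), ("tcp", 22)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow-record format: "<ts> src=<ip> dst=<ip> proto=<proto> dport=<port>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_flow(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def zone_of(ip):
    """Map an address to its zone; anything outside the zone map is UNKNOWN."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def evaluate(flow):
    """Return (verdict, reason); verdict is 'allow' or 'alert'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    service = (flow.proto, flow.dport)
    if "UNKNOWN" in (src_zone, dst_zone):
        return "alert", f"endpoint outside any defined zone ({src_zone}->{dst_zone})"
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone}"
    permitted = ALLOWED_CROSS_ZONE.get((src_zone, dst_zone), set())
    if service not in permitted:
        return "alert", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in boundary policy"
    if service not in ENCRYPTED_SERVICES:
        # Permitted by the operator but crosses the boundary in the clear: the directive's
        # fallback requires compensating protection of the content in transit.
        return "alert", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} permitted but unencrypted"
    return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} permitted"


def audit(lines):
    """Evaluate every record; return the (flow, reason) pairs that need attention."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "alert":
            findings.append((flow, reason))
    return findings


# Constructed sample log: one intra-zone flow, two permitted boundary crossings,
# then IT->OT Modbus, OT->IT DNS, an unmapped source, and DMZ->OT Modbus in the clear.
SAMPLE_LOG = [
    "2022-11-01T10:00:01Z src=10.10.5.4 dst=10.10.7.9 proto=tcp dport=445",
    "2022-11-01T10:00:02Z src=10.10.5.4 dst=10.20.0.8 proto=tcp dport=443",
    "2022-11-01T10:00:03Z src=10.20.0.8 dst=192.168.50.10 proto=tcp dport=22",
    "2022-11-01T10:00:04Z src=10.10.5.4 dst=192.168.50.10 proto=tcp dport=502",
    "2022-11-01T10:00:05Z src=192.168.50.10 dst=10.10.5.4 proto=udp dport=53",
    "2022-11-01T10:00:06Z src=172.16.9.1 dst=192.168.50.10 proto=tcp dport=443",
    "2022-11-01T10:00:07Z src=10.20.0.8 dst=192.168.50.10 proto=tcp dport=502",
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"{flow.ts} ALERT {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The zone map and the allowed-service table are the two artifacts the directive asks an operator to document; keeping them as data rather than hard-coded conditions means the same audit can be re-run whenever the zoning is revised, and a flow from an address outside every zone is itself a finding, because an undocumented asset is a gap in the required inventory.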

Comply with Cervello

Cervello’s railway cybersecurity platform conducts continuous monitoring and threat detection of all network traffic based on the railroad’s set policies and behaviors. The solution uses novel components and state-of-the-art security mechanisms such as Zero Trust, AI-based behavioral analysis, vulnerability mapping, threshold analysis, and deep packet inspection (DPI) to identify unauthorized code as well as to define, prioritize, and alert on vulnerabilities and cybersecurity threats. 
Cervello passively and continuously collects data from the railroad’s OT/IoT/IT and physical systems, and uses AI and automated data analysis to learn, better detect, and contextualize any anomalous, misused, or unexpected network traffic for each network segment. The extent of data retention is customizable to make it possible to go back to any historical point and analyze the sequence of events.

Automated Vulnerability Detection and Management 

To reduce the risk of exploitation of unpatched systems, the TSA requires that railroad Owners/Operators implement a patch management strategy that includes a risk-based methodology for categorizing and determining the criticality of patches and updates, followed by an implementation timeline based on categorization, criticality, and prioritization. Where the Owner/Operator cannot apply patches and updates, the strategy must include a description and timeline of additional mitigations that address the risk of not installing the patch or update.

Comply with Cervello

Cervello automates all monitoring and threat detection processes, including vulnerability detection and prioritization. The platform prevents the exploitation of unpatched systems with vulnerability mapping and a management dashboard that continuously detects patches and updates, categorizes them, determines their criticality, and alerts on it using a risk-based methodology.
The system then automatically prioritizes and presents implementation guidance to Owners/Operators. For each public vulnerability it discovers and maps, the Cervello Platform assigns the respective Common Vulnerabilities and Exposures (CVE) score and builds a complete threat profile with an in-depth description and the potential consequences of an attack, as well as a unique understanding of its context.

Automated Tech Compliance