Yesterday, the U.S. Transportation Security Administration released official regulations directed to rail and rail transit groups designed to bolster cybersecurity risk management. The regulations will go into effect December 31, 2021, following a year marked by a series of cyberattacks targeting the rail industry. New York’s Metropolitan Transportation Authority, The Port of Houston — one of the largest depositories of airline passenger records, and global railroads each faced targeted attacks. The risk of cyberattacks is becoming more evident, and in response, the TSA is directing rail operators to take four immediate actions:  

  • Designate a cybersecurity coordinator 

  • Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of detection 

  • Complete vulnerability assessments to address risks both within Information (IT) and Operational (OT) technology systems 

  • Develop a cybersecurity incident response plan based on security issues discovered 

According to The Hill, “Owners and operators will have 90 days to conduct a cybersecurity vulnerability assessment and 180 days to implement a cybersecurity incident response plan.” 

Read on for an explanation of each requirement and show how Shift5 can help. 

Designate A Cybersecurity Coordinator 

The cybersecurity coordinator serves as the point of contact for all cyber-related incidents, activities, and communication between the rail organization and TSA / CISA. In addition to being accessible 24/7 to the TSA and CISA, the cybersecurity coordinator is responsible for conducting proper cybersecurity practices and procedures internally in the rail organization. They must have awareness and understanding of the cyber situation on all of their rail assets at all times, and for that they will need real-time data and the right tools. We provide those tools and data. 

Once the individual (as well as an alternate) have been identified, your company must provide their names, titles, and email addresses in writing to the TSA by January 6th, 2022 (seven days after effective date). 

Email to be sent to: TSA-Surface-Cyber@tsa.dhs.gov 

Report Cybersecurity Incidents to CISA within 24 hours 

Rail industry professionals are actively debating the type of incidents to report and to what extent a disruption to service and/or operations is deemed a “cyber incident.” According to the TSA, a cybersecurity incident involves one of the following: 

Unauthorized access of an IT or OT system 

Discovery of malicious software on an IT or OT system 

Activity resulting in denial of service to any IT or OT system 

Any other incident that results in: 

  • Disruption of operations to the railroad carrier’s IT or OT systems 

  • Potential to cause impact to large number of customers or passengers, critical infrastructure or core government functions, or impacts national security, economic security or public health and safety 

These incidents must be reported to CISA within 24 hours after a cyber incident has been identified and can be done through their online reporting system

Learn More About OT Cybersecurity For Rail 

Complete A Vulnerability Assessment 

By March 31st, 2022 (90 days after the effective date) your organization must complete a cybersecurity vulnerability assessment for both IT and OT systems and identify gaps using a form provided by TSA (to be sent directly to you). This assessment should include an assessment of current practices and activities to both IT and OT systems and identify remediation measures to address any identified vulnerabilities and gaps.  

Develop Incident Response Plan 

Within 180 days of the effective date (unless otherwise directed), your organization must develop and adopt a Cybersecurity Incident Response Plan to reduce the risk of operational disruption, should you experience a cybersecurity incident. This plan must include the following: 

  • Prompt identification, isolation and segregation of the infected systems from the uninfected systems, networks, and devices 

  • Security and integrity of backed up data 

  • Established capability and governance for isolating the IT and/or OT systems in the event of a cybersecurity incident arises 

  • Annual situational exercises to test effectiveness 

How Shift5 Can Help →  

The U.S. Department of Homeland Security designated the Transportation System Sector as one of 16 critical infrastructure sectors, whose disruption would have a debilitating effect on our nation’s security. The stakes for transportation infrastructure cybersecurity are high, and recent cyberattacks demonstrate risk has moved from a hypothetical to a reality. Shift5 can help Rail industry owners and operators meet TSA requirements to keep trains running in a contested cyber environment. 

In order to report any type of incident, rail organizations must gain full visibility into their systems and networks both in IT and OT. Shift5 specializes in OT cybersecurity of rolling stock and can implement a real-time cyber visibility solution across an entire rail fleet to help ensure nothing slips through the cracks. Once our hardware is installed, we can capture all data on your OT networks, monitor your cyber health, and immediately alert you to potential threats and incidents. 

What to do next 

  • Download the official directive from TSA (Freight, Passenger

  • Schedule a call now to learn more about how Shift5 can help your organization meet the requirements of Security Directives 1580-21-01 and 1582-21-01 
    About Shift5

About Shift5

Shift5 is the onboard data company. Created by officers who stood up U.S. Army Cyber Command and pioneered modern weapon system cyber assessments, Shift5 defends commercial transportation systems and military platforms against operational failures and OT cybersecurity risks. Household name aviation companies, U.S. railroads, and fleets within the U.S. military rely on Shift5 to maintain the readiness and availability of today’s fleets and tomorrow’s next-generation vehicles.