New cybersecurity regulations released by TSA for trains and planes

Emergency cybersecurity regulations for pipeline operators issued this summer were also released publicly this week.
Written by Jonathan Greig, Contributor

Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for US railroad and airport operators on Wednesday. 

First reported by Reuters, the rules mandate that operators disclose any hacks, create cyberattack recovery programs and name a chief cyber official. The Transportation Security Administration will manage the regulations, Mayorkas added. 

He said the regulations would go into effect by the end of the year. 

"Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security. The last year and a half has powerfully demonstrated what's at stake," Mayorkas said, according to Reuters. 

In April, New York City's Metropolitan Transportation Authority -- one of the largest transportation systems in the world -- was hacked by a group based in China. While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors in the system. 

In 2020, the Southeastern Pennsylvania Transportation Authority was hit with ransomware, and earlier this year, ferry services to Cape Cod were also disrupted by a ransomware attack. 

The new rules apply to railroad operators, rail transit companies, US airport operators, passenger aircraft operators and all-cargo aircraft operators. There are also lower-level transportation organizations that will be encouraged to follow the rules as well. 

The rules come days after the Washington Post revealed many of the specific emergency regulations for pipeline operators that were issued this summer after the attack on the Colonial Pipeline. 

Ben Miller, a vice president at cybersecurity firm Dragos, said the company has been working with pipeline customers as they adjust to a changing regulatory environment. 

"We encourage public-private collaboration and not moving too quickly. Reliability and safety are paramount, and the industry and their facilities are not cookie-cutter. We run the risk of making too many assumptions, ultimately slowing down progress and security of these important systems and environments," Miller said. 

The rules drew mixed responses from experts who questioned whether any organizations could live up to the stringent new regulations. 

"The security requirements laid out in the newly public TSA Security Directive are definitely ambitious. Most organizations we work with today can't meet these requirements, nor likely can most federal government agencies," said Jake Williams, CTO of BreachQuest. 

"The DNS monitoring requirements alone are far beyond what most organizations today are capable of. While effective in detecting intrusions, effort applied to implementing this sort of requirement will almost certainly distract from more important and achievable goals like foundational IT/OT network segmentation and monitoring."

Chris Grove, a Product Evangelist at Nozomi Networks and an expert in industrial cybersecurity, said the directorate follows suit with many other attempts to secure operational technologies by "providing a blend of prevention, detection and resiliency." 

But he noted that when the recommendations overlap with operational technology, they don't actually apply. 

"Even patching systems, MFA, allows OT operators a way out. In other areas, it doesn't, like weekly virus scanning of OT systems. The Directorate is high-level and non-specific enough that it doesn't appear to be directed at pipelines, but more about OT or critical infrastructure in general," Grove explained.

"Many operators, particularly those that pursued NERC-CIP, will be well positioned, probably superseding the requirements in the directive. On page 9, part 3, to break storage and identity stores between IT and OT is a huge challenge for converged environments. Also, on page 9, C.1.a mandates prompt removal from the network and disabling of drives of any infected equipment, something that's not always possible in an OT environment. To put this directive in context, it would have had no impact on the Colonial Pipeline incident, as the operator had security at a higher level than what the directive aims for."

Former US Defense Department cybersecurity advisor Padraic O'Reilly added that the days of voluntary guidance being sufficient in critical infrastructure are coming to an end. 

He noted that some organizations, like New York City's Metropolitan Transportation Authority, will be fine with the new mandates because they have already tried to implement the voluntary guidelines. 

"But we know that isn't true across the board, and pushback from private industry, when they hold assets that impact the public good, hearkens back to the killing of the 2012 cybersecurity act," O'Reilly told ZDNet.

"Even then, in a much simpler threat landscape, Cyber Command and the NSA tried to explain the importance of 'minimum security standards.' But the issue became partisan, and that is really too bad on matters that concern national security."

O'Reilly noted that there is likely to be more industry wrangling over specific requirements but honed in on the section titled, "Security Directive (SD) Pipeline-2021-02" -- which focuses on the key elements of hardening pipeline OT and IT against many current exploits. The section also effectively announces an end to some voluntary guidelines for the industry. 

According to O'Reilly, the timelines to submit statements (7, 30, and 180 days) all "seem reasonable even if they require quick action," and requiring documentation of compliance is another good measure included in the document.

"There will likely be industry pushback because the comment period was brief, and there are some unique considerations with respect to patching and other practices where Operational Technology is concerned. But even there, TSA has been careful to allow for a risk-based approach to patching OT, which is quite reasonable," O'Reilly added. 

"The most important aspect of the directive is that cyber resiliency is no longer voluntary. Arguably allowing pipeline standards to be voluntary was a mistake. It is beyond dispute that the critical infrastructure sectors (such as finance and electrical) that are regulated generally have much better security practices in place. Where the public good is concerned, there is a clear need for oversight, and only the Federal Government can do this effectively. We can ill afford another attack like the one that hit Colonial." 