Security experts question new DHS/TSA cybersecurity rules for rail companies

Some questioned whether CISA would be overloaded with messages now that rail companies have to report many cybersecurity incidents.
Written by Jonathan Greig, Contributor

On Thursday, the Department of Homeland Security (DHS) released new rules for the US's freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.

DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry. 

The government agency has faced backlash this year from companies in a variety of industries -- as well as senior Republican lawmakers -- for cybersecurity rules that some have called onerous and unnecessary. 

In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer -- all Republican leaders on the Committee on Commerce, Science and Transportation -- slammed DHS' use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were "appropriate absent an immediate threat."

The Republican lawmakers said the "prescriptive requirements" rolled out by TSA "may be out of step with current practices" and may "limit affected industries' ability to respond to evolving threats, thereby lessening security." They also claimed the rules will impose "unnecessary operation delays at a time of unprecedented congestion in the nation's supply chain."

"Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals," the senators wrote. "If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns." 

The senators additionally claimed that current practices are "working well."

When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice.

Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required. 

"Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system," Williams said. 

"Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security."

Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forego. 

"There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period," Williams noted. 

Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams' concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply. 

"Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed -- connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether," Brash noted. 

"I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden's XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation." 

He also said overly prescriptive approaches may result in too rigid of a structure and focus on the wrong elements, leading to a checkbox ticking exercise versus actual efforts to reduce cybersecurity risk.

Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. 

But these efforts have also expanded the rail industry's threat landscape for hackers, Levintal said.  

"The TSA's new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations -- along with similar ones in the EU -- will only evolve as new technologies continue to be adopted across the planet," Levintal explained. 

Despite the concerns about the new reporting requirements, some experts said the rail industry's cybersecurity risks outweighed worries about overzealous reporting. 

Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. 

He noted that one or two key rail lines serve entire regions of North America; those lines are vulnerable to disruption, and an outage might cripple the US economy much as the Colonial Pipeline event almost did. 

"We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more," Dickson said. 

"The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It's doubtful that without a regulatory 'nudge' from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord."

Padraic O'Reilly, chief product officer of CyberSaint, called the new rules a "good and timely development" that is "long overdue" because the rail industry is a vulnerable piece of the US critical infrastructure.

With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O'Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations. 

The AAR said they and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to "revise provisions that would have posed challenges in implementation."

The group said that with the latest regulations, "a number of the industry's most significant concerns have been addressed." All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR.

Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR's Railway Alert Network (RAN). 

"For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats," said AAR President and CEO Ian Jefferies. "Let there be no mistake -- railroads take these threats seriously and value our productive work with government partners to keep the network safe." 
