RazorSecure is supporting passenger and freight rail comply with new TSA Security Directives

RazorSecure is uniquely positioned to support U.S. rail owners and operators implement cyber security solutions that ensures compliance with new TSA Security Directives. RazorSecure have experience with operational deployments in both Europe and North America since 2017, covering more than 1600 rail vehicles today and over 50M passenger journeys protected.

The TSA announced two new Security Directives on December 2  that affect rail and transit operators in the USA, continuing the U.S. government’s move to a regulatory approach to cyber security within critical infrastructure. Security Directive 1582-21-01, “Enhancing Public Transportation and Passenger Railroad Cybersecurity” applies to the owners and operators of passenger rail;  Security Directive 1580-21-01, “Enhancing Rail Cybersecurity” applies to freight rail. 

This is an interesting development for the rail industry as it shows the U.S. Government, along with the TSA, strongly believe that cyber security threats on transportation are growing, and are prepared to take serious actions to prevent malicious cyber attackers from continuing to target U.S. critical infrastructure, including the rail transport modes. The Security Directives are further built upon other OT security directives that were issued after the May 2021 Colonial Pipeline ransomware attack.

Requirements that necessitate immediate action

Both the rail passenger and rail freight Security Directives contain identical requirements, and are both effective from December 31, 2021. Under the Security Directives rail owners and operators must meet four critical requirements: 

1. A Cybersecurity Coordinator should be designated

2. All Cybersecurity incidents should be reported to CISA within 24hrs

3. A Cybersecurity Incident Response Plan should be developed

4. A Cybersecurity Vulnerability Assessment should be completed

The Security Directives come as additional measures to the increasing objectives announced by the U.S. government, to increase the cyber security resilience, and preparedness for cyber attacks on critical infrastructure that will affect the economy and national security.

The requirements mirror to some extent the EU’s NIS Directive, which came into force in 2018. RazorSecure has been working with rail operators and owners in Europe since 2017 to help them meet their requirements under the NIS Directive alongside the new TS50701 Technical Specification, and we understand the practical implications of such requirements.

Cyber security monitoring and incident reporting 

Both Security Directives require reporting to CISA, within 24 hours, cyber security incidents that cause operational disruption, impact large number of passengers or national security,

With such a key emphasis on the speed at which incidents are discovered, and the steps taken to report such activity, it is clear that there is a strong requirement on security monitoring, detection and response in real-time; without excessive ‘false positives’. Reporting every activity within the network may become as disruptive as the incidents themselves - both for the owners, operators and the CISA. The Security Directives therefore will be more than just the detection of malicious activity; but also the accuracy in which the incidents are discovered and alerted.

An effective and timely response to an incident relies on having close to real-time alerting of a potential cyber security incident, and to have an effective process in place to investigate, retrieve forensic data, and make reporting decisions, prior to the reporting taking place. An Incident Response Plan requires you being able to characterise the incident and be able to identify and isolate affected systems, and respond and recover correctly. 

That said, we find some of our rail customers lack the internal resource, or skills, to be able to monitor their OT rail and wayside systems, while at the same time finding a large-scale outsourced Security Operations Centre too onerous and expensive. RazorSecure therefore provides our customers with a full monitoring service, with SLAs designed to meet the relevant reporting timeframes.

Conducting a Vulnerability Assessment

Instead of a ‘Risk Assessment’, which is more common practice within OT cyber security, the Security Directives require rail owners and operators to complete a Vulnerability Assessment and then develop a cyber security incident response plan based on the security issues and gaps discovered. This is, to some extent, understandable: a Vulnerability Assessment, when done correctly, is objective and does not require the assessment of impact or probability that would be needed for a Risk Assessment. 

However, this also places the owners and operators in a challenging position - there will be many vulnerabilities identified in the course of a Vulnerability Assessment, but which vulnerabilities should be prioritised? It will not be feasible to address all of them. This prioritisation should ideally be done in conjunction with a formal risk assessment, but failing that, owners and operators may need to take a pragmatic approach. 

RazorSecure has long experience in identifying and responding to real-world threats, as well as designing and implementing pragmatic and cost-effective solutions to either eliminate the underlying vulnerabilities or, where this is not possible, add appropriate monitoring to provide an early warning of any issue. We are 100% focused on rail and have a deep understanding of the vulnerabilities and constraints that are typically found.

How can RazorSecure help?

We have strong experience working with our customers to meet requirements, including the need to report incidents to central government agencies in a timely manner, as well as supporting the implementation of appropriate security measures, carrying out vulnerability assessments and supporting incident response planning and execution.

With RazorSecure’s Delta Intrusion Detection System, which is designed specifically for rail systems and networks, we have an effective solution for monitoring, alerting, and forensic analysis.

Furthermore, RazorSecure has been delivering solutions to help protect rolling-stock and wayside systems and networks. We are able to design and deploy our EN50155 Security Gateway onto both legacy and new-build rolling stock, providing a range of security functionality such as Firewalling, Network Access Control, Privileged Access Management and Log Aggregation that help both operators and car builders build in effective protection to meet a range of common cyber risks.

Cyber security begins with a conversation. Contact us to discuss how RazorSecure solutions can be matched to your unique challenges, or request a demo to further understand the innovation of our technology..