RazorSecure’s product portfolio provides compliance with the new TSA requirements
The Transportation Security Administration (TSA) has announced a new cyber-security directive regulating designated passenger and freight railroad carriers, which places new requirements seeking to enhance U.S. railroad cyber-security resilience. In this article, we’ll look at these requirements in more detail and show how RazorSecure’s product portfolio can help you comply with these.
The new SD titled Enhancing Rail Cybersecurity – SD 1580/82-2022-01 effective October 24, 2022, extends cybersecurity requirements to achieve critical cybersecurity outcomes. This means that in addition to reporting cyber security incidents and completing a cybersecurity vulnerability assessment, specific solutions need to be implemented in order to prevent disruption and degradation to their infrastructure.
Let’s look more closely at the main desired outcomes of this directive:
Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
Create access control measures to secure and prevent unauthorized access to critical cyber systems;
Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations;
Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
These four requirements are well considered and align very strongly with best practices in security engineering. Network Segmentation and Segregation is a key technique to reduce the risk of compromise and manage the risk of a breach of a less critical system spreading to a more critical system. It absolutely should be used when there are a mix of systems with differing security requirements, such as is commonly found with rail systems.
In our experience in rail, Access Control is generally not as strong as it should be: weak passwords may be used. Network Access Control measures are infrequently used (physical access control alone is deemed acceptable in many situations), individual user accounts with roles and restricted permissions may be absent and systems may rely on a single shared administrator account to perform maintenance activities. Far too often we hear that Rolling Stock or Wayside networks are “closed” and that justifies the lack of access controls - this is an incorrect viewpoint and leaves rail systems exposed to significant cyber risk, because no network is ever truly closed.
Monitoring and Intrusion Detection is an absolute core concept. How do you know if you are facing a cyber threat if you have no mechanism to alert you? All cyber risk frameworks emphasize the importance of process and continuous monitoring, as this is the only way to catch potential issues (whether threats or underlying vulnerabilities) early and fix, or reappraise the risks and deploy appropriate countermeasures. It’s worth noting that a good cyber monitoring solution can also help identify and fix operational issues too, so there may be benefits beyond the reduction in cyber risk.
Every digital system in production deployment needs to be updated and patched over its lifetime, and timeliness can be critical in a cyber context. Rail systems can be complicated and costly to update, and considering ways in which this can be more quickly and cost-effectively achieved, both from a process and technological point of view, is extremely important. Further, accurate reporting of configuration information, including software versions, helps to identify vulnerable software (including software dependencies and libraries) and incorrect configuration. As with monitoring, there may be significant operational cost savings associated with improved update processes.
RazorSecure has been active in rail cyber security since 2015 and we work closely with our customers in the development of holistic solutions designed to address their key cyber risks. As such, it’s no accident that our solutions align with the new TSA requirements and our products can help in achieving compliance with all of these.
RazorSecure’s Security Gateway was designed specifically to implement segmentation and separation of critical networks on rolling stock to prevent attackers from gaining unrestricted network access and ensure network communication is tightly controlled, and permitted, between protected systems. The Security Gateway is a EN50155-approved hardware and software solution that provides next-generation firewall capability and network monitoring, as well as other security-related functions.
We can also ensure TSA compliance when it comes to establishing access control measures and protecting systems by preventing unauthorized threats from infiltrating the network. RazorSecure’s Digital Maintenance Gateway solution is designed to provide secure access to on-board systems for updates, configuration, and maintenance purposes. It serves the dual aim of providing significant mitigation for key cyber threats through its strong access control measures, even for legacy systems with weak existing security controls, as well as improving the speed and reliability of software update rollouts across a fleet.
We can also work with you to establish continuous monitoring and detection capabilities in line with the TSA requirements. Our flagship product, RazorSecure Delta, is an Intrusion Detection System (IDS) that continuously monitors the behavior of individual systems and traffic across the network, to quickly detect, alert and respond to malicious activity and security violations in real-time. It monitors a host or network traffic for abnormal activity and issues alerts when such activity is detected. Alerts are managed using our Explorer dashboard and can also be pushed to a central Security Information and Event Management (SIEM) system. RazorSecure Delta is designed to monitor both wayside and on-board systems and networks, and has been in production use in Rail for almost 5 years.
RazorSecure’s experience with operational deployments makes us a trusted partner to support U.S. rail owners and operators implementing cyber security solutions that ensures compliance with new TSA Security Directives. Working regularly with operators, RazorSecure cyber products are deployed on more than 2500 vehicles to date collaborating with 9 different train operators as well as 5 train builders in both Europe and North-America.
We have developed our solutions to align with the latest cyber security frameworks and regulations, whilst also supporting efficient ongoing operations. We have a holistic approach to rail cyber security, working regularly with operators and stakeholders to address the evolving needs within the rail environment through our comprehensive product portfolio, and a range of professional services. Our solutions are applicable to both new-build and legacy systems, on-board as well as on the wayside.
Cyber security begins with a conversation. Contact us to further discuss how RazorSecure solutions can be matched to your unique challenges to ensure compliance with the new TSA directive, or request a demo to further understand the innovation of our technology. Meet with Randy Mitzelfelt, Head of Business Development, North America on November 14-16 at the Commuter Rail Coalition Summit in San Jose, CA.
