New DHS railroad and aviation security directive aims to strengthen cybersecurity fabric

The Transportation Security Administration (TSA) division within the U.S. Department of Homeland Security (DHS) is set to impose a new ‘security directive’ for railroad and aviation industries in an effort to strengthen cybersecurity strategies. Homeland Security Secretary Alejandro Mayorkas confirmed in a speech earlier this month that the cybersecurity regulations slated to be released by the end of the year will help to strengthen cybersecurity and require critical transport and higher-risk railroad companies to disclose cyber incidents to the government, identify cyber officials, and prepare contingency plans for cyberattacks.

However, the regulations raise concerns that the U.S. government's move, which calls on owners and operators to act, is reactive in the face of serious cybersecurity issues in the aviation, maritime, and surface transportation sectors. The U.S. government could instead have chosen a more proactive approach, using mandatory rules and regulations to strengthen cybersecurity across the critical infrastructure sector.

Tom Alrich, an independent consultant specializing in supply chain security of critical infrastructure

Agreeing that the U.S. was being cautious, Tom Alrich, an independent consultant specializing in supply chain security of critical infrastructure, told Industrial Cyber, “Of course, they’re being reactive. When isn’t government reactive?”

Jim Crowley, CEO at Industrial Defender

“I would like to see the government focus on the work that they have been doing over many years on foundational controls,” Jim Crowley, CEO at industrial cybersecurity firm Industrial Defender, told Industrial Cyber. “There is an excellent playbook in the NIST CSF framework that the government has invested many years and resources in that has already been adopted. Putting forth cyber requirements, without mapping them to this framework is confusing and may actually prevent organizations from moving their cyber programs forward,” he added.

Secretary Mayorkas said that to strengthen the cybersecurity of railroads and rail transit, the new security directive from the TSA will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person, report incidents to CISA, and put together a contingency and recovery plan in case they become a victim of malicious cyber activity.

Alrich said, “They’ll improve it. Are they all that’s needed? No.”

There is far too much focus on reporting incidents and information sharing, Crowley said. “This can be helpful at a macro level, but doesn’t encourage focusing on basic security hygiene, which many companies still do not have in place,” he added.

When the FBI issued an advisory in early September on the possibility of attacks in the food and agriculture sector, food cooperatives New Cooperative and Crystal Valley were subsequently targeted by ransomware attackers.

Evaluating whether the announcement by the US administration that it will be releasing guidelines for improving protection later in the year puts these sectors at increased risk during the interim period, Alrich said it’s no secret that aviation, maritime and surface transportation are critical infrastructure, and they’re already experiencing various attacks. “So I don’t think the directive itself increases the risk level one way or the other. I just hope that, when they come out with these regulations, they’re better than what they put out for the pipeline industry. It would be hard for them to be worse,” he added.

Crowley also did not see a lot of cause and effect in this area. “The companies that are being attacked were already soft targets. If anything, the government should be more transparent,” he added.

“They recently released the TSA pipeline cyber requirements document to general industry. However, many parts were redacted. If you are part of the solutions ecosystem helping critical infrastructure companies, you are left guessing as to what the government is asking customers to implement,” Crowley added.

Alrich was recently given the opportunity to review a redacted copy of the TSA pipeline cybersecurity directive issued in July. In a recent blog post, he addressed two questions – on whether this is a step forward from existing OT cyber regulations, especially NERC CIP, and if it is, could it provide a guide to how CIP can be remade to become much more effective and efficient than it currently is.

Secondly, he analyzed whether it is a step backward, meaning that, if anything, it will furnish a good object lesson in how not to regulate OT cybersecurity. “My answer…drum roll, please…is that the TSA directive is a big step backward,” Alrich wrote in his post. “As such, it will provide us with some great lessons on how not to regulate OT, and especially how not to revamp NERC CIP. I’ve listed below what I think are some of the big failings of the directive, but I’ve restated them as lessons learned for any agency or organization that might someday find themselves writing or rewriting OT cybersecurity standards,” he added.

Clearly, Alrich does not think very much of the TSA directive for the pipeline industry and had a radical idea instead. “Why couldn’t they have ordered pipeline companies to implement a cybersecurity risk management program based on the NIST Cyber Security Framework? Admittedly, this wouldn’t have been seen as an innovation, and it wouldn’t have resulted in a Full Employment Act for cybersecurity consultants who can now put themselves out as experts familiar with the arcane niches of the TSA directive,” he added.

Cybersecurity expert Joe Weiss said that with the never-ending, and too often successful, attacks on critical infrastructure networks, there needs to be a better way to protect control systems and the processes they monitor and control. “July 28, 2021, an announcement was made about the President’s Industrial Control System Cybersecurity (ICS) Initiative to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. To date, this is a network-based approach specific to cyber threats. However, the existing approach of securing critical infrastructures by securing the networks is not working,” Weiss wrote in a blog post.

Citing the Israel Water Authority, which, recognizing that need, monitors the electrical characteristics of process sensors because the raw process sensor signals are ground truth and not susceptible to network attacks, Weiss was hopeful that the “US government, insurance companies, credit rating agencies, and others recognize what is really needed to be secured – the field control system equipment that keeps lights on and water flowing,” he added.