Skip to content

Illustration by Security Management

TSA Announces New Cyber Requirements for Rail Operators and More in a Security Roundup

It’s been a busy week, especially in the cybersecurity arena. Here’s a rundown of some of the top news from around the world.

TSA Issues Rail Security Mandates

The U.S. Transportation Security Administration (TSA) announced new cybersecurity requirements for freight and passenger rail owner and operators on Thursday.

The TSA, part of the U.S. Department of Homeland Security, will require high-risk surface rail owners and operators to designate a cybersecurity coordinator; complete vulnerability assessments; create plans to respond to cybersecurity incidents; and report cybersecurity incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

The new requirements go into effect on 31 December. After that date, Cyberscoop reports that owners and operators will have 90 days to conduct a cybersecurity vulnerability assessment and 180 days to implement their cybersecurity incident response plans.

Additionally, TSA is requiring airport and airline operators to designate cybersecurity coordinators and report incidents to CISA within 24 hours. The agency also released guidance to recommend that all other lower-risk surface transportation owners and operators voluntarily implement these measures.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said U.S. Secretary of Homeland Security Alejandro N. Mayorkas in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.” 

The announcement of the new measures came the same week that Gartner released predictions that 30 percent of critical infrastructure organizations will experience a security breach that will result in halting of an operations- or mission-critical cyber-physical system by 2025. 

“Governments in many countries are now realizing their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, research director at Gartner, in a press release. “They are now making moves to mandate more security controls for the systems that underpin these assets.”

Taking on 5G Security

CISA released its third installment of guidance on protecting the confidentiality, integrity, and availability of data within a 5G core cloud infrastructure.

The guidance is the third installment in a four-part series and focuses on protecting sensitive data from unauthorized access. CISA developed the guidance with the U.S. National Security Agency to further their respective cybersecurity missions.

“Data protection is critical because our adversaries are constantly attempting to steal our sensitive data,” said Natalie Pittore, chief of ESF in the National Security Agency’s Cybersecurity Collaboration Center, in a statement. “As the amount of data increases, it is even more important that we all prioritize securing data in all stages of its lifecycle. This guidance can help us do that.” 

Cyber Insurance Shakeup

In a sign of the times, Lloyd’s of London is cutting insurance coverage for state-sponsored cyberattacks. The new measures will exclude cyber coverage for attacks that are a direct—or indirect—result of a war or cyber operation.

In an interview with Cybersecurity Dive, Andrea DeField—partner at the law firm Hunton Andrews Kurth—said that some of the Lloyd’s proposals expand “the war exclusion to situations beyond formally declared war and practically eliminate the cyber terrorism exception so as to preclude all coverage arising out of actions ‘by or on behalf of a state to disrupt, deny, degrade, manipulate, or destroy information in a computer system of or in another state.’” 

The move by Lloyd’s is just the latest in the insurance market to reassess how cybersecurity incidents are covered and liability. Previous Security Management reporting based on analysis by the U.S. Government Accountability Office (GAO) found that “insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as healthcare and education and for public-sector entities.”

Spyware and U.S. Diplomats

Spyware from NSO Group was on the iPhones of 11 U.S. diplomats, which may have allowed their conversations and movements to be monitored.

Apple notified the diplomats on Friday, marking the first confirmed cases of the NSO Group’s Pegasus spyware being used to targe American officials. NSO Group was also blacklisted in November 2021 by the U.S. government for allegations that it allowed foreign government clients to hack embassy employees, political activists, human rights workers, and others.

“At least some of those whose phones were penetrated by Pegasus were U.S. citizens, according to people familiar with Apple’s notifications, who added that the attacks were focused on U.S. officials working in Uganda or elsewhere in East Africa,” The Washington Post reports. “Last month the company began alerting people who had been potentially compromised by a known Pegasus exploit called ‘FORCEDENTRY’ and sued the company, seeking to prevent it from using Apple products in the future.”

Meta Mandates Two-Factor Authentication

High-risk Facebook accounts likely to be targeted by malicious hackers will now be required to adopt two-factor authentication (2FA), expanding the Facebook Protect security program.

“The initiative helps these accounts adopt stronger security protections by simplifying security features—including 2FA—and providing additional security protections for accounts and Pages, including monitoring for potential hacking threats,” according to Tech Crunch. 

Approximately 1.5 million accounts already used Facebook Protect; about 950,000 of those accounts voluntarily used 2FA prior to the new mandate.

In a statement sent to Security Management, Data-Driven Defense Evangelist for KnowBe4 Roger Grimes called the mandate “great news.”

“MFA significantly reduces the risk of some types of hacking attacks. With that said, MFA is not the security defense panacea that many vendors and users think it is,” he explained. “Once an attacker is aware of the type of MFA being used, in 80 to 90 percent of cases, it becomes as trivial to hack or bypass as a password. In most cases, an attacker can send a phishing email to an MFA-using user and get around the protection of MFA like it was not even there. MFA is not a bad thing. It is the opposite. Everyone should use it when and where they can to protect valuable data. But it is not like hackers and malware attacks are going away because MFA is being used. Quite the contrary. Companies who have been using MFA on large scales, long term are as nearly likely to be compromised as companies that do not. How? Usually social engineering and unpatched software."