
Illustration by Security Technology; iStock

How a Proposed TSA Regulation Might Change Rail Security

When trains exceed the speed permitted on a piece of track, they run the risk of derailing—potentially killing the people onboard, destroying freight they’re carrying, and damaging the infrastructure around the rail system.

To lower the risk of derailments, many regulators have implemented requirements for rail owners to implement automatic train protection in the form of positive train control (PTC) systems. These are systems designed to prevent train-to-train collisions, over-speed derailments, and movement of trains through switches left in the incorrect position. They are a critical system to improve the safety of railroads, says Miki Shifman, CTO and co-founder of Cylus—a cybersecurity company focused on the rail sector.

To implement PTC, “trains are communicating with wayside equipment, and the wayside equipment sends different instructions like status signals to the trains so the trains will know the current state of the tracks and whether they should stop,” Shifman explains.

PTC relies on wireless communication, which adds a digital component to the train that improves safety and efficiency but can also be compromised through wireless channels, supply chains, or even insiders.
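The wayside-to-train status exchange described above is the point at which a compromised wireless link matters most: a train acting on a forged or replayed status signal is the failure mode a defender has to rule out. The following is an added illustration, not code from the article, from Cylus, or from any PTC standard: a constructed train-side receiver that accepts a wayside status message only if it carries a valid HMAC under a key shared with that wayside unit and a strictly increasing sequence number, so that frames injected or replayed over the radio channel are dropped. The message format, the key, the block identifiers and the "aspect" values are all constructed for the example.

```python
"""Constructed illustration of authenticated, replay-resistant wayside status
messages. Not the article's code and not any real PTC protocol; the message
layout, key and field names are assumptions made for this example."""
import hashlib
import hmac
import json

# Hypothetical shared secret provisioned to one wayside unit and the trains it
# serves. A real deployment would provision per-unit keys via a secure channel.
WAYSIDE_KEY = b"example-key-for-illustration-only"

TAG_LEN = 64  # hex-encoded SHA-256 HMAC appended to every frame


def encode_status(seq, block_id, aspect, key=WAYSIDE_KEY):
    """Build a wayside frame: canonical JSON body followed by a hex HMAC tag.

    sort_keys gives a deterministic byte string so sender and receiver
    compute the MAC over exactly the same bytes.
    """
    body = json.dumps(
        {"seq": seq, "block": block_id, "aspect": aspect}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + tag


class TrainReceiver:
    """Train-side check of incoming status frames.

    A frame is accepted only if its MAC verifies and its sequence number is
    higher than the last accepted one; every rejection is recorded with a
    reason so it can be surfaced to monitoring.
    """

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.rejected = []  # reasons, in arrival order

    def receive(self, frame):
        """Return the decoded message dict, or None if the frame is rejected."""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; also False when lengths differ.
        if not hmac.compare_digest(expected, tag):
            self.rejected.append("bad_mac")
            return None
        try:
            msg = json.loads(body)
        except ValueError:
            self.rejected.append("malformed")
            return None
        # Replay protection: a valid MAC is not enough if the frame is old.
        if msg["seq"] <= self.last_seq:
            self.rejected.append("replay")
            return None
        self.last_seq = msg["seq"]
        return msg


def run_demo():
    """Feed constructed frames: two genuine, one replayed, one forged.

    Returns (accepted aspects in order, rejection reasons in order).
    """
    rx = TrainReceiver(WAYSIDE_KEY)
    genuine_clear = encode_status(1, "B12", "CLEAR")
    genuine_stop = encode_status(2, "B12", "STOP")
    # A forged frame: plausible body, but a tag not produced with the key.
    forged = json.dumps(
        {"seq": 3, "block": "B12", "aspect": "CLEAR"}, sort_keys=True
    ).encode() + b"0" * TAG_LEN
    frames = (genuine_clear, genuine_stop, genuine_clear, forged)
    results = [rx.receive(f) for f in frames]
    aspects = [m["aspect"] if m else None for m in results]
    return aspects, rx.rejected


if __name__ == "__main__":
    print(run_demo())  # (['CLEAR', 'STOP', None, None], ['replay', 'bad_mac'])
```

The two checks are deliberately separate: the MAC answers "did the wayside unit I share a key with send this?", and the sequence number answers "is it the current state, not a recording?". A safety-critical receiver would additionally treat any rejection, or the absence of a fresh frame within a timeout, as the most restrictive aspect rather than keeping the last accepted one, and would forward the rejection reasons to the monitoring Shifman describes.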

“The more you add connectivity to the systems, you need to ensure that the systems are also adequately protected,” Shifman says.

That means more than securing the digital components themselves. The physical locations where those components connect to trains also matter.

“If you consider a train which consists, many times, of hundreds of connected devices or wayside equipment that sometimes have thousands of places around the track and you have physical locations that someone could access, you have different backbone communication links that some potentially unauthorized actor could access,” Shifman says. “All of them are potential entry points and they should be secured wherever it is possible, physically as well by properly monitoring for access control.”

One of those physical vulnerabilities in the rail system was on display in the lead-up to the Opening Ceremony for the Paris 2024 Olympics. Attackers cut fiber-optic cables that ran along the rail line and then set fire to them, disrupting service for approximately 800,000 people traveling to and from Paris.

The incident affected automatic train protection systems and is just one of the security incidents that rail owners and operators tracked during 2024, Shifman adds.

“There were other cases in which operations just stopped in what could be related to third-parties that were compromised that were essential to operations,” he says.

Improving Rail Security

Rail owners and operators have been on a journey during the past 25 years to increase cybersecurity of their systems as they become more digitally connected, said Ian Jeffries, president and CEO of the Association of American Railroads (AAR), in testimony in November before a subcommittee of the U.S. House of Representatives Committee on Homeland Security.

“Railroads leverage a strong mix of private and public capabilities to effectively prevent and respond to malicious cyber activity,” Jeffries added. “As threats evolve, our industry strives to stay agile and innovative to address the dynamic threat landscape.”

This evolving threat landscape includes ransomware attacks, misconfiguration errors, and nation-state efforts to infiltrate critical infrastructure, such as the transportation sector, with the potential to disrupt it during times of conflict.

In response to this changing landscape, the U.S. Transportation Security Administration (TSA) has issued voluntary guidelines, action items, and best practices for the surface industry (freight rail, passenger rail, public transportation, highway, and motor carrier). That work was built upon after the Colonial Pipeline ransomware incident, when TSA began issuing yearly security directives requiring certain rail owners and operators to make security changes to their organizations, policies, and procedures.

But the first security directive issued in 2021 was not well received by industry. The directive included prescriptive requirements for mitigating actions and timelines that stakeholders said were not feasible. Scott Gorton, executive director of surface policy at TSA, recalls that one of the memorable themes in feedback from industry about that directive was that the prescribed methodology was antiquated and would stymie practitioners from being innovative.

“That rang in our ears very loudly,” Gorton adds. “You have to be innovative and agile in a cyber environment because it changes so quickly. You’ve got to be prepared to use a new technology, or a new technique. We did not want to create a regulatory box that would prevent people from doing that.”

So, TSA went back to the drawing board and held weekly sessions with subject matter experts to issue a new security directive in 2022 that established an outcome-focused, performance-based regulatory structure.

“At its core, the concept is the government can set down objectives and outcomes to be achieved, but we shouldn’t be in the business of exactly telling you how to get there because cyber is fluid—cyber is different, depending on the network and the industry,” Gorton adds.

Subsequent security directives have followed that structure. While supported by industry, the security directives have had challenges when it comes to implementation because they are temporary requirements. They must be renewed each year, and this doesn’t provide industry with consistency on what to anticipate and prepare for long term, says Michael Welch, managing director of utility, manufacturing, food, beverage, and transportation, at MorganFranklin Consulting.

“With the limited resources, when it’s a directive it’s hard to build out a roadmap or a plan of how to remediate—what to do, how to bring in the resources needed to support operations,” Welch adds.

Regulation Changes

The work that went into the security directives and feedback from industry informed TSA’s latest effort to enhance cybersecurity and resilience of the rail system: a Notice of Proposed Rulemaking, which will turn the security directives it previously issued into formal, continuous regulation.

As it stands at press time, the proposed rule would apply to approximately 73 freight railroads responsible for 94 percent of the freight transported by rail in the United States. It would also apply to 34 rail transit and passenger railroads—including Amtrak. TSA estimates that initial compliance with the proposed rule will cost $2.2 billion.

In general, the proposed rule would require certain freight and passenger rail owners and operators to designate security coordinators for both physical and cybersecurity.

Additionally, owners and operators with higher cybersecurity risk profiles would need to establish and maintain comprehensive cyber risk management programs. Those higher-risk owners and operators would include:

  • Class I railroads

  • Class II railroads or those that transport certain amounts of rail security-sensitive materials in a high threat urban area

  • Switching providers to two or more Class I railroads

  • Terminal service providers to two or more Class I railroads

  • Operators with an average of at least 400,000 train miles in any of the three years before the effective date of the final rule and after the effective date

  • Railroads designated as Defense Connector Railroads by the U.S. Department of Defense

  • Hosts for freight railroad operations listed above

  • Passenger railroads with average daily unlinked passenger trips of 5,000 or greater in any of the three years before the effective date of the final rule and any single year after the effective date

  • Rail transit systems with average daily unlinked passenger trips of 50,000 or more per year in any of the three years before the effective date or any single year after the effective date


The proposed rule defines “unlinked passenger trips” as “the number of times an individual boards public transportation as counted each time a vehicle is boarded, not based on travel from origin to destination.”

Covered entities would be required to annually conduct enterprise-wide cybersecurity evaluations to identify their current cybersecurity profile compared to the target profile, which must include security outcomes identified in the proposed rule that align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Additionally, covered entities would need to develop cybersecurity operational implementation plans (COIPs) that include five main provisions:

  1. Identification of individuals or positions responsible for the governance of the owner or operator’s cybersecurity risk management program. Governance should also extend to an executive and a designated cybersecurity coordinator.

  2. Identification of critical cyber systems, specific network issues, and baseline communications.

  3. Details of measures to protect the identified critical cyber systems.

  4. Details of measures to detect cybersecurity incidents and monitor critical cyber systems.

  5. Measures to address response to and recovery from a cybersecurity incident.


Organizations must also develop cybersecurity assessment plans that include a schedule for assessments, an annual report of assessment results, identification of unaddressed vulnerabilities, and assurances that individuals or companies assigned or hired to evaluate the effectiveness of the plan are independent—without a financial interest in the results of the assessments.

The proposed regulation embraces the concept of security by design, which Welch says he is a proponent of.

“I think it’s going to bring both IT/cybersecurity and engineers to the table and working together to make sure they’re designing security in the beginning,” Welch explains. “I think that this new regulation’s proposed biggest change is that principle of the security by design and default. You have to bring your vendors in, you’ve got to bring your engineers in, you’ve got to bring your development people in early rather than trying to bolt something on later.”

These same rail owners and operators would also be required to report significant physical security concerns to TSA and significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

The proposed rule defines a cybersecurity incident as “an event that, without lawful authority, jeopardizes, disrupts, or otherwise impacts, or is reasonably likely to jeopardize, disrupt, or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.”

Gorton says the reporting of incidents is split because CISA can handle the intake of cyber incident reports. Pushing these reports to CISA also allows the agency to act as the central hub for cyber incident reporting. He adds that this gives CISA the ability to look across all 16 sectors of critical infrastructure—including multiple modes of transportation—to identify trends.

Welch says that he does not mind the split in reporting between physical and cyber incidents because each practice requires a different skill set.

“Physical security is different—it’s technology driven of course with cameras, card readers, alarms, and panels,” Welch adds. “There are a lot of similarities, but the skillsets of a physical security practitioner and a cybersecurity practitioner are different. Personally, I don’t mind that they go to different agencies and hopefully they share across other industries and the ISACs to help because a physical security breach could be a step toward a cyber breach, potentially.”

Additionally, incident reports would be required to identify the affected systems and facilities and to describe the threat, the incident, and the impact or potential impact on IT and Operational Technology (OT) systems and operations.

Covered owners and operators would be required to report a cybersecurity incident within 24 hours of identifying it. This potential requirement, however, is already receiving pushback. In testimony, Jeffries said that it conflicts with an existing Congressional mandate to report incidents within 72 hours.

“Not only does this lack of harmonization create confusion, the 24-hour window is impractical,” Jeffries said. “Within 24 hours, an attack could still be occurring, the information about the incident will be less complete, if not inaccurate, and railroads would be pulling resources and manpower away from responding to the attack and towards complying with reporting requirements.”

Jeffries also described in testimony a conflict with the proposed rule’s requirement that railroad security coordinators be U.S. citizens.

“Two large railroads in the U.S. are headquartered in Canada and employ Canadian citizens in high-level cybersecurity roles,” Jeffries explained. “Prohibiting these highly skilled senior level employees from representing their companies as security coordinators serves no clear security benefit and makes it extremely difficult for these Canadian railroads to comply.”

The potential requirement is consistent with the 9/11 Act, but TSA can waive the requirement for security coordinators if they complete a security threat assessment.

“From the agency’s perspective, the purpose of the citizenship requirement is to ensure each covered owner/operator has a designated point of contact for receiving critical threat information, including intelligence information that cannot be shared with foreign citizens,” the proposed rule said. “TSA is assuming that owner/operators would ensure that if the security coordinator on duty is not cleared to receive certain information, that individual would promptly notify the security coordinator or other appropriate individual who has the required clearances.”

Next Steps

Overall, Jeffries said that AAR is pleased that TSA has initiated this rulemaking process, which will make regulations more effective. In his testimony, though, he outlined two additional areas in which AAR would like to see government agencies act.

First, he called for additional government analysis of cyber incidents and attacks on the rail industry to better inform owners’ and operators’ decisions about how to strengthen their networks.

“Second, the government’s focus on the cybersecurity risks of transportation companies overlooks the importance of ensuring the security of suppliers to the industry,” Jeffries added. “Suppliers play a critical role in various aspects of railroad operations, and the government should consider how best to directly address their vulnerability to cyber incidents.”

Stakeholders will have until 5 February 2025 to submit their comments on the proposed rule. TSA will then go through those comments, address them, and then issue a final rule to eventually become a regulation.

Welch encourages stakeholders to review the proposed rule, understand how it will affect them, and participate in the public comment process to shape the final regulation.

“As a cybersecurity practitioner that focuses on this space, [the proposed rule] is a needed step,” he adds. “I’m not always for compliance. This is an adage out there: compliance doesn’t mean security, but compliance does become the enabler or mover of getting companies to start thinking about it. Because they don’t want the fines or the reputational issues if something happens.”

And while the rulemaking process unfolds, Welch encourages security practitioners to begin putting some of the measures in the proposed rule in place.

“Even if you’re not in that [covered entity category]—it doesn’t mean it’s not going to come your way later,” Welch says. “Start now. We’re doing this to protect the critical infrastructure of our country.”

The proposed rule was issued under the Biden administration. With the Trump administration taking office in January, it’s unclear how the change will affect development of the regulation. But Gorton says that, as with all federal regulations, there are timeframes built in to allow for public comment and to ensure that regulators give careful thought before imposing requirements.

“Some folks in industry have let us know informally that they are very interested and that they plan to comment,” Gorton says. “We are anticipating a fairly large volume of detailed comments. This is a big rule, it touches on a lot, and I am not oblivious to the fact that it’s going to have a significant financial impact on the companies that are regulated. Everybody needs to be thoughtful about this.”


Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected] or on LinkedIn.