Expanding Rail Transit Cybersecurity [Weekly Cybersecurity Brief]

Of the major cyber incidents to occur over the course of this year, a common target was critical infrastructure. Whether it was the pipeline attack impacting access to fuel on the East Coast or a forced temporary shutdown of a large-scale beef supplier and its supply chain, it has become clear that there are significant vulnerabilities present in this sector. In the mission to address this issue, agencies have recently turned their focus to rail transportation.

Like other infrastructure operators, rail organizations such as the Southeastern Pennsylvania Transportation Authority and New York’s MTA have experienced threats signaling a need for cybersecurity attention. In a new regulation initiative, the federal government has put forth cybersecurity mandates designated for “higher-risk” railroad and rail transit systems, according to CBS News. Like requirements set earlier this year for other critical infrastructure entities, the measures established by the Department of Homeland Security and Transportation Security Administration, direct rail organizations to report cyber incidents to the federal government within a certain time frame, appoint a cybersecurity liaison, conduct a cybersecurity audit, and create a response plan. There has been some pushback on these mandates, however. TSA Deputy Assistant Administrator Victoria Newhouse stated that “These are very tight deadlines, and [stakeholders] have communicated dutifully with us. They were very direct and frankly vocal with us when they met challenges.” In addition to the deadline, complaints have included confusion over what type of cases must be reported.

Nextgov reports, though, that the rail related directives have narrowed down the definition a bit, unlike those released earlier for pipelines. They state that operators should be reporting incidents that are “under investigation as a possible cybersecurity incident.” The other difference lies in the reporting deadline. Whereas pipelines were given 12 hours to notify the CISA of worrisome events, those in the rail industry have been granted 24 hours. The TSA is looking to extend these cybersecurity mandates to the aviation field as well. According to DHS officials, specific guidelines around assessment and response plans will be released soon.

Railways and aviation are not the only infrastructure systems receiving the spotlight now. As The Wall Street Journal recently shared, the Biden Administration is preparing to enhance cybersecurity practices around water supply. Much like other infrastructure networks, the water sector is plagued with the cybersecurity challenge that comes with an industry controlled by thousands of organizations. Therefore, as the Industrial Control Systems Cybersecurity Initiative launched in April grew its focus on electrical operators to include natural-gas pipelines, there is interest in expanding it again for water facilities. Considering that the industry has faced threats such as the event in Oldsmar, Fla. In which a hacker attempted to compromise the community’s supply, the White House has enlisted the Environmental Protection Agency and Cybersecurity and Infrastructure Security Agency to help in addressing such concerns. 

To learn more about ways to protect critical infrastructure, visit Option3 portfolio company Veracity Industrial Networks.

Key Takeaways:

“U.S. imposes first cybersecurity rules for rail transit, despite industry pushback” – Nicole Sganga, CBS News

https://www.cbsnews.com/news/cybersecurity-trail-train-transit-rules/

  • The federal government has put forth cybersecurity mandates designated for “higher-risk” railroad and rail transit systems.
  • The requirements direct rail organizations to report cyber incidents to the federal government within a certain time frame, appoint a cybersecurity liaison, conduct a cybersecurity audit, and create a response plan.
  • Some rail organizations have pushed back on these regulations citing issues with the reporting details and deadline.

“DHS Redefines ‘Cybersecurity Incident’ in Directives for Surface Transportation” – Mariam Baksh, Nextgov

https://www.nextgov.com/cybersecurity/2021/12/dhs-redefines-cybersecurity-incident-directives-surface-transportation/187246/

  • While the regulations for rail operators mimic those set earlier this year for pipelines, they more narrowly define the type of incidents that should be reported.
  • They also grant an additional 12 hours for the reporting time frame.
  • The TSA is looking to extend these cybersecurity mandates to the aviation field as well.

“White House Readies Plan to Boost Cybersecurity of Water Supply” – David Uberti, The Wall Street Journal

https://www.wsj.com/articles/white-house-readies-plan-to-boost-cybersecurity-of-water-supply-11638565221

  • The Biden Administration is preparing to enhance cybersecurity practices around water supply.
  • Like other infrastructure networks, there are thousands of organizations controlling water facilities, which poses cybersecurity challenges for the sector. 
  • The White House has enlisted the Environmental Protection Agency and Cybersecurity and Infrastructure Security Agency to help in addressing such concerns.

 

Share
Share on facebook
Share on twitter
Share on linkedin
Share on email

You Might Also Like...