AAR’s Farmer: Railroads collaborate with peers, government to mitigate cybersecurity risks

10/18/2021

Later this year, the U.S. Transportation Security Administration (TSA) will issue new cybersecurity directives requiring freight and passenger railroads to name a cybersecurity point person, report cybersecurity incidents to the federal Cybersecurity and Infrastructure Security Agency (CISA), and develop a contingency and recovery plan in case they become a victim of malicious cyber activity. 

The security directives — announced earlier this month by U.S. Homeland Security Secretary Alejandro Mayorkas — are being issued in the aftermath of the Colonial Pipeline ransomware attack that occurred in May, in which hackers broke into the company’s data system by stealing a single password. The attack prompted Colonial to shut down its 5,550-mile gasoline pipeline, which disrupted fuel supplies throughout the country. 

For the Biden administration, the Colonial case underscored how vulnerable the nation’s aging, critical infrastructure is to cyberattacks. As a result, the Department of Homeland Security is taking steps to strengthen national cybersecurity, including TSA’s upcoming mandates for the rail industry.  

“Reducing cybersecurity risk is in every organization’s self-interest, especially considering the indiscriminate nature of ransomware,” Mayorkas said Oct. 6 in a speech at the 12th Annual Billington Cybersecurity Summit. 

When it comes to cyber and physical security concerns, the rail industry has long had a process and plan in place to monitor threats, share information and mitigate risks to protect U.S. and Canadian freight- and passenger-rail systems. So says Thomas Farmer, assistant vice president of security at the Association of American Railroads (AAR), which helps coordinate such matters for the industry. 

RISC monitors security threats, risks

Through AAR’s Rail Information Security Committee (RISC), railroads are kept apprised of information they need to identify and secure the potential vulnerabilities in their information technology networks. The RISC’s membership includes representation from Class Is, short lines and regionals, Amtrak, Virginia Railway Express and others who focus on following and evaluating current and evolving cybersecurity threats.  

The group also shares effective practices; identifies and assesses cyber risks to railroads individually as well as to the industry as a whole; conducts cybersecurity training exercises; and shares information with other transportation and government partners, including the TSA, CISA, the FBI, U.S. Department of Transportation and Transport Canada. The government entities also share information with the RISC to help keep railroads aware of potential risks or threats. 

RISC members teleconference or meet virtually twice a month to share updates. 


Farmer worries the new TSA mandates could disrupt what the rail industry already is doing to tighten cybersecurity. Additionally, AAR is concerned TSA is implementing the mandates as “directives” instead of through the lengthier federal rulemaking process that would involve more stakeholder input. Under the directive scenario, AAR had just three days to review and comment on the TSA’s plan. 

“We think we have in place a very proactive approach toward cybersecurity that recognizes we’re in an evolving threat environment,” Farmer says. “We share as much information as we can about the evolving threats and take the right course of action to narrow our risk profile.” 

The RISC dates back to 1999, when the Class Is and Amtrak formed a group to address worries about the Y2K transition.  

“Y2K turned out not to be as big a concern as initially thought, but the interaction [among the railroads] was so effective that the committee decided to maintain its existence,” Farmer says. 

Today, the RISC is particularly vigilant about tactics that adversaries use to perpetuate ransomware attacks. One common method is using phishing campaigns, in which hackers send a malicious file attachment via email that, if opened, introduces software that compromises the targeted organization’s computer system.  

“We have set as a priority with the federal government that when an attack like that occurs, tell us how it happened,” Farmer says. “We want to know what were the indicators that preceded the attack — what was said in the emails that would raise alarm and should be reported to the security team at railroads?” 

The RISC also tracks reports of vulnerabilities in widely used software products. One such situation arose in August, when a cybersecurity flaw was discovered in BlackBerry-designed software that transportation companies use for real-time operating systems. The RISC worked with government to understand the scope of the risk, then identified and notified railroads and industry suppliers that used devices with the software installed so they could apply a solution to mitigate the risk. 

“Whether we hear about a vulnerability from government or private-sector sources, we continuously make the effort to understand the cyber environment and then take the right measures to narrow the risk profile,” Farmer says. 

The RISC is constantly mining government and private-sector sources to be aware of evolving and emerging threats. Farmer doesn’t believe there’s been a recent increase in the volume or sophistication of malicious cyber activity directed at railroads. 

Security plan changed as threats evolved

While the RISC stays focused on cybersecurity, a second AAR group keeps track of physical security risks and threats to railroads. Combined, the two committees form the Rail Sector Coordinating Council, which serves as the principal rail industry liaison with government on security matters. The council has created a broad security plan for the rail industry that initially focused on terrorism but over time has expanded to cover cybersecurity attacks and acts of domestic extremism. 

Farmer says he’s not aware of a specific threat toward the rail industry that prompted the TSA to issue directives. In general, the directives call for railroads to appoint cybersecurity coordinators; report cybersecurity incidents to CISA within 12 hours of identification; and maintain cyber-incident response and contingency plans. 

“We’re doing all those things,” Farmer says. “Railroads do have cybersecurity coordinators, and they do report significant incidents. … The advantage is that there’s much more freedom in our reporting because in most cases [the] advisories don’t identify the affected organization so they are free to share what really happened and what the organization will do about it.” 

As for incident response plans, railroads develop theirs in part by building on the lessons learned during the industry’s annual cybersecurity exercises and semi-annual risk assessments, Farmer says. Government entities such as TSA, CISA and USDOT have participated in those exercises and are familiar with those plans, according to Farmer. 

“We take a great deal of pride in our program because it is intended to be broad based and inclusive with our industry,” he says. “But I think more importantly, we are partners with our colleagues in other transportation modes and other sectors in private industry, and we share [information] very widely and proactively with government.” 

Farmer hopes that tradition won’t be lost once the new mandates come down. 

“We think this is a team effort,” he says.