Railway Cybersecurity Regulations and Standards

RAILWAY AGE, JUNE 2023 ISSUE: Cybersecurity for rail operations has become one of the industry’s top concerns. Each year, cybersecurity initiatives require more time and resources than the prior year, and can easily become an overwhelming situation for anyone. The intent of this article is to explain cybersecurity, how it relates to the railroad industry, and the roles of relevant regulatory agencies in terms that railroaders understand. For a discussion of cyber attackers and example attacks made to railways, please see our companion article in the January 2023 issue of RT&S.

What is Cybersecurity?

A good way to describe cybersecurity is as a series of processes and procedures that an organization needs to implement to ensure resilient protection against cyber threats. In many ways, it is similar to quality assurance that manufacturers use to deliver high quality products or services. For both quality assurance and cybersecurity, there are many documents that will define the specific actions that individuals in the organization need to take to meet their objectives.

Similar to quality assurance, cybersecurity is not a one-size-fits-all methodology. Rather, it is a risk-based application of the processes and procedures. For both a quality assurance program and a cybersecurity program, the stakeholders assess risk and determine what is acceptable and where to “draw the line” of what will be done. Additionally, this process is re-reviewed periodically because risks routinely change.

The objective of any organization’s cybersecurity program is to ensure confidentiality, integrity, and availability of its entire information technology (IT) system. Confidentiality is the ability to keep information from being read by unauthorized sources. For a railway, this would be protecting sensitive information from being stolen, such as documentation on how a train control system can be remotely accessed. Integrity is the ability to protect information from being modified by unauthorized parties intentionally or through human error. For railways, this would be preventing an attacker from modifying a train control database without the railway being aware of the change. Lastly, availability is ensuring that systems, applications and data are accessible when needed by authorized parties. For a railway, this would be preventing an attacker from disabling a train control system from working.

To ensure confidentiality, integrity and availability, an organization needs to formalize its cybersecurity program with appropriate processes and procedures that defend against the ever-evolving threat.

Regulations and Standards

The regulatory body that defines cybersecurity requirements at a high level is the Cybersecurity & Infrastructure Security Administration (CISA), which is part of the Department of Homeland Security (DHS). CISA is a coordinating organization for critical infrastructure protection requirements. Critical infrastructure is defined as being private sector organizations that are key for the United States to operate. They are defined as 16 different sectors: 1) Chemical Sector; 2) Commercial Facilities Sector; 3) Communications Sector; 4) Critical Manufacturing Sector; 5) Dams Sector; 6) Defense Industrial Base Sector; 7) Emergency Services Sector; 8) Energy Sector; 9) Financial Services Sector; 10) Food and Agriculture Sector; 11) Government Facilities Sector; 12) Healthcare and Public Health Sector; 13) Information Technology Sector; 14) Nuclear Reactors, Materials, and Waste Sector; 15) Transportation Systems Sector; and 16) Water and Wastewater Systems Sector.

Freight and passenger railways are considered Critical Infrastructure as part of Sector 15, Transportation Systems. Additionally, manufacturers of locomotives, railroad and transit cars and rail track equipment are considered Critical Infrastructure as part of Sector 4, Critical Manufacturing Sector, because they are key to serving the Transportation Sector.

CISA is not the government body that defines specific cybersecurity regulation to the Critical Infrastructure organizations. Instead, CISA defines the high-level requirements and then works with regulatory bodies already overseeing each sector to implement specific requirements. For example, for Sector 16, Waste and Wastewater Systems, CISA gives high-level cybersecurity requirements to the Environmental Protection Agency (EPA), which then makes the specific cyber regulations for Water Treatment facilities. The Transportation Security Agency (TSA) does the same for freight and passenger railways.

The TSA has recently utilized the CISA high-level requirements to release two Security Directives and an Advanced Notice of Proposed Rulemaking (ANPRM). Security Directive 1580-21-01, released on Dec. 31, 2021, was focused on establishing the basics for railways to report cybersecurity incidents to CISA and to coordinate with the TSA. Security Directive 1880/82-2022-01, released on Oct. 24, 2022, focused on railways providing their Cybersecurity Implementation Plan (CIP), which details their cybersecurity protection level. Additionally, on Nov. 30, 2022, the TSA released an ANPRM in Federal Register Vol. 87 No. 229, in which it posed a series of questions to freight and passenger railways to gain a better understanding of the status of cybersecurity in the rail sector to pursue development of comprehensive requirements.

A cybersecurity framework is a very useful collection of already-defined controls that an organization can use as a starting point when building its cybersecurity program. The Security Directives and ANPRM do not mandate a specific cybersecurity framework that a railway must use. The National Institute of Standards and Technology (NIST) is one of the largest cybersecurity framework creators providing a wide array of individual framework standards used across government and private sector organizations. One such standard is the NIST Cybersecurity Framework (NIST CSF), which includes best practices to identify, protect, detect, respond and recover from cyberattacks. Additionally, the International Organization for Standardization (ISO) has also created a cybersecurity framework through their ISO 27001 standard. NIST and ISO 27001 have a lot of similarities. In general, NIST is the preferred framework for government organizations, and ISO tends to have more favor with commercial organizations. NIST has higher total number of controls, but the controls are more flexible to meet each organization’s needs. ISO 27001 has fewer controls, but those controls tend to be more prescriptive as compared to the controls offered by NIST. Another difference from NIST and ISO 27001 is that NIST standards are voluntary and self-governing (not mandated), while ISO 27001 requires auditing and certification.

Rail industry companies identified as Critical Infrastructure by CISA will need to utilize a cybersecurity framework to address the call-to-action from the TSA through its Security Directives and ANPRM.

Where to Learn More

The Transportation Technology Center (TTC), operated by ENSCO, is hosting its first annual conference on Nov. 7 and 8 in Pueblo, Colo. The conference is excited to have Ms. Sonya Proctor, TSA’s Assistant Administrator for Surface Operations, as a featured speaker. Ms. Proctor oversees the organization responsible for security of U.S. railroads, including cybersecurity. The event is a great opportunity for railway industry stakeholders to hear directly from the TSA about cybersecurity expectations going forward for the rail industry. More information about the conference can be found at ttc-conference.com.