The Transportation Security Administration (TSA) issued two Directives focusing on the cybersecurity of both passenger and freight railroads. Security Directive SD-1582-21-01 addresses passenger carriers and rail transit systems while Security Directive SD-1580-21-01 applies to freight and railroad carriers. Effective as of December 31, 2021, the directives mandate the designation of a cybersecurity coordinator; the reporting of cybersecurity incidents to DHS Cybersecurity & Infrastructure Security Agency (CISA); the development of a Cybersecurity Incident Response Plan; and the execution of vulnerability assessments. These directives are designed to help TSA and CISA feed technical intelligence such as indicators of compromise and vulnerability information back to the rail system customers to bolster their cybersecurity capabilities.

At a time when increased cyber-attacks are being conducted against civilian critical infrastructure by both nation-states and cybercriminal actors, railway cybersecurity has gone neglected for far too long, particularly as more noteworthy attacks have occurred against other critical infrastructures. Energy utilities, gas and oil, and water facilities have garnered an immediate response due to their direct impact on the civilians they support. Railway systems are a critical component of the national supply chain. In light of the recent supply chain problems that have impacted both commercial maritime operations as well as internal trucking transportation issues, it’s evident that any consequential disruption of rail services as a result of a cyber-attack can hurt the public both as consumers and travelers.

According to the Association of American Railroads (AAR), freight rail consists of an integrated network of trains, trucks, and barges that transports approximately 61 tons of goods per American every year. Per AAR, many of the products found at retailers have traveled on intermodal train, with more than half consisting of imports or exports, showing its tight relationship with international trade. Passenger rail is equally important in supporting economic development, as it connects rural communities to the nation. According to one think tank, Amtrak serves more than 500 destinations in 46 states and three Canadian provinces, boasting a ridership of 31.6 million passengers. As one of the United States’ oldest transportation services, the railway infrastructure is vital to the U.S. supply chain, accounting for approximately $219 billion in economic output and around one-third of U.S. exports by volume. It’s obvious why the security of its unimpeded operation is essential for sustained U.S. economic health.

The United States is not alone in expressing concern over its rail systems. In a recent report, the European Union Agency for Cybersecurity (ENISA) identified the increasing threat to rail networks in Europe. In addition to acknowledging the sophistication of attackers threatening railway networks, ENISA identified outdated operational technology systems as a growing concern. Over the past several years, ENISA cited several examples where cyberattacks have impacted rail services in Europe to include but not limited to: a distributed denial-of-service (DDoS) attack that impacted the ticketing system of a Danish railroad; a DDoS attack against Ukraine’s state-owned rail system temporarily disrupting operations, preventing travel; and a ransomware attack against a United Kingdom railway ticketing system. The evolution of the industry, combined with merging older trains with newer, more technologically advanced models, has increased the attack space and exposed potential cybersecurity vulnerabilities on the network. Freight and passenger rail systems in Europe are so important that the European Commission dubbed 2021 the Year of Rail.

The implementation of these Security Directives comes on the heels of the White House’s July 2021 National Security Memorandum on Improving the Cybersecurity for Critical Infrastructure Control Systems. Per the Memorandum, the government created an Industrial Control Systems Cybersecurity Initiative to defend critical infrastructures via the deployment of technologies and systems that provide “threat visibility, indications, detection, and warnings, and that facilitate response capabilities.” Rail systems are not the only sector getting increased attention. Similar directives are also in the works for the aviation and water supply sectors as well. The recent bipartisan infrastructure bill has $32 million slated for Tribes of cybersecurity grants to help make more localized infrastructure more resilient to cyber-attacks.

These developments are a positive and necessary step as recent ransomware attacks have demonstrated how disruptions of critical infrastructure services can impact the civilian population. While ransomware is not overly sophisticated malware, when applied against the right target, its effects were felt immediately. What should give pause is the advanced cyber weaponry created by more advanced state actors whose impact can greatly degrade, disrupt, or flat-out destroy critical infrastructure systems for long periods of time.

Despite the recent moves by the White House to improve the cybersecurity of several critical infrastructure sectors, a December 2021 report by the Government Accountability Office stressed the need to develop a comprehensive national cyber security strategy in which the government assumed a larger role in critical infrastructure protection. This suggests that the government needs to do more than provide strategic guidance to critical infrastructure owners, which seems to run contrary when considering that the overwhelming majority of rail is privately owned and operated.

While the two directives help the government get information from rail stakeholders it does nothing to address the challenges of securing their operational networks. Generally, there has been less emphasis on the cybersecurity of ICS systems than their IT system counterparts. Lack of the necessary security controls and antiquated legacy systems have further helped hostile actors attack critical infrastructures. And this is the area that needs to be the focal point of ICS security discussions, not just in rail but across other sectors that must manage ICS systems. At some point, strategies must give way to application.

Critical infrastructure sectors must lead their own cybersecurity efforts and compel the application of sector-wide solutions to bolster their operational technology environments. That means each sector must be responsible for setting and implementing their own compulsory standards, or risk sector-administered punitive consequences. At the end of the day, each sector must take responsibility for itself, and be held accountable for those included in its membership ranks. Only once those mandates are instituted can true progress be measured.

Opportunities for Advantage

All of this exponential disruption means we must make focused efforts to gain advantage. Stay informed on a variety of these critical issues at OODAloop.com and during our monthly OODA Network meetings and Salons.

 

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for businesses and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast