Dec 4, 2021

TSA rolls out rail cyber requirements, targeting prevention and rapid response

The TSA had not completed its assessment of pipeline cybersecurity weaknesses, the Government Accountability Office (GAO) said in July. The GAO wants the TSA to collect more data from pipeline owners and operators and to modernize its aged incident response protocols.
“Until GAO’s recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats,” said a GAO report published Thursday.
The TSA had success with its May security directives for the pipeline industry, and the same is expected for the rail industry. However, pipeline owners and operators had concerns about the aggressive timeline the directives demanded.
“It is always a valid and repeatable statement that the industry should have a voice in any attempt by the government to establish regulation within their sectors,” Kenneth Frische, director of cybersecurity and risk services for 1898 & Co., told Cybersecurity Dive in an email.
The TSA developed the rail measures using input from CISA and stakeholders in the public and private sectors, and expects to have a rule-making process for “certain surface transportation entities,” DHS said. 
For pipeline owners and operators, the TSA allowed alternative procedures to accomplish a cybersecurity requirement — it’s a compromise that allows for flexibility, though the TSA still has to approve the alternative approach. 
“Many of the inefficiencies in our economy and government can be traced to unfunded mandates and regulations imposed with negligible input from actual practitioners,” Frische said. The transit and rail industry is not profitable — “spending money on cyber is difficult when your budget is already thin.”
Even with financial setbacks and outdated technologies, the government has been having a conversation about transportation cybersecurity for at least six years. 
“This has not been a sudden development … In 2016, I attended a public NIST conference session on this very topic,” Frische said. The four initial provisions the TSA announced for the rail industry are “quite reasonable.”
“Every one of the 16 critical infrastructure sectors should be expecting this,” he said. 
When the government identified the 16 critical infrastructure sectors, it assigned tiers to the industries facing the highest risk. Transportation was not initially listed as a tier 1 sector, which is the highest risk category. “It was only a matter of time before the government got around to regulating other tiers,” Frische said. 
Where the rail industry might run into issues with the new directives is their lack of specificity. Frische wants to know what qualifications a cyber coordinator must have and what standards should be used in a vulnerability assessment.
“Interpretations of ‘risk assessment’ and ‘vulnerability assessment’ vary greatly in every industry from a checkbox questionnaire to a more meaningful drill-down into IT and OT systems,” he said. 
Another issue is the incident reporting measure. The National Defense Authorization Act (NDAA) for FY2022 includes an incident reporting measure, which requires entities to report an incident within 72 hours of discovery, with the exception of ransomware. It is unknown if the NDAA requirement will supersede the TSA’s rule for surface transportation. 