Cybersecurity for Freight and Passengers Railroad Carriers
Implementing TSA’s Rail Cybersecurity Mitigation Actions and Testing
In October 2023, the Transportation Security Administration (TSA) renewed and revised its security directive to address ongoing cybersecurity threats to freight and passenger railroad carriers, including rail and light rail. The directive requires owners/operators to submit a cybersecurity implementation plan within 120 days for TSA approval. Tenable makes it easier to develop your cybersecurity implementation plan and maintain the security and productivity of your systems.
How Tenable Can Help
The Transportation Security Administration (TSA) issued security directives requiring TSA-specified passenger and freight railroads to implement cybersecurity measures to prevent disruptions to their infrastructure and/or operations.
This is only a partial list of TSA requirements. For the complete list, please see here.
Regulation / Recommendation
(SD III.A.) Identify the Owner/Operator’s Critical Cyber Systems as defined in Section VII of this Security Directive.
(SD VII.A. Definition) Critical Cyber Systems means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.
How We Help
Tenable helps customers identify critical cyber systems using a hybrid discovery approach that involves passive traffic analysis and active querying to identify IT/OT/ICS assets.
Regulation / Recommendation
(SD III.B.) Implement network segmentation policies and controls designed to prevent operational disruption to the Operational Technology system if the Information Technology system is compromised or vice versa.
As applied to Critical Cyber Systems, these policies and controls must include:
- A list and description of:
  - All external connections to the Information Technology and Operational Technology system;
- Policies to ensure Information Technology and Operational Technology system services transit the other only when necessary for validated business or operational purposes.
How We Help
Segmenting a network creates barriers limiting how far an attack can spread; however, segmentation also limits device visibility. Tenable discovers how devices communicate and which protocols they leverage, providing a contextual asset inventory that is critical for securing your OT environment. Additionally, you can identify high-risk IT assets an attacker would target and then prioritize actions to mitigate risk.
(1.b) Tenable can identify and notify of any connections between IT and OT systems/networks.
(1.d) Custom detection logic can be created to only alert on connections that have not been identified as necessary for validated business or operational purposes.
Regulation / Recommendation
(SD III.D.) Implement continuous monitoring and detection policies that are designed to prevent, detect, and respond to cybersecurity threats and correct anomalies affecting Critical Cyber Systems.
These measures must include:
- Capabilities to:
  - Monitor and/or block connections from known or suspected malicious command and control servers (such as Tor exit nodes, and other anonymization services).
- Procedures to:
  - Audit unauthorized access to internet domains and addresses;
  - Document and audit any communications between the Operational Technology system and an external system that deviates from the Owner/Operator’s identified baseline of communications;
- Logging policies that:
  - Require continuous collection and analysis of data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Operational and Information Technology systems that directly connect with Critical Cyber Systems; and
  - Ensure data is maintained for sufficient periods, to provide effective investigation of cybersecurity incidents.
How We Help
Tenable leverages multiple detection methodologies to alert on threats coming from external and internal sources. It identifies controller configuration changes, even if a human or malware makes changes directly on a device. Tenable monitors for unauthorized changes and alerts critical stakeholders, providing extended information for a comprehensive audit trail, which results in faster incident response and forensic investigations.
(1.e.) Tenable alerts users on any connections from known or suspected malicious command and control servers.
(2.a.) Tenable alerts users on connections to internet domains and addresses. Authorized domains and addresses can be whitelisted.
(2.b.) Tenable alerts users on deviations from the established baseline of network connectivity.
(3.a.) Tenable continuously analyzes data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Operational and Information Technology systems that directly connect with Critical Cyber Systems.
(3.b.) Tenable retains packet captures to provide an effective investigation of cybersecurity incidents.
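The two detection requirements above that Tenable maps to (III.B 1.d: alert only on IT/OT connections not validated for a business purpose; III.D 2.a/2.b: audit internet access and OT-to-external traffic outside the baseline) reduce to one check: compare observed flows against a documented baseline of validated cross-zone connections. The following is an added illustration, not Tenable's code or the directive's text; the IT/OT address ranges, the baseline entries and the flow records are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed zone definitions (assumed address plan, not from the page).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed baseline: each validated cross-zone flow carries the business
# or operational purpose that justified it (SD III.B 1.d).
BASELINE = {
    ("10.10.5.4", "10.20.1.10", "tcp/502"): "historian polls PLC over Modbus",
    ("10.20.1.10", "10.10.7.9", "udp/514"): "OT gateway forwards syslog to SIEM",
}

Flow = namedtuple("Flow", "src dst service")

def zone_of(ip):
    """Map an address to IT, OT, or EXTERNAL (anything outside both zones)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def classify(flow):
    """Return (verdict, reason) for one flow record."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return ("ignore", "intra-zone traffic")
    if (flow.src, flow.dst, flow.service) in BASELINE:
        return ("allow", BASELINE[(flow.src, flow.dst, flow.service)])
    if "EXTERNAL" in (src_zone, dst_zone):
        ref = "III.D 2.b" if "OT" in (src_zone, dst_zone) else "III.D 2.a"
        return ("alert", f"unlisted {src_zone}->{dst_zone} flow ({ref})")
    return ("alert", f"unvalidated {src_zone}->{dst_zone} flow (III.B 1.d)")

def deviations(flows):
    """Flows that need an alert, paired with the reason for the audit trail."""
    return [(f, classify(f)[1]) for f in flows if classify(f)[0] == "alert"]

# Constructed sample flow records, e.g. summarised from passive captures.
SAMPLE_FLOWS = [
    Flow("10.10.5.4", "10.20.1.10", "tcp/502"),    # validated historian poll
    Flow("10.10.9.2", "10.20.1.10", "tcp/502"),    # unlisted IT host to PLC
    Flow("10.20.1.11", "10.10.3.3", "tcp/445"),    # OT host reaching IT SMB
    Flow("10.20.1.10", "203.0.113.7", "tcp/443"),  # OT host to the internet
    Flow("10.10.5.4", "10.10.5.5", "tcp/22"),      # IT-internal, out of scope
]
```

Keeping the purpose string in the baseline means every suppressed alert is traceable to a validated reason, which is what an auditor will ask for under III.B.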
Regulation / Recommendation
(SD III.E.) Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the Owner/Operator’s risk-based methodology.
These measures must include:
- The strategy required by Section III.E.1. must include:
  - The risk methodology for categorizing and determining the criticality of patches and updates, and an implementation timeline based on categorization and criticality; and
  - Prioritization of all security patches and updates on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.
How We Help
Tenable offers complete visibility, security, and compliance, enabling freight and passenger railroad carriers to mitigate risk.
(2.a) Tenable uses CVSS scores as a standardized view of vulnerabilities across the environment. In addition, Tenable’s Vulnerability Prioritization Rating (VPR) helps practitioners identify high-risk systems and vulnerabilities to focus on, making the best use of your security team’s time during a maintenance window.
(2.b) Through integration with Tenable Security Center, users can prioritize all security patches and updates based on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.
Available Government Funding for the Rail Sector
There are a number of federal funding programs available for rail carriers for cybersecurity expenditures.
The Department of Homeland Security has a grant program that prioritizes cybersecurity for transit projects, including rail:
- Department of Homeland Security Transit Security Grant Program: A discretionary grant program that provides more than $90 million per year for passenger rail, intra-city bus and ferry systems. Grant applicants receive a 20% uplift to their application scores for addressing cybersecurity in their Investment Justifications.
While Federal Railroad Administration (FRA) grant programs expressly focus on cybersecurity projects, all grant applicants must demonstrate “efforts to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project.”
- FRA's Corridor Identification and Development Grant Program: A discretionary grant program to develop new and enhanced intercity passenger rail services to help bolster economic growth throughout the United States. The most recent Notice of Funding Opportunity (“NOFO”) can be found here.
- FRA's Railroad Crossing Elimination Grant Program: A discretionary grant program for highway-rail or pathway-rail grade crossing improvement projects that focus on improving the safety and mobility of people and goods. The most recent NOFO can be found here.
- FRA's Federal-State Partnership for Intercity Passenger Rail Grant Program: A discretionary grant program to develop new and enhanced intercity passenger rail services to help bolster economic growth throughout the United States. The most recent NOFO can be found here.
- FRA's Restoration and Enhancement Grant Program: A discretionary grant program for initiating, restoring, or enhancing intercity passenger rail transportation. The most recent NOFO can be found here.
Regulation and government funding information provided on this web page is dynamic and subject to change. Refer to tsa.gov for the most up-to-date information.