Written by
Jonathan Greig, Contributing Writer
Jonathan Greig is a journalist based in New York City. He recently returned to the United States after reporting from South Africa, Jordan, and Cambodia since 2013.
December 6, 2021 | Topic: Security
On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.
DHS officials repeatedly said the new rules were drafted after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed it of credible threats facing the rail industry.
DHS has faced backlash this year from companies in a variety of industries, as well as from senior Republican lawmakers, over cybersecurity rules that critics have called onerous and unnecessary.
In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer, all Republican leaders on the Committee on Commerce, Science and Transportation, criticized DHS's use of emergency authority to impose new rules on US railroad and airport systems, questioning whether such measures were "appropriate absent an immediate threat."
The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.”
“Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.”
The senators additionally claimed that current practices are “working well.”
When asked about the latest TSA regulations, cybersecurity experts who work with the rail industry expressed concern about how the new rules would work in practice.
Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required.
“Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said.
“Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.”
Williams added that policy language issues like these are typically caught during the public comment period, which TSA chose to forgo by issuing the directives under emergency authority.
“There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted.
Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.