# Opener

Railroad Cybersecurity as Directed by the TSA

Published by Axio

The TSA is now requiring railroad owners and operators to perform cybersecurity architecture design reviews (CADR). In this blog, we discuss why this new assessment is an important initiative to improve railroad cybersecurity, and how Axio can help you fulfill this new requirement with our partner 1898 & Co.

Need a CADR assessment for your railroad organization and don’t have time to read this article? Contact [email protected], and we will help you get started right away.

Why railroad cybersecurity is so critical

Railroads have become increasingly reliant on technology in recent years, with everything from signaling systems to dispatching software now controlled by computer systems. While these technological advancements have made rail transportation more efficient and safer in many ways, they have also made railroads more vulnerable to cyber-attacks. One major concern with railroad cyber-attacks is the potential for hackers to gain access to train control systems. If a hacker were to gain control of a train’s controls, they could cause the train to derail or collide with another train, potentially causing significant damage and loss of life. Another concern is the potential for hackers to disrupt railroad operations by targeting critical computer systems such as dispatching software or signaling systems. These attacks could lead to train delays and cancellations, which could have significant economic and social impacts.

Some real-world railroad cyber-incidents include:

  • Canadian National Railway (CN) Ransomware Attack – In March 2021, a ransomware attack on the CN disrupted operations and caused significant customer delays. The attack affected CN’s IT systems and customer-facing applications but did not compromise the safety of the railway’s operations.
  • Siemens Train Control System Vulnerability – In 2018, researchers from cybersecurity firm TrendMicro discovered a vulnerability in a commonly used train control system developed by Siemens, which could allow an attacker to take control of a train’s speed and direction.
  • Ukrainian Power Grid Cyber Attack – In 2015, hackers targeted the Ukrainian power grid, causing a blackout that affected 225,000 people. The attack was attributed to a Russian cyber espionage group and demonstrated the potential of cyber-attacks to disrupt critical infrastructure.

Railroad companies are improving their cybersecurity posture and protecting against cyber-attacks. This includes implementing strong authentication and access control measures, performing regular vulnerability assessments and penetration testing, and investing in employee cybersecurity training. However, as technology continues to advance, and hackers become increasingly sophisticated, new directives from the US government aim to accelerate cybersecurity improvement.

TSA Directive 1580/82-2022-01 for passenger and freight railroad carriers

On October 18, 2022, the Transportation Security Administration (TSA) announced a new cybersecurity security directive for owners and operators classified as designated passenger and freight railroad carriers.

This security objective has been designated as 1580/82-2022-01 and is an extension of Security Directive 1580-21-01. These directives aim to “reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through implementing layered cybersecurity measures that provided defense-in-depth.

A requirement for developing of a cybersecurity assessment program has also been added that includes the execution of a Cybersecurity Architecture Design Review (CADR) to validate that the network architecture effectively isolates critical OT cyber systems from potential threats.

We here at Axio have you covered if you are looking for a Cybersecurity Architecture Design Review (CADR) for your railroad organization.

CADR: going further than a standard cybersecurity assessment

In collaboration with 1898 & Co., Axio has established a CADR assessment process built on reputable assessment methodologies consistent with the recommended controls in NIST Special Publication 800-82 Guide to Industrial Control Systems Security. This process provides stakeholders with a clear evaluation of alignment with the TSA’s security directives while establishing a baseline on which to build effective defense-in-depth strategies to improve the security posture of the OT environment. But the CADR assessment goes further than traditional assessments: in addition to reviewing current practices and controls, testing is performed to substantiate the effectiveness of these controls. This gives operators a real-world view of their cybersecurity strategy performance.

CADR was designed for industrial control systems and operational technology

This process provides stakeholders with a clear evaluation of alignment with the TSA’s security directives while establishing a baseline on which to build effective defense-in-depth strategies to improve the security posture of the OT environment. The four components of a CADR assessment are:

  • Network architecture review
  • System configuration and log review
  • Network traffic analysis
  • A comprehensive NIST-based controls review

You can read the full Axio brief about the CADR assessment here.

If you’d like to get started with a CADR assessment, contact [email protected] for a consultation.