Final Rule

Ratification of Security Directives

In Plain English

What is this Federal Register notice?

This is a final rule published in the Federal Register by the Homeland Security Department. Final rules have completed the public comment process and establish legally binding requirements.

Is this rule final?

Yes. This rule has been finalized. It has completed the notice-and-comment process required under the Administrative Procedure Act.

Who does this apply to?

Consult the full text of this document for specific applicability provisions. The affected parties depend on the regulatory scope defined within.

When does it take effect?

No specific effective date is indicated. Check the full text for date provisions.

Why it matters: This final rule amends regulations in multiple CFR parts.

Document Details

Document Number: 2025-01422
Type: Final Rule
Published: Jan 21, 2025
Effective Date: -
RIN: -
Docket ID: -
Text Fetched: Yes


Full Document Text (2,586 words · ~13 min read)

<RULE> DEPARTMENT OF HOMELAND SECURITY <CFR>6 CFR Chapter I</CFR> <CFR>49 CFR Chapter XII</CFR> <SUBJECT>Ratification of Security Directives</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Office of Strategy, Policy, and Plans, Department of Homeland Security (DHS). <HD SOURCE="HED">ACTION:</HD> Notification of ratification of security directives. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Department of Homeland Security (DHS) is publishing official notice that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive 1580-21-01B, Security Directive 1582-21-01B, Security Directive 1580/82-2022-01A, and Security Directive 1580/82-2022-01C applicable to owners and operators of critical rail entities (owners/operators). Security Directive 1580-21-01B and Security Directive 1582-21-01B extended the requirements of 1580-21-01 and 1582-21-01 series for an additional year, with minor revisions. Security Directive 1580/82-2022-01A and Security Directive 1580/82-2022-01C extend the performance-based requirements of the 1580/82-2022-01 series for an additional year and amends them to strengthen their effectiveness and address emerging cyber threats. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> The TSOB ratified Security Directive 1580-21-01B, Security Directive 1582-21-01B, and Security Directive 1580/82-2022-01A on November 22, 2023. The TSOB ratified Security Directive 1580/82-2022-01C on July 29, 2024. </EFFDATE> <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Thomas McDermott, Deputy Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy, at 202-834-5803 or <E T="03">thomas.mcdermott@hq.dhs.gov.</E> </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> <HD SOURCE="HD2">A. 
Cybersecurity Threat</HD> The cyber threat faced by the nation's critical rail infrastructure has only increased in the time since TSA issued its initial security directives addressing cybersecurity in rail and mass transit in December 2021. <SU>1</SU> <FTREF/> Cyber threats to surface transportation systems, including railroads and transit systems, continue to proliferate, as both nation-states and criminal cyber groups target critical infrastructure in order to cause operational disruption and economic harm. <SU>2</SU> <FTREF/> In recent years, cyber attackers have maliciously targeted surface transportation modes in the United States, including freight railroads, passenger railroads, and rail transit systems, with multiple cyberattack and cyber espionage campaigns. <SU>3</SU> <FTREF/> Cyber incidents, particularly ransomware attacks, are likely to increase in the near- and long-term, due in part to vulnerabilities identified by threat actors in U.S. networks. <SU>4</SU> <FTREF/> Especially in light of the ongoing Russia-Ukraine conflict, <SU>5</SU> <FTREF/> these threats remain elevated and pose a risk to the national and economic security of the United States. <FTNT> <SU>1</SU>  Transportation Security Administration, SD 1580-21-01 Enhancing Rail Cybersecurity (Dec. 31, 2021), <E T="03">https://www.tsa.gov/sites/default/files/sd-1580-21-01_signed.pdf;</E> Transportation Security Administration, SD 1582-21-01 Enhancing public Transportation and Passenger Railroad Cybersecurity (Dec. 31, 2021), <E T="03">https://www.tsa.gov/sites/default/files/sd-1582-21-01_signed.pdf.</E> </FTNT> <FTNT> <SU>2</SU>  Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence (2024 Intelligence Community Assessment), 11, 16 (dated Feb. 5, 2024) (last accessed July 23, 2024, at <E T="03">https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf</E> ). 
</FTNT> <FTNT> <SU>3</SU>  These activities include the January 2023 breach of the Washington Metropolitan Area Transit Authority; the January 2023 breach of San Francisco's Bay Area Rapid Transit System; and the April 2021 breach of New York City's Metropolitan Transportation Authority (the nation's largest mass transit agency) by hackers linked to the government of the People's Republic of China. This threat is ongoing: on February 7, 2024, CISA published an advisory warning of the threat posed by PRC state-sponsored actors. <E T="03">See</E> Cybersecurity Advisory (AA24-038A), <E T="03">PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.</E> </FTNT> <FTNT> <SU>4</SU>  Alert (AA22-040A), <E T="03">2021 Trends Show Increased Globalized Threat of Ransomware,</E> released by CISA on February 10, 2022 (as revised). </FTNT> <FTNT> <SU>5</SU>  Joint Cybersecurity Alert—Alert (AA22-110A), <E T="03">Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,</E> released cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom on April 20, 2022 (as revised). </FTNT> In its 2023 annual assessment, the Intelligence Community noted that “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”  <SU>6</SU> <FTREF/> And the 2024 annual assessment notes that, “[i]f Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.”  <SU>7</SU> <FTREF/> In addition, “Russia maintains its ability to target critical infrastructure . . . 
in the United States as well as in allied and partner countries” and “Tehran's opportunistic approach to cyber-attacks puts U.S. infrastructure at risk for being targeted.”  <SU>8</SU> <FTREF/> Furthermore, “malicious cyber actors have begun testing the capabilities of [artificial intelligence (AI)]-developed malware and AI-assisted software development—technologies that have the potential to enable larger scale, faster, efficient, and more evasive cyber-attacks—against targets, including pipelines, railways, and other US critical infrastructure.”  <SU>9</SU> <FTREF/> <FTNT> <SU>6</SU>  Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence (2023 Intelligence Community Assessment), 10 (dated February 6, 2023) (last accessed July 23 2024), <E T="03">available at https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf.</E> </FTNT> <FTNT> <SU>7</SU>  2024 Intelligence Community Assessment at 11. </FTNT> <FTNT> <SU>8</SU>  2024 Intelligence Community Assessment at 16, 20. </FTNT> <FTNT> <SU>9</SU>  DHS Intelligence and Analysis (I&A), Homeland Threat Assessment (2024) at 18 (last accessed July 23, 2024, <E T="03">available at https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf</E> ). </FTNT> <HD SOURCE="HD2">B. Regulatory History</HD> To counter the threat to rail infrastructure, in December 2021, TSA issued two security directives to owners and operators of certain higher risk rail entities (owner/operators) requiring them to implement cybersecurity measures necessary to prevent disruption and degradation to their critical infrastructure. 
Security Directive 1580-21-01 (applicable to freight rail entities) and Security Directive 1582-21-01 (applicable to passenger rail and mass transit entities) required covered owner operators to: (1) report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); (2) designate a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA; (3) conduct a vulnerability assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation; and (4) develop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption in the event of a cybersecurity incident. Due to the evolving threat to freight and passenger rail, TSA issued Security Directive 1580/82-2022-01 on October 18, 2022, which built on the requirements of the initial directives and required covered owner/operators to implement additional performance-based cybersecurity measures. <SU>10</SU> <FTREF/> Under the performance-based framework of Security Directive 1580/82-2022-01, TSA identified critical security outcomes that covered parties must achieve. To ensure that these outcomes are met, the directive required owner/operators to: <FTNT> <SU>10</SU>  88 FR 36921 (June 6, 2023). </FTNT> • Establish and implement a TSA-approved Cybersecurity Implementation Plan (CIP) that describes the specific cybersecurity measures employed and the schedule for achieving the security outcomes identified; and • Establish a Cybersecurity Assessment Program (CAP) and submit an annual plan that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities. The performance-based approach enhances security by mandating that critical security outcomes are achieved while allowing owner/operators to choose the most appropriate security measures for their specific systems and operations. 
In response to the continuing cyber threat to rail infrastructure, the requirements of Security Directive 1580-21-01, Security Directive 1582-21-01, and Security Directive 1580/82-2022-01 have been renewed and extended beyond their original expiration dates by subsequent directives, creating three security direct

Preview showing 10k of 21k characters. Full document text is stored and available for version comparison.
This text is preserved for citation and comparison. View the official version for the authoritative text.