Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.¹ By design, OT underpins many critical infrastructure functions and is typically Spartan in terms of features and applications. 

OT systems usually rely on highly-customized and specific deployments, such as remote monitoring and controlling of oil and gas flow, water treatment, SCADA systems and railroad operations. OT systems also tend to rely on proprietary protocols and tend to be deployed with particularly narrow functions with minimal bloat or frills. 

From a security perspective, OT systems are not commonly compatible with traditional malware. Since OT systems are so narrow, they benefit from a concept called "security through obscurity" which refers to systems whose security is not based on encryption or any other technical measure, but rather on the tools and applications they use. 

While security through obscurity remains an important feature of OT systems, the failure to implement sufficient technical safeguards and governance structures presents a basis for legal liability (i.e., regulatory investigations or lawsuits). Entities involved in supporting critical infrastructure are held to an elevated standard of security over private sector entities.   

Regulation for Railroads is Rising  

It has been a rough year for the railroad industry. From September to November of 2022, carriers in India, Denmark and the UK suffered cyberattacks that disrupted OT and caused delays and shutdowns.² In October of 2022, a jury found  BNSF Railway liable for $228 million as a result of violations of Illinois’ Biometric Information Privacy Act.³ 

Railroad carriers are one of seven key subsectors of the Transportation Sector. Earlier this month, a nationwide strike was averted because it would have inflicted economic damage reaching $2 billion a day, equivalent to “half a million trucks going offline.”⁴     

Additionally, a carrier agreed to adopt safeguards that include stronger physical security for railroad control and switch centers based on a report last week from the Office of Inspector General. For cybersecurity controls, the Transportation Security Administration (TSA) issued two security directives in the past year with detailed requirements and timelines.   

December 2021 and October 2022 Security Directives

While the first directive applies to passenger railroad carriers, the second directive includes certain freight railroad carriers “based on a risk determination,” and points out that “[e]ven minor disruptions in critical rail systems may result in temporary product shortages that can cause significant harm to national security …with ripple effects across the economy.”⁵   

The key requirements spelled out in the October 2022 directive considered “the growing sophistication of nefarious persons, organizations, and governments.” In addition to Cybersecurity Implementation Plans and Assessment Programs, policies and procedures are required to mitigate access to and monitor systems after security has been implemented.⁶

As to the plan and program requirements, TSA requires that covered entities describe in detail the specific measures that will be taken to:

1. Implement network segmentation policies and controls;

2. Implement access control measures to secure and prevent unauthorized access;

3. Implement continuous monitoring and detection policies and procedures; and

4. Reduce the risk of exploitation of unpatched systems.

For these measures, a schedule must be submitted showing when these measures will be implemented. Additionally, an annual plan must be submitted describing how the covered entities will proactively and regularly assess the effectiveness of the above measures. Once approved by the TSA, the plan and the program will be used by the TSA to monitor compliance.    

It is essential that all of the above must be submitted to TSA by February of 2023 and must consider the more than fifty technical requirements referred to in the directive. In addition, in November, the Department of Homeland Security (DHS) and the TSA released an Advance Notice of Proposed Rulemaking to assess the current cybersecurity baseline for railroad transportation and how the industry can improve.

The TSA is requesting input on current practices that reflect an understanding of both cybersecurity and the operational issues of applying cyber risk management and their costs to the private sector. The TSA is collecting these comments to guide future directives with achievable expectations and all comments are due by January 17, 2023.⁷

For all critical infrastructure sectors, especially OT that is connected to information technology systems, government agencies are seeking detailed, industry-specific approaches from covered entities as they consider the TSA directives and pending improvements for the railroad subsector. In 2023, organizations that fall into any of the sixteen critical infrastructure sectors should expect requirements like the TSA directives. We expect to see this through regulation, administrative law interpretations and updates to commonly adhered to security frameworks such as the NIST Cybersecurity Framework. 

We also expect that organizations operating in critical infrastructure will be the subject of closer scrutiny as regulations are finalized. In determining where the standard should be set by the proposed rules, we expect that organizations’ cybersecurity and data privacy capabilities will be evaluated relative to their cohorts. 

Organizations will need to be prepared to account for their management of cybersecurity risk. It is unlikely that previous policies adequately addressed the forthcoming procedures anticipated by regulators. Organizations should closely evaluate their cybersecurity programs and controls and revisit them on a routine basis.  

Organizations should also review and update their incident response plans, risk assessments and written information security programs to identify and improve overlooked areas of risk. Relatedly, as industries work internally to incorporate these new requirements, we expect that contractual agreements may need to be reviewed or renegotiated. 

FOOTNOTES

^[1]https://www.gartner.com/en/information-technology/glossary/operational-technology-ot

^[2] https://www.broadcom.com/case-studies/symantec/go-ahead,  https://www.newindianexpress.com/states/karnataka/2021/oct/01/south-western-railwaywebsite-hacked-no-data-stolen-2366045.html, and https://www.securityweek.com/cyberattack-causes-trains-stop-denmark

^[3] 3 Takeaways From The First BIPA Verdict https://www.law360.com/articles/1539704?e_id=23049038-9894-41ae-914c-9554ee5b5991&utm_source=engagement-alerts&utm_medium=email&utm_campaign=case_updates

^[4]https://www.nytimes.com/2022/09/14/business/freight-rail-strike-supply-chain.html?smid=nytcore-ios-share&referringSource=articleShare

^[5] https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf 

^[6]https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf

^[7]https://www.govinfo.gov/content/pkg/FR-2022-11-30/pdf/2022-25941.pdf