Operational Technology (OT) is hardware and software that detects or causes change by directly monitoring and/or controlling industrial equipment, assets, processes, and events.1 By design, OT underpins many critical infrastructure functions and is typically frugal in terms of features and applications.
OT systems typically rely on highly customized, specific deployments such as remote monitoring and control of oil and gas flows, water treatment, SCADA systems, and rail operations. OT systems also tend to rely on proprietary protocols and tend to be deployed with minimal bloat and frills and a particularly narrow feature set.
From a security perspective, OT systems are typically incompatible with traditional malware. OT systems are so narrow that they benefit from a concept called “security by obscurity”, which refers to systems whose security is based on the tools and applications they use rather than on cryptography or other technical measures.
Security through obscurity remains an important feature of OT systems, but the inability to implement adequate technical safeguards and governance structures is grounds for legal liability (i.e. regulatory investigation or litigation). Entities involved in supporting critical infrastructure hold higher security standards than private sector entities.
Tighter regulations on railroads
It has been a turbulent year for the rail industry. Between September and November 2022, telecom operators in India, Denmark and the UK were hit by cyberattacks that disrupted OT and caused delays and shutdowns.2 In October 2022, a jury found the BNSF railroads liable for $228 million as a result of violating the Illinois Biometric Information Privacy Act.3
Railway companies are one of the seven major subsectors of the transportation sector. Earlier this month, a nationwide strike was averted. This is because the economic damage of 500,000 trucks going offline is equivalent to $2 billion per day.4
Additionally, the airline has agreed to adopt safety measures, including stronger physical security for rail control and switching centers, based on a report from the Inspector General’s Office last week. On cybersecurity controls, the Transportation Security Administration (TSA) last year issued two security directives with detailed requirements and timelines.
Security Directives of December 2021 and October 2022
While the first Directive applies to passenger rail companies, the second Directive targets certain freight rail companies “based on a determination of risk”, pointing out: “[e]ven minor disruptions to critical rail systems can lead to temporary product shortages that can seriously harm national security, with ripple effects across the economy.”5
A key requirement detailed in the October 2022 Directive is that “a malicious person, organization, and the government. In addition to a cybersecurity implementation plan and assessment program, policies and procedures should be in place to mitigate and monitor access to systems once security is implemented.6
With respect to plan and program requirements, the TSA requires covered entities to detail the specific actions that will be taken to:
- Implement network segmentation policies and controls.
- Implement access control measures to protect and prevent unauthorized access.
- Implement continuous monitoring and detection policies and procedures.
- Reduce the risk of unpatched systems being exploited.
For these measures, you must submit a schedule that indicates when these measures will be implemented. In addition, covered entities must submit an annual plan outlining how they will proactively and regularly assess the effectiveness of the above measures. Once approved by the TSA, plans and programs are used by the TSA to monitor compliance.
All of the above must be submitted to the TSA by February 2023 and must take into account the 50+ technical requirements mentioned in the Directive. Additionally, in November, the Department of Homeland Security (DHS) and the TSA launched a review of proposed rulemaking to assess the current cybersecurity baseline for rail transportation and how the industry could improve, and released an advance notice.
The TSA is seeking input on current practices that reflect an understanding of both cybersecurity and the operational issues that apply cyber risk management and its costs to the private sector. The TSA will collect these comments to guide future directives with achievable expectations. All comments must be submitted by January 17, 2023.7
For all critical infrastructure sectors, especially OT, which is connected to information technology systems, agencies should consult the industry, with details from covered entities, when considering TSA directives and pending improvements in the rail subsector, seeking a unique approach. By 2023, organizations in any of the 16 critical infrastructure sectors should expect requirements such as those in the TSA Directive. These are expected to arrive through regulation, administrative law interpretations, and updates to commonly followed security frameworks such as the NIST Cybersecurity Framework.
Additionally, organizations operating on critical infrastructure are expected to come under closer scrutiny as the regulations are finalized. We expect that an organization’s cybersecurity and data privacy capabilities will be assessed relative to its cohort in determining where the bar should be set by the proposed rule.
Organizations should be prepared to discuss managing cybersecurity risks. It is unlikely that the previous policy adequately addressed the forthcoming proceedings anticipated by regulators. Organizations should closely evaluate and periodically revisit their cybersecurity programs and controls.
Organizations should also review and update incident response plans, risk assessments, and documented information security programs to identify and improve areas of risk that are overlooked. Relatedly, it is expected that contractual agreements may need to be confirmed or renegotiated as the industry works internally to incorporate these new requirements.
Footnotes
[1] https://www.gartner.com/en/information-technology/glossary/operational-technology-ot
[2] https://www.broadcom.com/case-studies/symantec/go-ahead, https://www.newindianexpress.com/states/karnataka/2021/oct/01/south-western-railwaywebsite-hacked-no-data-stolen-2366045.html, and https://www.securityweek.com/cyberattack-causes-trains-stop-denmark
[3] Three points from the first BIPA decision https://www.law360.com/articles/1539704?e_id=23049038-9894-41ae-914c-955…
[4] https://www.nytimes.com/2022/09/14/business/freight-rail-strike-supply-chain.html?smid=nytcore-ios-share&referringSource=articleShare
[5] https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf
[6] https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf
[7] https://www.govinfo.gov/content/pkg/FR-2022-11-30/pdf/2022-25941.pdf
© Polsinelli PC, Polsinelli LLP of California. National Law Review, Vol. XII, No. 356