Waterfall Simplifies TSA Directives for Rails Cyber Incident Response


Andrew Ginter

Effective December 31, 2021, two new TSA security directives require that freight railroad carriers (SD 1580-21-01) and owners/operators of passenger railroad carriers or rail transit systems (SD 1582-21-01) perform four critical actions:

  • Designate a Cybersecurity Coordinator who is a U.S. citizen eligible for a security clearance,
  • Report cybersecurity incidents to CISA within 24 hours of identification,
  • Develop a Cybersecurity Incident Response Plan, and
  • Conduct a cybersecurity vulnerability assessment using a form provided by TSA.

The TSA made these directives mandatory because cybersecurity incidents affecting surface transportation are a growing and evolving threat, and because the TSA is convinced that malicious cyber actors continue to target U.S. critical infrastructure.

Which incidents should be reported?

The TSA directives do not enumerate every event that qualifies as an incident, but they clearly apply to both the IT (Information Technology) and OT (Operational Technology) networks. Cybersecurity best practice suggests reporting any:

  • Discovery of malicious software,
  • Activity resulting in a denial of service,
  • Unauthorized access,
  • Incident resulting in operational railway disruption, potentially impacting the system’s economic security,
  • Incident that affects the system’s safety or endangers the life or health of passengers, and any
  • Incident putting at risk the integrity of a critical infrastructure.

Simpler incident response

Unidirectional Security Gateways facilitate compliance with these directives by simplifying cybersecurity incident-response plans. They are most commonly deployed as the sole connection between the OT networks that automate physical operations and the IT networks that automate business operations. The gateways replicate database servers and other servers from operations out to business networks, so that business automation has access to all permitted operations data. The gateway hardware, however, physically allows nothing to flow back into the operations control network: no attack traffic, and no potentially compromised information of any kind.

By positioning these gateways at the OT/IT boundary, cybersecurity teams can be certain that no attack that compromised the IT infrastructure can spread into the OT environment through that network connection. This dramatically simplifies incident response plans: if there is physically no network path for IT attacks to “leak” into operations, there is no need to pre-emptively shut down operations or to investigate operations as part of commonplace IT security incidents. One caveat belongs in any such plan: the guarantee covers the gateway path only. Removable media, vendor laptops, cellular modems or any other connection that bypasses the gateway remains a possible route into OT and must be controlled and checked separately. Physically and unidirectionally protecting rail systems’ OT and safety-related automation from the more vulnerable Internet-connected IT network infrastructure thus dramatically simplifies and reduces the cost of IT cybersecurity incident investigations.

For a free consultation with a Waterfall rail systems cybersecurity specialist about how unidirectional gateways can reduce the cost of incident response while improving overall operations security, please fill out the “contact us” page on the Waterfall website.

For more information on how Waterfall’s Unidirectional Security Gateways improve rail systems’ cybersecurity, please download Waterfall’s latest rails cybersecurity report.
