<p><strong>tsa - X-Industry - Red Sky Alliance</strong> (feed: https://redskyalliance.org/xindustry/feed/tag/tsa, 2024-03-28T09:04:10Z)</p>
<p><strong>Cyber Security &amp; Railroads</strong></p>
<p>Published 2022-10-25T12:40:10.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)</p>
<div><p>The US Transportation Security Administration (TSA) has announced a new cyber-security directive regulating designated passenger and freight railroad carriers. The announcement demonstrates the Biden Administration’s commitment to strengthening the cyber-security of US critical infrastructure. Building on the TSA’s work to strengthen defenses in other transportation modes, this security directive will further enhance cyber-security preparedness and resilience for the nation’s railroad operations.<a href="#_ftn1">[1]</a></p>
<p>Developed with extensive input from industry stakeholders and federal partners, including the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), this Enhancing Rail Cybersecurity – SD 1580/82-2022-01<a href="#_ftn2">[2]</a> strengthens cyber-security requirements and focuses on performance-based measures to achieve critical cyber-security outcomes.</p>
<p>“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” a TSA administrator said. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”</p>
<p>The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:</p>
<ul>
<li>Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate if an Information Technology system has been compromised and vice versa.</li>
<li>Create access control measures to secure and prevent unauthorized access to critical cyber systems.</li>
<li>Build continuous monitoring and detection policies and procedures to detect cyber-security threats and correct anomalies that affect critical cyber system operations.</li>
<li>Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.</li>
</ul>
<p>Passenger and freight railroad carriers are required to:</p>
<ul>
<li>Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cyber-security measures the passenger and freight rail carriers are using to achieve the security outcomes set forth in the security directive.</li>
<li>Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cyber-security measures and identify and resolve vulnerabilities within devices, networks, and systems.</li>
</ul>
<p>This is the latest in TSA’s performance-based security directives; previous security directives include requirements such as reporting significant cyber-security incidents to CISA, establishing a cyber-security point of contact, developing and adopting a cyber-security incident response plan, and completing a cyber-security vulnerability assessment. Through this security directive, US TSA continues to take steps to protect transportation infrastructure in the current threat environment. TSA also intends to begin a rulemaking process, which would establish regulatory requirements for the rail sector following a public comment period.<a href="#_ftn3">[3]</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.globalrailwayreview.com/news/138501/new-cyber-security-directives-issued-to-u-s-railroad-carriers/">https://www.globalrailwayreview.com/news/138501/new-cyber-security-directives-issued-to-u-s-railroad-carriers/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf">https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://www.law360.com/cybersecurity-privacy/articles/1541198/white-house-issues-new-cybersecurity-rules-for-railroads/">https://www.law360.com/cybersecurity-privacy/articles/1541198/white-house-issues-new-cybersecurity-rules-for-railroads/</a></p></div>
<p><strong>DHS Introduces New Cybersecurity Requirements, Again</strong></p>
<p>Published 2021-06-16T17:01:54.000Z by Jim McKee (https://redskyalliance.org/members/JimMcKee)</p>
<div><p>The Department of Homeland Security has issued a cybersecurity directive that requires the operators of oil and gas pipelines to report ransomware attacks and other security incidents to the government. The new cybersecurity mandates, which will replace some voluntary guidelines that had been in place for a decade, were announced Thursday in the wake of a 07 May 2021 ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline serving the East Coast, triggering fuel shortages in several states.</p>
<p>The security directive, which will be enforced by the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency, requires companies that own or operate oil and gas pipelines to report any security incidents, as well as potential threats, to DHS. It also requires the firms to have a dedicated "cybersecurity coordinator" available around the clock.</p>
<p>The directive also requires pipeline owners and operators to review their cybersecurity practices, identify any gaps and required risk remediation measures, and report the results to TSA and CISA within 30 days.</p>
<p>TSA says it is considering releasing several other directives for oil and gas pipeline operators. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security," says Homeland Security Secretary Alejandro Mayorkas. "DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure."</p>
<p>The security directive comes as the pipeline industry is facing increasing scrutiny. The directive does away with many of the voluntary cybersecurity reporting guidelines TSA put in place in 2010. The Wall Street Journal recently reported that Colonial Pipeline did not undergo a review of its security practices in 2020 as requested by TSA.</p>
<p>Since 2018, the U.S. Government Accountability Office has accused TSA of lax oversight of the nation's interstate pipeline systems. TSA took on responsibility for the physical security of pipelines following the terrorist attacks on Sept. 11, 2001.</p>
<p>Bernie Cowens, the former CISO of Pacific Gas & Electric, said in a recent interview that the U.S. was not well-prepared to handle the type of attack that disrupted the Colonial Pipeline. The Colonial Pipeline attack "simply underscores the fact that in many areas we're simply underprepared," Cowens said. "We don't seem to be aware of the situation - at least not at the level that we need to be - and we don't seem to be taking the actions that we need … especially in critical infrastructure."</p>
<p>Joseph Neumann, a cyber executive adviser, suggests that DHS and TSA should further expand security requirements for pipeline operators. For example, he says the companies should provide metrics to help determine the risks they're facing. He would also like to see Congress make the DHS security directive's requirements permanent by codifying them into law.</p>
<p>DHS's new requirements are being implemented as a result of an executive order, so they're not truly permanent and have "little to no teeth" for enforcement, he says. "This is nowhere near enough and is completely reactionary to make it look like the administration is actually trying to solve the problem," he adds.</p>
<p>Neumann recommends that DHS and the Biden administration issue additional directives that would put new cybersecurity rules in place for operational technology and industrial control systems, requiring system developers to bake security into the designs. "ICS systems are not built with security in mind and have never been," Neumann says. "OT systems need to be treated the same way as IT and maintained as such. Vendors providing these technologies need to be held to the same standards and not ride the assumptions of network segmentation."</p>
<p>Lawmakers are expected to ask Colonial Pipeline CEO Joseph Blount about why the firm paid a $4.4 million ransom to the DarkSide criminal gang to obtain a decryptor, which ultimately proved to be faulty. The DarkSide gang announced on May 13 that it was shutting down its ransomware-as-a-service operation.</p>
<p>Several bills have recently been introduced in Congress to address a range of security issues in the nation's critical infrastructure.</p>
<p>Bryan Orme, principal and partner at cybersecurity firm GuidePoint Security, says that while incident reporting rules and mandatory guidelines will not necessarily lead to better security, the emphasis on cybersecurity should at least bring more attention to the issue. "Although compliance with a regulation does not necessarily achieve a strong security posture, it at least raises the bar to a minimum acceptable threshold for security," Orme says. "Stronger regulatory requirements and enforcement for these organizations that provide critical services to U.S. citizens should ensure that these entities achieve and maintain an acceptable level of cybersecurity controls."</p>
<p>On 13 May 2021, Red Sky Alliance conducted a collection and analysis of Colonial Pipeline in our proprietary data. Our data showed 401 ‘hits’, with a breakdown below:</p>
<p>Breach Data: In just the recent COMB breach alone, there were 227 hits for Colonial Pipeline employee user credentials.</p>
<p>Pastebin: We have 1 Pastebin hit for an employee at Colonial Pipeline from 2019. The Pastebin post consists of username and password data. This user is also listed as part of the COMB breach data. It only takes one breach to conduct an attack.</p>
<p>Botnet_Tracker: We have one hit from November 2019 indicating an IP address on Colonial Pipeline’s network communicating with the Anubis Sinkhole. This typically indicates the device is infected with malware.</p>
<p><strong>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</strong></p>
<p><strong>To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance’s cyber threat notification service. Details can be found at: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a>.</strong></p>
<p><strong>Red Sky Alliance is in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</strong></p>
<p><strong>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </strong></p>
<ul>
<li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li>
<li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li>
<li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li>
</ul>
</div>