February 1, 2023
David P. Pekoske
Transportation Security Administration
6595 Springfield Center Drive
Springfield, VA 20598
RE: Enhancing Surface Cyber Risk Management
Docket No. TSA-2022-0001
Dear Administrator Pekoske:
On behalf of the Transportation Trades Department, AFL-CIO (TTD), I am pleased to respond to the Transportation Security Administration's (TSA) advance notice of proposed rulemaking (ANPRM) regarding surface cyber risk management. TTD consists of 37 affiliated unions representing the totality of rail labor, including both passenger and freight rail workers. Our affiliated unions represent the workers who operate, maintain, and dispatch trains; inspect and maintain signal systems and switches; and perform a host of other safety-critical tasks in the rail sector. Not only do these workers bear the greatest risk exposure associated with cyber threats, but they are also the eyes and ears of our rail systems and should be considered instrumental to the implementation of cyber risk management and to the reporting of cyber threats.
However, frontline rail workers across the entire industry have been excluded from the cybersecurity process, exposing a glaring error in how cyber risk management has been carried out in the rail industry. This exclusion makes it difficult for our affiliates to respond to TSA's specific questions in this ANPRM. The patchwork system that currently exists to address cybersecurity risks, largely handled individually by each rail carrier, has historically not included any input from rail labor and has wholly failed to educate workers on risks, responses, and mitigation procedures.
TTD applauds TSA for initiating this rulemaking to create mandatory standards for railroads and to hold them accountable regarding cybersecurity to protect their workers and the public. The patchwork system that currently exists is not sufficient to meet the needs of today’s cybersecurity landscape, and it has not been sufficient for many years. The standards that this rule will set forth are long overdue, and we are eager to work with TSA and the railroads to create minimum, robust standards for safety and security that will be able to evolve as threats do. TTD recognizes rail infrastructure as critical infrastructure that falls under the Department of Homeland Security’s Primary Mission Essential Function (PMEF) #2 to ensure delivery of essential services and functions; the Department of Transportation’s PMEFs #1 and 2; supporting FEMA’s National Essential Functions #5, 6, 7, and 8 in the National Continuity Program; and FEMA’s Emergency Support Function #1: Transportation under the National Response Framework. The rail network also plays a key role in maintaining the country’s electrical and energy infrastructure. Given the number of critical roles that rail serves on a daily basis and would serve in the case of an activation of national continuity and response planning, securing our country’s rail infrastructure is vital.
Without question, this rulemaking should provide opportunities and processes to ensure that labor is included in developing, approving, and implementing Cyber Risk Management (CRM) plans that are used in rail and hazardous material operations. Failing to do so jeopardizes the safety and security of the rail industry. Moreover, as technology develops, it will become even more important to include workers in the process to ensure that any proposed plans are both effective and practical and can be fully implemented as intended.
Beyond the questions posed in this ANPRM, we urge TSA to seek a more fundamental understanding from the rail industry and its workers of how workers have been excluded from the cybersecurity threat management process, and of whether workers have been trained to identify, report, and manage cyber threats. It is frontline workers who operate and maintain our rail systems. There is nobody better equipped to identify when a system is working outside of its normal operational functions than the frontline workers who operate and maintain those systems on a daily basis. Yet, by excluding those workers from the cyber threat management process, we are putting workers and the communities through which rail lines operate at serious risk.
In its ANPRM, TSA proposed a number of questions to labor and industry groups. Where we feel equipped to do so, we will offer common sense solutions and input from the labor perspective, but this is no replacement for bringing labor stakeholders together with industry and security professionals to holistically address these issues with the seriousness they deserve.
Additionally, while TSA is asking excellent questions to delve further into the CRM practices railroads are currently utilizing, the questions in the ANPRM do not address some of the most obvious flaws in railroads' CRM. In this notice, TSA has not examined the needs of workers with regard to training, the ways workers can properly identify problems or breaches, how these incidents would be reported, and how workers would respond to manage any immediate threats posed by breaches in cybersecurity. The full incident cycle must be considered from the perspective of workers on the ground, including operating employees, train dispatchers, carmen and signalmen, maintenance of way employees, and anyone else who may be called to respond to the incident.
TSA Question B.1: What cybersecurity measures does your organization currently maintain and what measures has your organization taken in the last 12 months to adapt your cybersecurity program to address the latest technologies and evolving cybersecurity threats? What are your plans to update your cybersecurity program in the next 12 months? How much does your organization spend on cybersecurity annually?
Because frontline rail workers and their unions have been excluded from the cybersecurity threat management process and have not been given proper training by their employers on identifying and managing cyber threats or vulnerabilities, they currently do not have the tools they need to recognize whether irregular operations are the result of a cybersecurity breach. Significantly, employees and their unions are not even made aware of the existence or contents of railroads' CRM plans or of updates to those plans. This lack of communication is not acceptable. Workers, particularly those who are operating or dispatching trains that can weigh more than 16,000 tons and exceed five miles in length, should be trained to recognize suspicious activity and to implement procedures for reporting and responding to incidents. As it is, because workers have not been given any process for reporting and further assessing anomalies, employees assume that any anomaly is a simple mechanical failure that does not warrant further investigation. Critically, employees also have not been trained on how best to manage the immediate impacts that cyber threats may have on their own or others' safety.
TSA Question B.2: What assessments does your organization conduct to monitor and enhance cybersecurity (such as cybersecurity risk, vulnerability, and/or architecture design assessments, or any other type of assessment to information systems)? How often are they conducted? Who in your organization conducts and oversees them? What are the assessment components, and how are the results documented?
CRM procedures vary from rail carrier to rail carrier, with little uniformity and no means to measure the level of safety achieved. Workers and their unions have been told to trust that railroads are monitoring and addressing cyber threats, but the railroads have provided no proof of this. Anecdotal evidence shows that train enthusiasts are able to access detailed information regarding when and where specific rail equipment will be moving. Many of these train enthusiasts post videos to social media showing specific cars, locomotives, or other rail equipment. It is not a significant leap to think that if individual enthusiasts can access schedule and equipment information, they could also access information on the materials being carried, including hazardous materials such as diesel or chlorine. Further, if individuals with benign, hobby interests in the history of the railroad industry and rail operations can access this information, so can individuals with malicious intent.
TSA Question B.4: Are the actions you discussed in response to question B.1. based on any of the standards identified in section I.H. of this ANPRM? If so, please specify which standard. If your response is based on standards not identified in section I.H. of this ANPRM, please identify the standard and provide a link or other information to assist TSA in gaining a better understanding of the scope and benefits of the standard.
Currently, if an operator thought suspicious activity was occurring, the operator would radio the dispatcher to make the dispatcher aware of the situation and to make a report. This employee would not hear any further updates regarding the situation unless it affected the operating status of the train. The operator would not be warned to be vigilant for further anomalies that could indicate a cyber threat.
If a dispatcher needed to communicate a threat to a moving train, such communication could be done through system bulletins or mandatory directives in the Positive Train Control (PTC) system. However, only locomotive engineers have full access to mandatory directives; conductors do not directly receive that information. Dispatchers could also use radios to communicate with the train crew. If the radio system were down, however, there would be no backup direct communication method, and there are significant portions of the rail network that do not get sufficient cellular signal to make or receive calls.
In the case where the dispatcher was aware of a threat, but could not contact the moving train, the train would continue moving until encountering a red signal. However, signals can be locally manipulated to override a dispatcher’s red signal, which provides an additional layer of concern.
TSA Question C.2: Does your CRM include aspects of system protection, system penetration testing, security monitoring, incident response, incident forensic analysis, and a plan for restoration of operations? If not, which features does your CRM address? What are the challenges for incorporating any missing facets? Are some parts of CRM developed in-house while a third-party develops other pieces? If so, why and what advantages do either of these approaches offer?
Rail labor has never been made aware of railroads conducting penetration testing or any similar proactive security testing. As stated above, rail labor has not been made aware of, and workers have not received training in, any incident response plans. Workers have not been trained in any specific return-to-operations procedures. Further, rail labor has no knowledge of any procedures for conducting after-incident investigations.
TSA Question C.5: What cybersecurity personnel training and security awareness and skills education should pipeline and rail owner/operators be required to provide, and to which employees (i.e., should it apply to all employees or just those with specific responsibilities, such as cybersecurity personnel, those with access to certain systems, etc.)? Please provide relevant information regarding what CRM training courses are available and the duration of each course, as well as how much it costs you to develop and conduct or otherwise provide CRM training and update current courses and training requirements. This information should include costs for owner/operators to create or procure course content for the types of employees identified.
Employee CRM training should, at a minimum, cover vulnerabilities, the signs and symptoms of system breaches and interference, when to notify supervisors, and the operational changes that indicate further problems. The employees who most need this training include operating crafts, dispatchers, signalmen, and maintenance of way employees. TTD is not aware of any specific courses that are commercially available; however, TTD and our member unions are eager to work with TSA and the railroads to identify courses that are sufficient. We wish to note that the cost of such training would be minimal compared to the potential cost of a security breach. Investments in training directly correlate with employee safety, and in the case of cybersecurity this extends to public safety, given the inherent risks of operating 16,000-ton trains at speed through communities, often carrying hazardous materials.
TSA Question D.1: In addition to the requirement to report cybersecurity incidents, should pipeline and rail owner/operators be required to make attempts to recover stolen information or restore information systems within a specific timeframe? If so, what would be an appropriate timeframe?
Rail owners and operators should absolutely be required to recover, or render obsolete, any stolen information. Stolen information could include manifests, schedules, and route information, including maps showing routes for hazardous materials running through major cities. Railroads should be required to determine what information was stolen and to mitigate any risks associated with the breach. This could include recovering the stolen information, though given the immediacy of rail operations, it would almost certainly be necessary to change schedules so that the stolen information is rendered obsolete.
TSA Question D.2: From a regulatory perspective, TSA is most interested in actions that could be taken to protect pipeline and rail systems by ensuring appropriate safeguards of critical cyber systems within IT and OT systems. What types of critical cyber systems do you recommend that regulations address and what would be the impact if the scope included systems that directly connect with these critical cyber systems? Please provide sufficient details to allow TSA to identify where and how your recommendations relate to our current requirements or recommendations, as discussed in Section I.E.
Railroad operations rely on many critical cyber systems, including but not limited to: the PTC system, Trip Optimizer or Electronic Train Management System (ETMS), electronic routing systems, and remote switching operation systems.
TSA Question D.3: Recognizing that there are both evolving threats and emerging capabilities to address known threats, how could owner/operators adjust their vulnerability assessments and capabilities if TSA were to issue periodic benchmarks to pipeline and rail owner/operators on the scope of vulnerability assessments that are informed by the latest technologies and evolving threats? The purpose of the periodic guidance and assessments would be to facilitate the owner/operator’s evaluation of vulnerabilities and capabilities based on the most current technologies and threats.
TSA should absolutely impose benchmarks to ensure that vulnerability assessments are covering ever-evolving threats and vulnerabilities. Additionally, there should be procedures to ensure that railroads that fail to meet those benchmarks come into compliance quickly.
TSA Question D.5: What would be the benefits and challenges for the pipeline and rail sectors if owner/operators were required to use an accredited third-party certifier to conduct audits/assessments to determine effectiveness of the owner/operator’s cybersecurity measures and/or compliance with existing requirements? What would be the costs of implementing a requirement to use a third-party certifier?
There would be significant benefit to using an accredited third-party certifier to conduct audits of rail cybersecurity measures and compliance. Most notably, it would increase trust in compliance findings, owing to the neutrality of the third-party certifier. Railroads have eroded public and worker trust significantly in recent years through policies such as Precision Scheduled Railroading, draconian attendance policies, workforce cuts, attempts to subvert safety regulations, and the prioritization of profits over worker quality of life. Any cost associated with third-party certification would be a fraction of the unprecedented profits that railroads have made in recent years on the backs of their workers. Additionally, such certification is entirely warranted considering the vast amount of critical infrastructure that railroads maintain. The country became all too familiar with the consequences of supply chain failures during the pandemic, and TTD knows that the pandemic supply chain problems would pale in comparison to what would happen if a cybersecurity attack halted the nation's rail system.
TSA Question D.7: Should pipeline and rail owner/operators be required to conduct third-party penetration testing to identify weakness or gaps in CRM programs? Please address the identified costs and benefits of this action, and any legal, security, privacy, or other issues and concerns that may arise during the testing process or prevent third-party penetration testing.
Railroads should be required to conduct periodic third-party penetration testing to identify weaknesses and gaps in security. This would serve as something of a "cybersecurity fire drill" to assess the capability and effectiveness of mitigation measures and the response of incident management plans. During penetration testing, risks to the public can be controlled through agreed scope, scheduling, and rules of engagement, so that weaknesses that would be catastrophic in a real incident are identified without the testing itself disrupting train movement.
TSA Question D.9: Should pipeline and rail owner/operators designate a single individual (such as a chief information security officer) with overall authority and responsibility for leading and managing implementation of the CRM? Or should they designate a group of individuals as responsible for implementation or parts thereof?
Railroads have a responsibility to ensure that they have the best possible information regarding cybersecurity vulnerabilities. To have full visibility into vulnerabilities, it is essential to include the perspectives of workers on the ground. Labor representatives should be included in any assessment, planning, and decision-making regarding cybersecurity. This is simply a best practice to ensure robust security operations, and it recognizes the railroads' legal liability to ensure that their facilities are safe and secure.
TSA Question D.10: Should the individuals who you identified under D.8. (sic) be required to have certain qualifications or experience related to cybersecurity, and if so, what type of qualifications or experience should be required? If not, what specific requirements should there be for who would implement a pipeline and rail owner/operators’ CRM program? Would implementing this type of requirement necessitate hiring additional staff? If so, how many and at what level and occupation?
Individuals responsible for assessing, planning, and responding to cyber vulnerabilities should absolutely have training and expertise related to cybersecurity. Any railroad chief operators with such duties should have specific education, experience, or certifications similar to those used in other industries with critical infrastructure.
TSA Question D.11: Should pipeline and rail owner/operators be required to monitor and limit the access that individuals have to OT and IT systems in order to protect information and restrict access to those who have a demonstrated need for access to information and/or control? Actions include limiting user access privileges to control systems to individuals with a demonstrated need-to-know and using processes and tools to create, assign, manage, and revoke access credentials for user, administrator, and service accounts for enterprise assets and software. What would be the cost of implementing this type of requirement?
Access to information technology (IT) and operational technology (OT) systems should be strictly limited to individuals with a demonstrated occupational need to know. This is how most industries operate today: individual user accounts are given limited, revocable access to only the information and functions they need. This type of control is even more important in managing the safety of critical infrastructure, much of which is physically exposed. Physical access to facilities should be considered equally as important as electronic access.
TSA Question D.12: What CRM security controls should pipeline and rail owner/operators be required to maintain, and in what manner? Please address each of the following:
Defense-in-depth strategies (including physical and logical security controls);
Separation of IT and OT systems;
Encrypting sensitive data both in transit over external networks and at rest;
Operating antivirus and anti-malware programs;
Testing and applying security patches and updates within a set timeframe for IT and OT systems; and
Implementing, integrating, and validating zero-trust policies and architecture.
TTD recognizes rail operations as critical infrastructure that delivers vital goods, including vaccines, energy, and food. For such high-priority infrastructure, extensive effort should be taken to ensure that it operates safely, effectively, and efficiently. Industry-standard cybersecurity measures such as defense-in-depth strategies, network segmentation, multi-factor authentication, data encryption, antivirus software, timely security patching, and zero-trust architecture are no-brainers. Because rail operations include extensive physical operations, equipment movement, remote communications, track switches, and more, separating IT and OT systems may require consultation with cybersecurity professionals. However, to the extent that separation is possible, these systems should be separated so that any breach is contained and localized.
TSA Question D.14: What baseline level of physical security of CRM architecture should pipeline and rail owner/operators be required to maintain, including ensuring that physical access to systems, facilities, equipment, and other infrastructure assets is limited to authorized users and secured against risks associated with the physical environment? How much would it cost to implement the baseline physical security measures you identified in your response? How many of the identified measures are currently maintained (if such information has not already been provided to TSA)?
Due to the highly exposed nature of rail operations, physical access is a vulnerability that would be particularly simple to exploit. Common sense measures should be taken to secure physical access to properties and equipment. Some basic steps that could be taken to secure yards and other facilities are: requiring visible employee identification, controlled and revocable individual access to facilities, access logs, and locked fences with gates at entry and exit points. It is common practice in workplaces that do not house critical infrastructure to control access to facilities and to keep a log of all employees and visitors who enter and exit. Given how critical the rail system is, as discussed above and as evidenced by the transportation and movement of goods and services being included in multiple primary mission essential functions, access to these facilities should be at least as secure as that of an average non-essential workplace.
TSA Question D.16: What minimum cybersecurity practices should pipeline and rail owner/operators require that their third-party service providers meet in order to do business with pipeline and rail owner/operators? What due diligence with respect to cybersecurity is involved in selecting a third-party provider? For example, do pipeline and rail owner/operators include contractual provisions that specifically require third-party service providers to maintain an adequate CRM program? Should TSA require such provisions, and if so, for what pipeline and rail segments and under what circumstances?
In accordance with zero-trust policies, all third-party providers, including software and hardware suppliers, should be vetted against rigorous standards. There can be no assumed integrity. Zero trust is an industry-accepted strategy for supply chain risk management.
TTD welcomes TSA's surface cybersecurity rulemaking. Workers and their unions have historically been left out of these critical discussions, and we are eager to correct this. The frontline workers on the ground are in the best position to identify and respond quickly to cybersecurity vulnerabilities. It is unacceptable that these workers are currently put at risk due to a lack of training and transparency from railroad management. We look forward to furthering this conversation and working with TSA on these important issues.
Attached is a list of TTD's affiliated unions.