January 31, 2023
Transportation Security Administration
U.S. Department of Transportation
1200 New Jersey Avenue SE
West Building Ground Floor, Room W12-140
Washington, DC 20590-0001
Submitted via electronic filing through www.regulations.gov
RE: Operational Technology Cybersecurity Coalition’s Response to Docket No. TSA-2022-0001, Advance Notice of Proposed Rulemaking on Enhancing Surface Cyber Risk Management
TSA Surface Transportation Policy Team:
The Operational Technology Cybersecurity Coalition (OT Coalition) appreciates the opportunity to submit comments to the Surface Transportation Policy Team at the Transportation Security Administration (TSA) in response to the Advance Notice of Proposed Rulemaking (ANPRM) under Docket Number TSA-2022-0001, Enhancing Surface Cyber Risk Management.
The OT Coalition is a diverse group of leading industrial control systems (ICS) and operational technology (OT) cybersecurity vendors, with decades of experience defending our country from cybersecurity threats. We have joined together to improve the cybersecurity of OT environments, driven by the belief that the strongest, most effective approach to securing our collective defense is one that is open, vendor-neutral, and allows for diverse solutions and information sharing without compromising cybersecurity defenses.
The ANPRM asks for respondents to address several questions that deal with specific aspects of strengthening cybersecurity and resiliency in the pipeline and rail sectors. However, the OT Coalition believes there are a number of strategic, cross-cutting issues that TSA should consider as it looks to update cybersecurity and resiliency regulations for the pipeline and rail sectors.
Updated Cybersecurity Regulations Must Embrace Vendor Neutrality
Any updated cybersecurity guidance or requirements for these sectors must embrace vendor neutrality to reduce the technical friction and cost that would be associated with allowing non-interoperable approaches, and to mitigate the negative impact that proprietary approaches would have on collecting and managing the relevant data during an ongoing incident.
As TSA is aware, data must be pulled and analyzed from multiple devices and applications to establish a baseline for network traffic. Many of the devices and applications used in the pipeline and rail sectors today were either developed by competing manufacturers or, especially in the case of legacy infrastructure, were designed with the presumption they would be air gapped. Even those devices that were not designed with native IP-based components ultimately can end up being connected to other devices that are networked themselves.
Establishing continuous visibility within this disparate universe of components and applications and ensuring tools designed to monitor and react to traffic between them can do so in real time will be an essential factor to securing operational networks. Whether this is done through sensors at electronic access points (EAPs) or otherwise, the ability to quickly collect data, detect anomalies, analyze signals, and notify appropriate stakeholders will be hampered, and sometimes impossible, if a vendor-specific platform, approach, or data format is permitted.
Proprietary approaches to ICS and OT security would also result in the sectors suffering from silos or otherwise closed-wall environments, forcing asset owners and operators to settle among specific or sole solution providers. For less-resourced asset owners and operators, this would be unsustainable. The artificially limited availability of solution providers will impact technology and workforce decisions as increasingly specialized tools and talents will be required, without alternatives. This will harm the ability to develop collective-defense capabilities within the surface transportation sector as a whole.
Any regulations intending to enhance surface cyber risk management should explicitly embrace and support the concept of vendor neutrality to allow the sector to take advantage of the experiences and knowledge of all sector participants, without limitation.
Cybersecurity Regulations Must Encourage Automation
The architecture associated with pipeline and rail cyber systems should, to the extent possible, take advantage of and encourage the adoption of automation throughout the process, permitting the use of up-to-date information and standards formats for sharing intelligence across sector participants.
The increasing attack surface of pipeline and rail sector participants, by its nature, threatens cyber systems connected to or otherwise remotely accessible from targeted networks. With unique circumstances present in the pipeline and rail sectors due to their reliance on physical and cyber infrastructure, organizational and technological complexity can quickly reach a level where even the largest asset owners and operators will struggle to manage a manual process. This can result in smaller or less-resourced participants choosing to either settle for a cybersecurity provider that makes unrealistic promises or recommends the cheapest path to compliance, or ultimately work to qualify for an exemption.
Through standardization, consistency in and automation of compliance-related actions can be supported and scaled effectively. Automation permitted through standardization will also encourage vendor neutrality, which will be necessary to develop solutions that are affordable while maintaining a degree of modularity and permitting owners and operators to shift solutions when desired or necessary. It will also facilitate implementing emerging but necessary cybersecurity technologies, such as those that take advantage of artificial intelligence and machine learning.
Any regulations intending to enhance surface cyber risk management should ensure they can be optimized to encourage automation to provide, among other benefits, improved information collection and sharing across the sector as a whole.
Leverage Work Already Done by Other SRMAs
While many challenges faced by the pipeline and rail sectors are unique to those sectors, most of the risks to ICS and OT networks are shared by virtually every critical infrastructure sector that manages physical systems. Other sector risk management agencies (SRMAs) have already developed effective guidance for the deployment of vendor-neutral and interoperable technologies and systems that provide asset and network visibility, indicators of compromise, threat detections, and warnings with actionable intelligence.
Collaboration between industry and government is crucial for increasing standards for managing digital assets in operational environments to secure national security and critical infrastructure. Industry has the necessary expertise and experience to apply cybersecurity best practices from the IT sector, such as change and configuration management, safely and effectively in OT environments to secure cyber-physical systems.
Collectively, we should pursue deeper, richer asset data practices to ensure a more complete picture of the attack surface so that actions can be taken to mitigate threats.
For example, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has posted a list of “Considerations for ICS/OT Cybersecurity Monitoring Technologies.” We believe that these represent a good start in considering which technologies to deploy on ICS and OT networks. To expand that list, we offer the following additional suggestions:
Technologies that discover and maintain an updated asset inventory of critical systems core to maintaining safety and resiliency that draw on industry-recognized and supported standards, including CIS CSC, ISA/IEC 62443, NIST SP 800-53, and NIST SP 800-82.
Technologies that include continuous threat and vulnerability intelligence feeds focused on the access, exploitation, and protection of ICS and OT environments and entities.
Technology that has dynamically updatable (either on-premises or cloud-based) analytic and detection capabilities, leveraging timely, validated, and trusted external or internal threat intelligence through a repository of known vulnerabilities and exposures of assets core to maintaining safety and resilience. To the extent possible, these capabilities should leverage CVSS Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics as outlined by the National Vulnerability Database scoring methodology.
In addition, as many sectors experience similar risks, TSA should review existing risk management guidance issued in other sectors and look to replicate it and harmonize those regulations, both nationally and internationally, in order to reduce the reporting and regulatory burden on companies.
Updated Cybersecurity Regulations Must Specify Risk Management Practices
While cohesive guidance and standards across the pipeline and rail sectors have benefits, TSA needs to consider the differing levels of maturity within the sector and provide risk management practices that meet organizations where they are. In addition, TSA should develop guidance, not set requirements, that advises an organization based on its corresponding maturity level, in order to implement controls that will be the most effective at managing risk.
TSA should leverage existing use cases and work done by the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) on industrial cybersecurity to provide a wider range of tools to organizations.
For example, in May 2020, NIST Special Publication 1800-23C was published following the energy sector’s request for an automated OT asset management solution. The result was a Practice Guide that provides examples of how energy organizations can use commercially available technologies that are consistent with cybersecurity standards to establish, enhance, and automate their OT asset management. NCCoE announced a similar effort for the Water and Wastewater Systems (WWS) sector in November 2022. As with leveraging the work already done by other SRMAs, NCCoE’s work can also help inform TSA’s solutions as it works to strengthen cybersecurity and resiliency in the pipeline and rail sectors.
Again, the OT Coalition thanks TSA for the opportunity to provide feedback that should inform the important work your organization is undertaking to protect our nation’s pipeline and rail networks. We welcome questions on our feedback and look forward to continuing to be a part of this discussion as it develops.
Executive Director, Operational Technology Cybersecurity Coalition