Responding to TSA’s Cybersecurity Directive: Principles and Tactics to Begin Your Cybersecurity Journey

Feb. 15, 2022

In December 2021, The United States Transportation Security Administration (TSA) released two cybersecurity-focused directives applicable to the rail industry. These directives further underscore the focus by TSA, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), on prescribing specific cybersecurity requirements on industry to protect critical infrastructure.

In addition to the Security Directives, TSA also introduced an Information Circular providing similar guidance (strong recommendations) to ALL surface transportation organizations. However, not a directive, the guidance found in the Information Circular mirrors the previously released Security Directives.

Where should organizations impacted by these directives and circulars begin their journey?

The directives and circulars require applicable organizations to implement ownership and accountability measures for managing and reporting incidents; furthermore, it requires that organizations effectively assess and mitigate their overall risk exposure. This is no small feat! Organizations should begin by adhering to the following three core principles:

Cyber Risk is Business Risk. Cyber risk goes far beyond the purview of the IT organization. Human Resources, Sales, Marcom, Legal, Operations, Finance, and others play a critical role in preventing and effectively managing cyber risk.

Law of Diminishing Returns. Organizations must recognize complete risk elimination is unattainable and that dollars invested beyond the elusive “optimal point” provide diminishing value. There are countless examples of organizations that have spent millions upon millions of dollars implementing measures to reduce risk only to find themselves victims of cybercrime.

Program vs. Project. There are two constants in cybersecurity: 1) the business landscape of an organization is likely to change, and 2) the threat landscape will most certainly change. Organizations that address cybersecurity as an ongoing risk program initiative are historically far more successful than those that address cybersecurity as a one-time project. Managing risk never ends; projects do.

Are there established best practices for developing a comprehensive cybersecurity plan?

TSA recommends following best practices found within the NIST Cybersecurity Framework, a uniform set of rules, guidelines, and standards for organizations to manage better and reduce cybersecurity risk (NIST 800-171). NIST best practices are comprehensive, containing 110 controls across 14 control families. Organizations with limited resources will likely experience difficulty interpreting, applying, and prioritizing the NIST controls within their environment; therefore, to meet the requirements of the directives and circulars, Secuvant recommends a three-phased approach to implementing a Risk Management Program based on NIST:

  • First, base-level compliance with each NIST 800-171 control directly tied to the four requirements listed in the Security Directive.
  • Second, formation of a formal Risk Management Program with an initial focus on ensuring a) incident response plans remain updated and relevant, b) incident response plans are tested regularly through scenario-based tabletop exercises that extend beyond IT to the executive suite, and c) implementation of a Threat Vulnerability Management program ensuring the organization is apprised of ongoing vulnerabilities.
  • Third, a comprehensive NIST 800-171 Gap and Risk Assessment performance across all 110 controls. The objective of this exercise is threefold: a) understand and prioritize the control gaps within your environment, b) establish a maturity score baseline for ongoing measurement and improvement, and c) establish a multi-year security roadmap based on prioritized risk findings.

Available security resources and budgets have traditionally been a challenge; how might agencies overcome limited resources to address TSA mandates?

The cybersecurity industry finds itself in uncharted territory. It was projected that in 2021 there would be 3.5 million unfilled cybersecurity jobs (source: cybersecurity ventures). This poses a significant challenge for agencies who find themselves competing with large enterprises for the same security talent. For this reason, in March 2021, experts further predicted roughly 70 percent of organizations were planning to outsource security to a security provider during the next year (source: Kaspersky’s Global Corporate IT Security Risks Survey).

Agencies would do well to follow the trend of outsourcing security services.

The transportation industry anticipates unprecedented funding due to the $1-Trillion Infrastructure Bill. Additional funding for cybersecurity initiatives is available to agencies via federal grants assuming agencies can demonstrate effective use of the funds.

Secuvant is well-positioned to assist transit agencies in securing funding and addressing the TSA cybersecurity-demanding mandates. Secuvant is staffed with cybersecurity professionals and transportation industry veterans with decades of experience working in aviation, transit (rail and bus operations), plus new mobility services (on-demand, microtransit, autonomous mobility, and more). As a result, Secuvant has successfully created security service bundles that directly align with the three-phased approach referenced herein for implementing a NIST-based Risk Management Program. To engage in a conversation about how we might assist you in becoming both compliant and secure, kindly reach out to us at 855-732-8826 to speak with a risk consultant or visit us online at www.secuvant.com.

About the Author

Ryan Layton | Founder and CEO, Secuvant, LLC

Ryan is an accomplished business and technology professional with 20+ years of experience working with C-Level executives within the Fortune 1000 space.

As Co-founder and CEO of Secuvant, Ryan oversees vision, strategy and execution efforts for the firm.

Prior to Secuvant, Ryan spent 14 years in Sales and Services at Forsythe Technologies, where he built and managed a client portfolio producing revenues in excess of $40 Million annually. He has a proven track record utilizing his business and financial background to understand and leverage technology to meet business objectives. He further credits his success to his ability to build relationships based on integrity and trust.

Ryan holds a BS degree in Accounting from the University of Utah and an MS degree in Business Information Systems from Utah State University.