Building cyber secure Railway Infrastructure

The European Union Agency for Cybersecurity (ENISA) delivers a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectorial implementation of the NIS Directive.

The report released is designed to give guidance on building cybersecurity zones and conduits for a railway system.

The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with a guidance to help railway operators with the practical implementation of the zoning process.

The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.

A number of requirements are set, such as:

- Identification of all assets and of basic process demands;
- Identification of global corporate risks;
- Performing zoning;
- Checking threats.

A risk assessment process is developed based on standards for the identification of assets and the system considered, and for the partitioning of zones and conduits. The report also addresses the cybersecurity requirements in terms of documentation and suggests a step-by-step approach to follow.

The report is released on the occasion of the General Assembly meeting of the European Rail ISAC which is taking place today.

The EU Agency for Cybersecurity engages closely with the European Rail Agency (ERA) to support the railway sector and is to host a joint event with ERA later this year.

TSA leaders share tips to get through airport security during the pandemic

There are a handful of actions that travelers can take in an effort to get through Transportation Security Administration (TSA) airport checkpoints during the pandemic in ways that may help reduce the likelihood of contracting COVID-19.

While security is TSA’s top priority, the health and safety of TSA employees and the traveling public is of utmost importance. TSA remains in close communication with medical professionals, the CDC, and various government agencies as we continue to carry out its security mission during the pandemic.

Here are a few suggestions that TSA Federal Security Directors want to share with travelers who are scheduled to fly during the pandemic.

  • John Bambury, TSA Federal Security Director for John F. Kennedy International Airport: “You’ve heard it a thousand times—wear a mask. I wear a mask every single day at the airport, which is one of the top recommendations from the CDC. If you’re flying, you should also consider carrying an extra mask so that if the elastic band snaps on your mask, you’ve got a spare one handy. Also, you may want to change into a fresh mask upon arrival at your destination. If you don’t have a mask, the TSA officer at the travel document checking podium will offer you one for free. When you get to the travel document podium, the TSA officer will ask you to remove your mask for just a few seconds to verify that your face matches the ID that you are presenting.”
  • Scott T. Johnson, TSA Federal Security Director for Washington Dulles International and Ronald Reagan Washington National Airports: “Consider enrolling in TSA PreCheck® because it gets you through the checkpoint conveniently and more quickly than a standard checkpoint lane, making it even more valuable in today’s travel climate. TSA PreCheck passengers spend less time waiting in line and keep their shoes, belts and jackets on during screening and electronics in their carry-ons, reducing overall contact during screening. Travelers in the program also are permitted to leave their 3-1-1 liquids bag in their carry-on bags.”
  • Gerardo Spero, TSA Federal Security Director for Philadelphia International Airport: “Know before you go. By that I mean that you need to know what is in your carry-on bag before you head to the airport to ensure that you have nothing prohibited with you. Prohibited items such as large liquids, knives, pepper spray, loose ammunition, and other prohibited items result in our need to open your carry-on bag and remove them. This keeps you in the checkpoint for an extra few minutes while one of our TSA officers opens your carry-on to search and eventually remove the item. We want to get you through the security checkpoint efficiently and quickly. Prohibited items slow you down.”
  • Thomas Carter, TSA Federal Security Director for Newark Liberty International Airport: “The CDC recommends washing your hands frequently. Consider washing your hands before and after completing the security screening process. If it is not possible to wash your hands, please use hand sanitizer. TSA has instituted a temporary exemption from the 3-1-1 rule, that permits travelers to carry up to one 12-ounce container of liquid hand sanitizer per passenger, in carry-on bags. You can also bring individual hand wipes or a large tub of hand wipes with you to help wipe down your hands and even handles of your carry-on bags.”
  • John C. Allen, TSA Federal Security Director for Yeager Airport: “Do your best to socially distance from others whenever possible. By that I mean, leave some extra space between the traveler in line ahead of you. Take that an extra step back. After you go through the checkpoint scanner, that’s another opportunity to take an extra step back while you wait for your carry-on items along the conveyor belt. Look around, see where you can wait for your carry-on items a little farther away from fellow passengers. Then take your belongings off to the side to put on your shoes, jacket and other items so that you’ve got some extra space of your own to recompose.”
  • Grant Goodlett, TSA Federal Security director for Baltimore/Washington International-Thurgood Marshall Airport: “If you haven’t traveled in a while, you will notice that TSA has installed acrylic shields in checkpoints in an effort to make the screening process safer for passengers and our workforce by reducing the potential of exposure to the coronavirus. Please don’t walk around these acrylic shields to interact with our TSA officers. The shields have small vents to allow for conversation, questions and answers to be shared.”

[Source: TSA]

DHS Announces New Cybersecurity Requirements for Surface Transportation Owners and Operators

DHS’s Transportation Security Administration (TSA) has announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure. These actions are among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

TSA is increasing the cybersecurity of the transportation sector through Security Directives, appropriately tailored regulations, and voluntary engagement with key stakeholders. In developing its approach, including these new Security Directives, TSA sought input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.

The TSA Security Directives announced today target higher-risk freight railroads, passenger rail, and rail transit, based on a determination that these requirements need to be issued immediately to protect transportation security. These Directives require owners and operators to:

- designate a cybersecurity coordinator;
- report cybersecurity incidents to CISA within 24 hours;
- develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
- complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

TSA is also releasing guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. Further, TSA recently updated its aviation security programs to require that airport and airline operators implement the first two provisions above. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators. TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.

These efforts are part of a series of new steps to prioritize cybersecurity across DHS. Secretary Mayorkas first outlined his vision for the Department’s cybersecurity priorities in March, which included a series of focused 60-day sprints designed to elevate existing work, remove roadblocks to progress, and launch new initiatives and partnerships to achieve DHS’s cybersecurity mission and implement Biden-Harris Administration priorities. To learn more about the sprints, please visit www.dhs.gov/cybersecurity.

Risk Management: Helping the EU Railways Catch the Cybersecurity Train

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as assets and services list, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management for railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness on relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach available to railway cyber risk management yet. Stakeholders who participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive list is broken down to 5 areas; the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threats taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews available threat taxonomies, and provides a list of threats that can be used as the basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practises (NIST’s cybersecurity framework).

TSA checkpoint at Capital Region International Airport gets new credential authentication technology unit

A credential authentication technology (CAT) unit has been installed and is in use at the Transportation Security Administration checkpoint at Capital Region International Airport (LAN).

“The new credential authentication technology unit enhances our detection capabilities for identifying fraudulent ID documents and improves the passenger’s experience by increasing efficiency during the checkpoint experience,” said Michigan TSA Federal Security Director Steve Lorincz. “The CAT unit also reduces touchpoints at the checkpoint, which benefits both officers and travelers during this pandemic.”

Passengers will approach the travel document checking station at the checkpoint and listen to the instructions of the TSA officer, who will insert the personal identification into the scanner for authentication.

Passengers will not have to hand over their boarding pass (electronic or paper), thus reducing a touchpoint. Instead, they should have their boarding pass ready in the event that the TSA officer requests visual inspection. The CAT unit will verify that the traveler is prescreened to travel out of the airport for a flight that day; however, a boarding pass may be requested for travelers under the age of 18 and/or those without IDs or with damaged IDs.

“We are pleased that TSA is taking steps to enhance the technology to ensure the safety and security of our travelers here at the Capital Region International Airport (LAN),” said Nicole Noll-Williams, president and CEO of the Capital Region Airport Authority.

Even with TSA’s use of CAT, travelers still need to check-in with their airline in advance and bring their boarding pass to their gate agent to show the airline representative before boarding their flight.

This technology will enhance detection capabilities for identifying fraudulent documents at the security checkpoint. CAT units authenticate several thousand types of IDs including passports, military common access cards, retired military ID cards, Department of Homeland Security Trusted Traveler ID cards, uniformed services ID cards, permanent resident cards, U.S. visas, and driver’s licenses and photo IDs issued by state motor vehicle departments.

TSA Could Better Monitor Its Efforts to Reduce Infectious Disease Spread at Checkpoints

Within TSA, approximately 46,000 TSOs stationed across the nation's commercial airports perform screening and other activities that often require close interaction with passengers. As a result, both passengers and TSOs may be at an increased risk of infection during pandemics such as COVID-19.
The CARES Act included a provision for GAO to conduct monitoring and oversight of the federal government's response to the COVID-19 pandemic. This report identifies 1) what steps TSA has taken to reduce the spread of COVID-19 at passenger screening checkpoints; and 2) how TSA is monitoring TSOs' implementation of amended safety and screening procedures, among other objectives.
GAO analyzed TSA data on TSOs' use of paid leave, reviewed documentation on policies and procedures, and interviewed TSA officials at headquarters and eight U.S. airports. We selected these airports to reflect diversity in the number of COVID-19 cases among TSOs, airport size, and geographic region. In addition, for six of these airports, GAO reviewed closed circuit television footage to observe how TSOs were implementing COVID-19 procedural changes.
To reduce the spread of COVID-19 at passenger checkpoints, Transportation Security Administration (TSA) officials issued amended safety measures to require that Transportation Security Officers (TSOs) use surgical masks and face shields, change gloves after pat-downs, and physically distance themselves from coworkers and passengers as practicable. TSA also adjusted some screening procedures, such as asking passengers to remove more items from carry-on baggage to reduce the potential for alarms that require bag searches. In addition, TSA modified the use of certain checkpoint screening technologies, and granted TSOs additional paid leave. In January 2021, TSA began an employee vaccination program, and is in the process of vaccinating TSA employees, including TSOs.
TSA's monitoring and analysis of its measures to reduce the spread of COVID-19 is limited. For example, supervisors' operational checklists do not specifically include the revised COVID-19 procedures, and the data that TSO monitors collect (e.g., on whether TSOs are properly wearing masks or changing gloves) reflect implementation at a point in time rather than throughout a shift. Conducting more complete monitoring would help TSA ensure that its TSOs are properly implementing COVID-19 procedures. In addition, TSA field leadership analyzes available monitoring data for different subsets of airports to understand how COVID-19 procedures are being implemented. However, TSA headquarters officials said they had no plans at the time of our review to analyze this data across all airports nationwide to identify common implementation problems, such as incorrectly wearing face shields and challenges with maintaining physical distance. Analyzing monitoring data across all airports would help TSA identify and address any system-wide deficiencies in implementing COVID-19 procedures, so that it may better protect its workforce and the traveling public.

Autonomous driving systems: A long road ahead

Substantive regulatory progress has been made since last year, despite the global COVID-19 pandemic that paralyzed supply chains in some industries around the world and shifted the mobility landscape considerably.
Still, progress towards fully autonomous driving has been slow. Five levels have been established within the industry for assisted, automated and autonomous driving. Fully autonomous driving is represented by only Level 5.
SAE levels of automation
Here are the top three takeaways from the recent Symposium on the Future Networked Car 2021:
1. Regulatory efforts are advancing in preparation for Autonomous Driving Systems (ADS)
The past year has seen considerable progress at the global, regional and national levels. The shared nature of most transport infrastructure and automotive supply chains means that common standards and interoperability in the manufacture and communication capabilities of different types of vehicles will be vital.
At the global level, two new regulations were introduced recently from United Nations’ Economic Commission for Europe (UNECE) on Cybersecurity (UN Regulation 155) and Software Updates (UN Regulation 156). A new UN Regulation 157 on Automated Lane Keeping Systems for highly automated driving up to 60 kph on motorways was recently approved.
Regulatory preparedness is mostly being developed at the regional level, with vehicle type approval, product liability and general product safety, and roadworthiness tests developed by the European Union and also in the Asia-Pacific region.
At the national level, developments include liability, traffic rules, regulatory mandates, trials, and infrastructure. For example, Finland has authorized Level 5 driving, and Germany has already authorized the use of automated vehicles on its motorways.
2. Fully Autonomous Driving Systems (ADS) are still a long way off
Currently, mainly only Level 2 vehicles are available on the market (other than autonomous shuttles and an autonomous taxi service operating in Phoenix, Arizona, the United States since October 2020). However, Honda recently announced its first Level 3 driving system, due to be launched later this year.
The car industry, highways agencies and transport regulators are working together to overcome the significant challenges introduced by autonomous driving. Chief among these are safety considerations – and what constitutes ‘acceptable risk’ for car occupants, as well as the broader public.
Data challenges also persist, from the capture and preservation of data to its interpretation and protection. Improving the physical environment with markers to make a more intelligent environment for automated, let alone autonomous, vehicles is another challenge, as well as collaboration that would enable intelligent vehicles to function across borders.
Other major challenges include the introduction of self-learning artificial intelligence (AI) systems in automated driving systems, as well as cybersecurity considerations – how to prevent unauthorized or illegal intrusions into connected cars or their networks.
3. The communication and data demands of ADS will be enormous
The changes driven by the advent of ADS are many and large. Even cars already on the road today are said to be running over 150 million lines of code. Many participants emphasized the changes needed in physical infrastructure, such as 5G masts and improved road markings, as well as the information needs and data demands, for mapping and object identification, for instance.
5G will be instrumental in improving automated driving and its communication needs like smart parking, but also V2V (vehicle-to-vehicle) and V2I (vehicle-to-infrastructure) communications. A host of innovations and improvements are needed throughout the vehicle ecosystem to help create an optimal real-world environment for automated driving systems. ITU is working with all stakeholders to help realize these innovations in the interests of smarter and safer mobility.
[Source: ITU]

IAEA Helps Romania Enhance Exercises on Transport Security

Strengthening the security of nuclear and other radioactive material in transport, and developing practical skills for planning, conducting and evaluating transport security exercises was the focus of a recent IAEA workshop held in Romania.
“Nuclear and other radioactive material is regularly transported from one place to another for various uses, such as for medical applications, agriculture, nuclear power and scientific research,” said Elena Buglova, IAEA Director of Nuclear Security. “When this material is in transport, whether nationally or internationally, it is potentially vulnerable to security threats, for which we need to be vigilant.”
The four day workshop included classroom presentations and field demonstrations, as well as a virtual exercise in which participants watched a simulated event involving an attempted malicious interception of a vehicle transporting a radioactive source, and practiced evaluating the situation and developing an appropriate course of action in a realistic and interactive way. These actions included summoning additional response forces and executing evasive and protective maneuvers to prevent the adversaries from achieving their objective.
“Romania experiences a high number of nuclear and other radioactive material shipments both within and across its borders,” said Sorin Repanovici, Senior Expert at the Romanian National Commission for Nuclear Activities Control (CNCAN). “Ensuring that our response plans are effective and that all national stakeholders are fully trained to rapidly respond to a nuclear security event during the transport of these materials is of utmost importance.”
“By practicing scenarios during exercises and assessing our capabilities, we can establish good practices, as well as identify areas needing improvement, so we can then make targeted efforts to strengthen our national nuclear security regime,” he added.
It is estimated that worldwide, around 20 million shipments of radioactive materials are transported every year. The IAEA assists Member States to enhance their capabilities to help ensure both the safety and security of nuclear and other radioactive material during transport. Safety, in this context, refers to protecting the public from the radioactive contents of a package, whereas security refers to guarding nuclear and other radioactive material with locks, seals and other technologies and methods to prevent it from falling into the wrong hands.
Nineteen participants from national stakeholder organizations involved in nuclear security took part in the workshop, including nuclear security response forces, the national regulator, and nuclear facility operators and carriers. Discussions focused on the need for robust coordination among stakeholders and the importance of conducting and learning from regular transport security exercises, in order to properly evaluate the readiness of response forces to deal with a nuclear security event during transport.
The workshop was conducted in a hybrid format, which included in-person presentations from local and IAEA instructors, as well as virtual contributions from experts in the United Kingdom and the United States. The Romanian Horia Hulubei National Institute of Physics and Nuclear Engineering and the General Inspectorate of the Gendarmerie provided a practical demonstration of a radioactive material transport vehicle and the physical protection equipment used by response forces. The virtual transport security exercise was conducted remotely with the assistance of experts from Oak Ridge National Laboratory in the United States, who used newly developed innovative exercise software to portray the hypothetical nuclear security event using advanced high-resolution satellite imagery.