Sponsored by
Responding to TSA's Cybersecurity Directive: Principles and Tactics to Begin Your Cybersecurity Journey
IN DECEMBER 2021, THE UNITED STATES Transportation Security Administration (TSA) released two cybersecurity-focused directives applicable to the rail industry, underscoring the focus of TSA and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) on prescribing specific cybersecurity requirements for industry to protect critical infrastructure. In addition to the Security Directives, TSA also introduced an Information Circular providing similar guidance (strong recommendations) to ALL surface transportation organizations. While not a directive, the guidance found in the Information Circular mirrors the previously released Security Directives.
Where should organizations impacted by these directives and circulars begin their journey?
The directives and circulars require applicable organizations to implement ownership and accountability measures for managing and reporting incidents; furthermore, they require that organizations effectively assess and mitigate their overall risk exposure. This is no small feat! Organizations should begin by adhering to the following three core principles:
Cyber Risk is Business Risk. Cyber risk goes far beyond the purview of the IT organization. Human Resources, Sales, Marcom, Legal, Operations, Finance and others play a critical role in preventing and effectively managing cyber risk.
Law of Diminishing Returns. Organizations must recognize that complete risk elimination is unattainable and that dollars invested beyond the elusive "optimal point" provide diminishing value. There are countless examples of organizations that have spent millions of dollars implementing measures to reduce risk only to find themselves victims of cybercrime.
Program vs. Project. There are two constants in cybersecurity: 1) the business landscape of an organization is likely to change, and 2) the threat landscape will most certainly change. Organizations that address cybersecurity as an ongoing risk program initiative are historically far more successful than those that address cybersecurity as a one-time project. Managing risk never ends; projects do.
Are there established best practices for developing a comprehensive cybersecurity plan?
TSA recommends following best practices found within the NIST Cybersecurity Framework, a uniform set of rules, guidelines, and standards for organizations to better manage and reduce cybersecurity risk (NIST 800-171). NIST best practices are comprehensive, containing 110 controls across 14 control families. Organizations with limited resources will likely experience difficulty interpreting, applying, and prioritizing the NIST controls within their environment; therefore, to meet the requirements of the directives and circulars, Secuvant recommends a three-phased approach to implementing a Risk Management Program based on NIST:
* First, base-level compliance with each NIST 800-171 control directly tied to the four requirements listed in the Security Directive.
* Second, formation of a formal Risk Management Program with an initial focus on ensuring a) incident response plans remain updated and relevant, b) incident response plans are tested regularly through scenario-based tabletop exercises that extend beyond IT to the executive suite, and c) implementation of a Threat Vulnerability Management program ensuring the organization is apprised of ongoing vulnerabilities.
* Third, performance of a comprehensive NIST 800-171 Gap and Risk Assessment across all 110 controls. The objective of this exercise is threefold: a) understand and prioritize the control gaps within your environment, b) establish a maturity score baseline for ongoing measurement and improvement, and c) establish a multi-year security roadmap based on prioritized risk findings.
How might agencies overcome limited resources to address TSA mandates?
The cybersecurity industry finds itself in uncharted territory. It was projected that in 2021 there would be 3.5 million unfilled cybersecurity jobs (source: Cybersecurity Ventures). This poses a significant challenge for agencies that find themselves competing with large enterprises for the same talent. For this reason, in March 2021, experts further predicted that roughly 70 percent of organizations were planning to outsource security to a security provider during the next year (source: Kaspersky's Global Corporate IT Security Risks Survey). Agencies would do well to follow the trend of outsourcing security services.
The transportation industry anticipates unprecedented funding due to the $1-trillion infrastructure bill. Additional funding for cybersecurity initiatives is available to agencies via federal grants, assuming agencies can demonstrate effective use of the funds.
Secuvant is well-positioned to assist transit agencies in securing funding and addressing the demanding TSA cybersecurity mandates. Secuvant is staffed with cybersecurity professionals and transportation industry veterans who have successfully created security service bundles that directly align with the three-phased approach referenced herein for implementing a NIST-based Risk Management Program.
Ryan Layton
CEO, Secuvant, LLC
Secuvant
855-732-8826
www.secuvant.com
FEBRUARY 2022 | MassTransitmag.com | Mass Transit | 11