Friday the DOT’s Federal Railroad Administration (FRA) published a notice of proposed rulemaking (NPRM) in the Federal Register (85 FR 82400-82425) outlining changes to the regulations concerning positive train control systems (PTC) reporting processes. The proposed changes include:
• Modifying the
process under 49
CFR 236.1021 by which a host railroad must submit a request for amendment
(RFA) to FRA before making certain changes to its PTC Safety Plan (PTCSP) and
FRA-certified PTC system,
• Expanding an
existing reporting requirement by increasing the frequency from annual to
biannual,
• Broadening the
reporting requirement to encompass positive performance-related information,
not just failure-related information, and
• Requiring host railroads to utilize a new, standardized Biannual Report of PTC System Performance (Form FRA F 6180.152).
Public Comments
The FRA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2019-0075). Comments should be submitted by February 16th, 2021.
Commentary
The FRA is to be commended for recognizing that the completion of the initial implementation of the PTC program (at long last) should mark a change in the way that it oversees the program. This proposed rulemaking goes a long way to providing the FRA with the necessary information that it needs to perform its regulatory oversight function. Unfortunately, with the recent news about the SUNBURST attacks, it is clear that all federal agencies must step up their activities related to cybersecurity. The PTC safety system is one such area where the FRA must proactively address cybersecurity needs.
A comprehensive attempt to address the cybersecurity challenges related to the PTC system will probably require a stand-alone rulemaking, but this NPRM provides a good place for the FRA to make a cybersecurity down payment on the system.
The FRA already notes the importance of reporting of software defects in 49 CFR 263.1023(b). The scope of that requirement needs to be enlarged to include notifications of 3rd party reports of software and firmware vulnerabilities, but that is outside the scope of this rulemaking. The reporting requirements of that section, however, should be included in the biannual reporting requirements being addressed in this rulemaking. This could be addressed by inserting a new subparagraph (iii):
“(iii) Any reports from hardware or software suppliers or vendors under §263.1023(b) about software failures or reported vulnerabilities.”
The FRA should also specify that changes to PTC software or firmware specifically requires approval under the proposed revised processes. This would allow the FRA to keep control of an important part of the PTC environment. It could be achieved by adding a new subparagraph (5) under §263.1021(h):
“(5) Any change in PTC component software or firmware.”
One other area that should be addressed by the FRA is adding a requirement for reporting unusual operation of the PTC systems. Such incidents can provide indications that they system has been attacked or breached. Ideally, this would include adding the phrase “or demonstrates indicators of compromise” after the word “malfunctions” in 49 USC 20157(j)(2), but that is clearly beyond the scope of rulemaking. Having said that, this could be implemented by revising the proposed definition for ‘malfunction’ at §236.1003(b) by inserting the following language after “PTCSP”:
“, or any indication of unauthorized system access or other indicators of compromise described by system suppliers or vendors.”
These changes would be a first step in increasing the efforts to be taken by the FRA to ensure that cybersecurity of PTC systems is being addressed in a proactive manner.
A copy of this post will be submitted as a comment on this
NPRM.
No comments:
Post a Comment