Growing necessity for rail industry to keep cybersecurity concerns ‘on track’

Technological advancements in the rail industry have increased system interconnections, signaling, control, and telemetry, leading to the overall cybersecurity posture becoming more vulnerable to cyberattacks. Given the haphazard manner of these improvements, expansive nature of the rail infrastructure, and the need to drive operational efficiency, these modifications have given rise to massive inconsistencies in how the global rail industry is securing locomotives, rolling stock, and the rail infrastructure against the threats of terrorism, vandalism, and cyberattacks. 

The railway infrastructure in Belarus was recently targeted by hacktivists with political motivation, as geopolitical tensions built up around the Russia-Ukraine dispute. Hackers said at the time that they had infected the network of Belarus Railway, the country’s state-run railroad system, with ransomware. The attackers said they would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. Other cybersecurity incidents targeting the rail infrastructure have also occurred in Denmark, Germany, and New York. 

Most cybersecurity incidents intend to install ransomware on breached networks, which can subsequently be exploited for data exfiltration and financial gain. With the growing number of recent incidents, it is clear that cybercriminals are interested in getting into, accessing, and potentially manipulating rail networks, thereby enhancing pressure on rail operators to respond to the evolving threat landscape. 

A Siemens whitepaper pointed to the need to calculate security risks, threats, and vulnerabilities. It also suggested carrying out risk assessments for the rail industry through gap assessment, maturity assessment, vulnerability assessments, penetration testing, internal and external audits, and automated tool-based security scans. Given the complex and widely distributed nature of the rail sector, asset owners and operators need to start with a digital asset inventory to help them know their assets, ascertain their current and historical status, compute the software or firmware versions of the components, and identify how the assets are interconnected. 

Industrial Cyber reached out to experts in the rail cybersecurity sector to assess how rail operators are working on balancing security, competitiveness, and operational efficiency.

“The rail industry is undergoing a period of significant digitalization, making trains safer, more comfortable and generally more efficient, but also widening the potential cyber-attack vector – leaving the railway and metro systems potentially more vulnerable as a result,” Amir Levintal, CEO of Cylus, told Industrial Cyber. “The continued use of legacy systems and the geographic spread of railway infrastructure have created unique challenges for the rail industry that require specialized cybersecurity solutions,” he added. 

As rail infrastructure grows more and more connected with widening access points and vulnerabilities, the demand is rising for cybersecurity solutions that are tailor-made to protect both their IT and OT components, according to Levintal. “By implementing cybersecurity technology specifically designed for the rail environment, railway companies can effectively prioritize security and safety and by extension, ensure competitiveness and operational efficiency,” he added.

The mix of legacy and new is being carefully balanced, Patrick Miller, president and CEO at Ampere Industrial Security, told Industrial Cyber. “There is still a need to be able to operate the rail system (particularly long-haul and freight) manually, without any supporting technology. So, there will always be some legacy – or better stated manual/analog gear as a fallback measure in some environments. Most systems are run to a ‘state of good repair’ and replaced,” he added. 

The new systems often have a much higher degree of technology, which brings greater efficiency but also comes with new risks, Miller added.

Increased connectivity in rail infrastructure has resulted in the need for industry players to build adaptive and responsive organizations, enabling them to stay ahead of evolving cybersecurity threats.

“The rail sector and the government – particularly in the US – are currently working together to tighten security measures, with recent legislation out of Washington D.C reinforcing the need for a united front in the face of the expanding cyber-threat landscape,” Levintal said. “Many rail providers are already implementing comprehensive cybersecurity solutions, ensuring that security and safety remain the number one priority by meeting continually evolving regulatory measures and standards,” he added.

Many railroad operators have an extensive monitoring environment and a Security Operations Center (SOC) that works in tandem with dispatch and other elements of operations, according to Miller. “OT-specific training is worked in to ensure that the operational technologies are included in the overall security program in a manner that reflects their functional differences,” he added. 

“In addition to training and purchasing OT equipment with better security features, many operators are running security incident response drills,” Miller said. “They are working together through the Rail Security Committee under the American Association of Railroads and with their Surface Transportation Information Sharing and Analysis Center (ST-ISAC).” 

Addressing the issue of how the rail industry deals with issues of low cybersecurity awareness and differences in culture, especially among safety and operations personnel, Levintal pointed out that the lack of cybersecurity awareness is an issue across all industries, including critical infrastructure. 

“Gaps in cybersecurity knowledge and the disruptions they can cause have knock-on effects for rail companies, passengers, and businesses that rely on rail transport,” Levintal said. “Disruptions and attacks are costly for rail companies – the damage to reputation and the consequential lost income are significant. On top of that, the process of investigating a cyber incident can also be time-consuming and expensive,” he added.

“Personnel are a key link in the cybersecurity chain, especially in terms of information security,” according to Levintal. “Therefore, not only do rail companies have an obligation to implement cybersecurity solutions, it’s also equally important that they educate their employees on security standards and measures.”

Like many other industrial sectors, there is still the pervasive OT and IT divisiveness but as technology creeps closer to a blend of OT and IT this is slowly breaking down, Miller said. “Some organizations are performing cross-training or work shadowing to help both sides understand each other better, increase awareness and improve the working relationship around security. A few incidents have happened recently and those are being used as ‘real world’ examples of what can happen,” he added.

In the U.S., initial voluntary cybersecurity rules ​​for surface transportation systems and associated infrastructure have been imposed at the end of 2021. The security directives require owners and operators to designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours and develop and implement a cybersecurity incident response plan to reduce the risk of operational disruption. Owners and operators of ​​surface transportation systems and associated infrastructure will also have to complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

“The most challenging of these directives is the 24 hour reporting for cybersecurity incidents,” Miller said. “There is some guidance here, but it’s basically contingent upon time of detection which suffers from various interpretations. Note that these directives are voluntary at this time, but this is about as close as you can get to regulation and are often seen as future regulation. It’s only a matter of time. Obviously, any successful attacks on the sector will speed up this process,” he added.

In addition to raising the December TSA directive, Levintal also flagged that in January 2022, “the Senate passed two cyber-related bills – one that would train feds who work in acquisition on how to manage cybersecurity risk in the supply chain, and another that would provide new federal resources to state and local governments under siege from cyber criminals.” President Joe Biden has laid out his priorities for cybersecurity in the form of a Memorandum, which was later cemented by the Strengthening American Cybersecurity Act, intended to significantly enhance the US’s cybersecurity protection for all critical infrastructure, he added. 

Levintal also mentioned that the European Union published last August TS 50701, a set of cybersecurity standards specifically for rail, with participation from the ENISA (EU Agency For Cybersecurity) and ERA (EU Agency for Railways). The publication outlined the nature of IT/OT convergence and its subsequent threat landscape and cybersecurity requirements. “Ongoing public-private cooperation between the government and rail industry seems to be the best path forward for ensuring maximum protection for our railways,” he added.

Although the U.S. has not enacted widespread regulation, such as the European Union’s General Data Protection Regulation, American railroad operator Union Pacific Railroad has put together a patchwork of state laws and regulations governing personal data collection and use. 

“Union Pacific developed a program to comply with the California Privacy Act, the most comprehensive state law, which took effect Jan. 1, 2020,” the operator said in its ‘2020 Building America’ report. “Specifically, Union Pacific worked to increase transparency around our data collection and use procedures to enhance our ability to respond to inquiries and requests regarding a person’s data.”