Rail cybersecurity must be bolstered against ransomware attacks, IT/OT integration, geopolitical tensions

Maintaining rail cybersecurity across the transportation sector has become crucial as adversarial cyberattacks, accelerating digital transformation, and the need to safeguard legacy systems reshape the operational landscape. Rail operators are increasingly forced to prioritize cybersecurity, implement robust protective measures, upgrade legacy systems, and invest in training programs to boost resilience, all in a bid to enhance the sector’s ability to detect and respond effectively to cyber threats.

Adoption of IoT devices, cloud computing, and automation systems has brought in new cybersecurity risks, which can potentially disrupt operations, encrypt systems, and cause downtime. Adversarial attacks, such as malware infections, ransomware, and phishing, have become increasingly sophisticated and targeted, causing significant damage to rail infrastructure. 

The rail sector faces challenges with outdated cyber systems that were not designed with cybersecurity in mind. Many rail operators have also been slow to invest in cybersecurity measures. Growing recognition of the importance of rail cybersecurity in the transportation sector has made it crucial for rail owners and operators to safeguard legacy cyber systems and protect rail infrastructure from cyber threats.

Rising geopolitical tensions, such as the Russia/Ukraine conflict, could also significantly impact rail cybersecurity. The increase in nation-state-sponsored cyber warfare has also made rail systems vulnerable to offensive cyber actions. Rail operators must be aware of these dynamics and strengthen their cybersecurity defenses. Prioritizing rail cybersecurity measures, investing in modern technologies, and staying vigilant against emerging threats can ensure safety, efficiency, and resilience in the sector.

Industrial Cyber reached out to specialists in the rail cybersecurity space to determine the impact that ransomware threats, attacks, and rising geopolitical tensions have had on rail OT security in the past 18 months. Based on their experience, these experts also highlight how motivated and sophisticated adversaries are when it comes to exploiting rail infrastructure.

Marianthi Theocharidou, cybersecurity expert at ENISA

ENISA published a cyber threat landscape for the transport sector identifying ransomware as a prime threat in the sector, Marianthi Theocharidou, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA) who works to support the NIS Directive implementation in the rail transport sector, told Industrial Cyber. “Ransomware attacks have become the most prominent threat against the sector in 2022, with attacks having almost doubled, rising from 13% in 2021 to 25% in 2022.”

She added that the majority of attacks on the railway transport sector target IT systems. “Even though OT systems were not targeted directly, what they faced were operational disruptions due to their reliance on IT systems. We have not received reliable information on a cyberattack affecting the safety of railway transport. This is also observed when examining the incidents of significant impact reported under the NIS directive.”

Theocharidou said that the 2022 ENISA Threat Landscape gathered contributing factors that may result in ransomware groups targeting and disrupting OT operations. 

“The factors contributing to this assessment are the ongoing digital transformation in the transport sector and the increased connectivity between IT and OT networks; the increased urgency to pay ransom to avoid any critical business and social impact; the ongoing rebranding of ransomware groups, which increases the chances of malware blending and the development of capabilities to target and disrupt OT networks; the geopolitical situation, as ransomware groups are taking sides and are likely to conduct retaliatory attacks against critical infrastructure; and the increase in the number of newly identified vulnerabilities in OT environments,” according to Theocharidou. “Beyond the use of ransomware, wiper malware is also of concern, such as the case of the meteor wiper malware.”

Miki Shifman, CTO and co-founder at Cylus

Miki Shifman, CTO and co-founder at Cylus, said that digital transformation in the rail industry, while making trains and metros faster, more efficient, and more comfortable, is also creating more vectors for malicious cyberattacks in operational rail technology (rail tech) environments. “Ransomware and rising geopolitical tensions are two of the biggest external concerns of everyone in the railway cybersecurity community – including rail operators, rail integrators, rail industry associations, regulatory bodies, and the cybersecurity vendor community.”

“This heightened attention is resulting in both increasing risk monitoring and management practices to improve rail operations security and reliability and increasing regulatory requirements and security directives,” Shifman told Industrial Cyber. “In the last 12 months alone we’ve seen new TSA Security Directives and rulemaking processes in the US, the proposed Cyber Resiliency Act in Europe, and the development of a new IEC rail standard.”

Shifman also pointed out that, according to a 2023 report by ENISA, ransomware attacks are the most prevalent attack type observed targeting the railway sector, and that they mostly target the IT systems of railways, including passenger services, ticketing systems, mobile and WiFi systems, and display boards. “When successful, these ransomware attacks can cause rail system disruptions due to the unavailability of these services. And unfortunately, ransomware has been steadily increasing according to ENISA,” he added.

“And we know threat actors are becoming more sophisticated. They are targeting – physically and digitally – infrastructure that can cause widespread rail disruption,” Shifman highlighted. “These known rail attacks, both physical and cyber, demonstrate that threat actors are gaining in-depth internal knowledge of rail systems and using that knowledge to target rail systems with sophisticated and targeted attacks.”

Israel Baron, vice president of customer relations at Cervello

“Given recent geopolitical events, every type of critical infrastructure is in increased danger, including, or maybe even ‘especially’, railways due to its undeniable tie to a country’s economy and reputation,” Israel Baron, Cervello’s vice president of customer relations, told Industrial Cyber. “However, we are not only witnessing geopolitical attacks, we are seeing a general rise in rail cyber attacks which stem from the expanding attack surface now present in rail and, of course, the sophistication of threats. Attacks create publicity, they have the potential to endanger the economy and disrupt people’s daily lives so, of course, the motivation is there.” 

Baron added that with that, “I am also witnessing a much greater motivation by rail organizations to adopt cybersecurity solutions. Governments and regulatory agencies are pushing for a change in this as well in order to combat this growing trend.”

Last October, the U.S. Transportation Security Administration (TSA) issued a security directive (SD) that imposed performance-based cybersecurity requirements on higher-risk freight railroads, passenger rail, and rail transit owners/operators. The experts analyze the effect of the SD on the cybersecurity posture of the rail sector and how it has enhanced cybersecurity preparedness and resilience for the nation’s railroad operations. 

Theocharidou said that they “cannot assess the effect of the security directive in the U.S. as ENISA focuses primarily on EU Member States.” 

“In the EU, the NIS2 directive introduces security measures and increased reporting obligations for railway undertakings and infrastructure managers (‘essential entities’), but also for manufacturers (‘important entities’) and service providers,” according to Theocharidou. “We believe that both the EU NIS2 directive and the US security directive will contribute in increasing the cybersecurity posture of the sector. Already the NIS1 directive contributed to this goal.”

Shifman said that the new SDs demonstrate the Biden-Harris Administration’s proactive approach to improving the U.S.’s cybersecurity and defense of critical infrastructures. “These directives present the fundamental shift in how safety and security are viewed in the rail industry and how governments are revisiting and reassessing their rail cybersecurity policies. As rail systems are increasingly recognized as vulnerable critical infrastructure worldwide, we expect to see continued regulatory pressures on the industry. TSA’s SDs join Europe’s NIS Directive and APAC’s rail-specific frameworks in Australia, Singapore, and India,” he added.

“However, according to the TSA, the SDs were developed with input from federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Railroad Administration (FRA), and industry stakeholders and rail operators,” Shifman said.

In this regard, the SDs combine some of the industry’s existing best practices and continue the direction that the rail industry in the US has already been heading from a rail cybersecurity perspective, Shifman added. “So, while the new TSA SDs are likely to speed the implementation of these cybersecurity best practices at some of the nation’s rail operators, they are less likely to change the ultimate cybersecurity measures that are deployed.”

Baron said that it is too early to make a judgment. “Railways are just learning about how to comply, and at best have performed risk assessments. There is still much to do.”

The executives assess how rail companies build engineering-grade designs, while also ‘futureproofing’ cybersecurity infrastructure for the years ahead. They also analyze the measures that these rail companies need to consider when it comes to incorporating cybersecurity into their design process from the outset. 

Rail transportation vendor Alstom outlined that railway operators must deal with a combination of new and legacy systems. “It’s vital that these assets are included in a comprehensive cybersecurity strategy to minimise risk – both now and in the future. The need for cybersecurity to be a day-one consideration in the development of any new project is therefore stark. Cyber threats are constantly evolving – and so too should strategies to deal with those threats.” 

Theocharidou said that both rail companies and their suppliers have to apply cybersecurity measures to ensure that the future infrastructure meets the challenges of the cyber threat landscape. A sector-wide approach must be adopted, she suggests.

“An ENISA report found that there is no unified approach available for railway cyber risk management yet,” according to Theocharidou. “At the moment, railway companies apply cybersecurity measures derived from the NIS Directive, current standards including ISO/IEC 27002 and IEC 62443, the technical specification CLC TS 50701, and good practices such as the NIST’s cybersecurity framework.”

A supplier of products should also have processes in place that provide quality products regarding cybersecurity, Theocharidou highlighted. “This may mean compliance to multiple standards. For example, a supplier has the infrastructure and organisation relevant for the design, development, manufacturing, and delivery of products and components managed by the requirements of ISO/IEC 27001.” 

She added that a secure development process such as IEC 62443-4-1:2018 is deployed, and technical requirements of products and components are set out in IEC 62443-4-2:2019. “A quality management system ISO 9001 is implemented to continuously improve the quality. Similarly, a system integrator may comply with IEC 62443-2-4:2019, and technical requirements of the system are reflected by IEC 62443-3-3.”

Shifman outlined that the design and build of new rail infrastructure and new rolling stock involve two primary players: the rail operators, who issue the technical specifications in an RFP or tender for the design and build of new infrastructure or rolling stock, and the rail integrators, who design and build the project according to the technical specifications that are issued. “And cybersecurity is now embedded into the technical specifications of all new infrastructure and rolling stock projects to different degrees depending on the needs of each project.”

An RFP (request for proposal) is a formal document used by organizations to announce projects and solicit bids from qualified contractors or vendors. It details the project, expected outcomes, evaluation criteria, submission guidelines, and contractual terms so that organizations can compare proposals and make informed decisions.

Shifman said that the actual development of the technical specifications is usually based on a combination of three items: the risk management program the rail operator has in place to manage and control known risks; the applicable regulatory requirements, such as the TSA or NIS security directives; and the industry standard(s), such as IEC 62443 or NIST CSF, that the rail operator might use to manage their overall cybersecurity program.

The NIST Cybersecurity Framework (CSF), designed to evolve over time, is set to undergo a significant update. Based on stakeholder feedback, CSF 2.0 is being developed to better reflect the evolving cybersecurity landscape and assist organizations in managing cybersecurity risks.

Baron said that the original design of railways must include cybersecurity that extends to all critical systems, such as signaling, rolling stock, infrastructure, and the IT/OT/IoT networks. This is called ‘cybersecurity-by-design.’

“The cyber risk must be translated to the potential operational effects on a railway, where the damage may occur, its extent, and recommendations for remediation,” according to Baron. “It should have network segmentation to isolate any suspicious activity and its mitigation from other network parts to prevent service disruption. And it should have vulnerability management and detection of security misconfigurations, with risk scoring and prioritization to understand the impact in a rail operational context.”

Declining to speak to building engineering-grade designs, Baron said that many railways are upgrading to systems that incorporate software and open systems, which of course are more vulnerable to attack. “Consequently, these rail companies should be looking to add cybersecurity solutions which cover their rolling stock, signaling, IT/OT/IoT systems, infrastructure, and assets – including legacy assets. They should also offer cyber solutions that use a zero-trust approach and many various types of cybersecurity including vulnerability management, mitigation of security misconfigurations, threat detection, and incident response.”

Baron added that asset management is also critical with the ability to perform network segmentation so that rail service isn’t disrupted in the event of a threat. “Most importantly, when it comes to risk management, all risk management systems should be prioritized in the context of the impact on rail operations.”

With IEC 63452 listed as a work item proposal approved by the IEC for the development of an international standard for handling cybersecurity in the railway sector, the rail cybersecurity experts weigh in on what different stakeholders in the railway sector expect from the standard and on the likely effects of the cybersecurity measures it proposes.

“The first step has been taken by the CENELEC TC9X / WG 26, with the technical specification CLC TS 50701 published in July 2021,” Theocharidou said. “The IEC 63452 standard is expected in July 2025, and ENISA supports its development by hosting the PT 63452 this upcoming September in Athens. The expectations of the railway are high both from the industry and the railways, especially for increasing the cybersecurity of the OT environment.”

In the meantime, railway companies have other standards and good practices in their arsenal to apply (IEC 62443, the ISO family of standards), as they will need to secure their network and information systems to comply with the NIS2 directive, according to Theocharidou. “For example, ENISA, together with the European Railway ISAC, has issued a guide on how to build zones and conduits in a railway system. The approach was based on the CLC TS 50701:2021.”

Theocharidou further added that the directive does not distinguish between IT and OT systems but refers to ‘network and information systems which those entities use for their operations or the provision of their services’. “Both IT and OT cybersecurity need to be addressed. While the IEC 63452 standard is aimed primarily at the OT environment of railways, railway companies should not neglect their OT and IT systems, waiting for the standard to be released. Its effect will be seen in a few years after its publication, but the cyber threat landscape is evolving and there is no room for delays,” she added.

Shifman outlined that operational rail technology systems are bringing optimization, autonomous operations, and more automation, and that the technology itself could be accountable for safety one day. “And rail industry stakeholders now agree that cyber risk in these environments is business risk, and cybersecurity and safety are inextricably linked,” he added.

“The challenge has become how to proactively manage cybersecurity across these extremely unique rail environments we call Rail Tech systems including signaling, command & control, auxiliary, comfort, and public applications,” according to Shifman. “These applications exist in rolling stock, trackside, T2G communications, operational control and maintenance centers, and station networks.”

He added that operational rail tech systems like signaling and train control applications are extremely unique and specific to the rail industry. “So from the rail industry’s point of view, cybersecurity frameworks should also be unique and specific to the rail industry. And that is the challenge that the IEC 63452 standard is tackling – to customize and optimize protection and cybersecurity practices and processes for operational Rail Tech systems, especially for those systems most critical to resilient and safe operations.”

Baron said that the standard is still in its formation and not finalized. “We expect it to push in the direction of cybersecurity awareness but it’s a bit early to see the effects,” he concluded.
