August 5, 2020, updated 24 Aug 2020 9:33am

Cybersecurity in rail: three lessons we learnt from the IRS webinar

Over the past months the railway sector has increasingly become a victim of cyberattacks. In this webinar we learnt what this actually means for the industry and how it can protect itself before things escalate even further.

By Ilaria Grasso Macola

Set up by the International Railway Summit (IRS), the ‘Steps to protect critical rail networks in the age of digital transformation’ webinar took place on 28 July and addressed the increasing number of cyberattacks the sector has been facing recently.

During the conference, cybersecurity experts working in the industry provided several solutions to allow railways to shield themselves from future attacks.

Here are three things we learnt from it.

The railway sector is increasingly under attack

Historically, the railway sector has never been much on the radar of cybercriminals. Things have changed in the last six months, during which an unprecedented number of railway-related companies have become victims of cybersecurity attacks.

One recent example is Swiss rolling stock manufacturer Stadler, whose IT systems were attacked in May. The company’s files were also leaked when it refused to pay a $6m ransom.

Yet Stadler’s case was not isolated. More recently, Spanish railway infrastructure manager Adif was allegedly targeted by a cyberattacker who threatened to release 800GB of data.

According to Waterfall Security Solutions’ Dr Jesus Molina, if cybercriminals realise that the threat of data loss is not enough to make companies pay ransoms, attacks will escalate, likely hitting operational technology (OT) systems instead.

The situation is so serious that the US Cybersecurity and Infrastructure Agency (CISA) released an advisory in May, recommending immediate action. In the document, CISA listed the most observed tactics used by cybercriminals, including spear phishing and the deployment of commodity ransomware.

Spear phishing is used to access businesses’ IT networks to eventually gain control of their OT system, while commodity ransomware is used to encrypt data.

One of the reasons behind the recent escalation in cyberattacks is that railway systems are now extremely connected, especially when it comes to control centres and IT systems, and have protections that can be easily bypassed, which makes them highly vulnerable to attacks.

To strengthen the industry, Molina said that cybersecurity preconditions need to be put in place, including a separation between vital and non-vital networks and different levels of criticality.

When non-critical levels are compromised, business functions and efficiency are hit but the rest of the railway service is safeguarded. On the other hand, operational safety is impaired when safety-critical levels are attacked.

Different levels should be used as layers to prevent criminals from accessing the systems’ most critical parts.

According to Molina, the unidirectional security gateway is a kind of technology that could help increase protection. Developed as a combination of hardware and software, unidirectional security gateways operate by having hardware send information in one direction only, so that attackers cannot trace it back to the source. The software then replicates servers and emulates devices from the OT network to the IT network, preventing attacks from propagating into the industrial network through the gateway.

“We see the level of attacks has increased because criminals see rail as fragile. So it’s time to better secure these systems,” he added.

The supply chain needs to be included in cybersecurity resilience plans

According to Washington Metropolitan Area Transit Authority chief information security officer (CISO) Kyle Malo, it’s fundamental to ensure the safety of the whole supply chain.

The reasons behind this statement lie in the fact that attacks might interfere with the supply chain at a manufacturing level or even exploit weaknesses in the product, resulting in a lack of customer safety, data compromise and lost revenue.

Malo explained that for the supply chain to be safer, simple lessons need to be applied.

Companies should not wait for state regulations to take action, he added. Regulation is especially a problem in the US, where there are discrepancies between individual states and the federal government with regard to cybersecurity. Everyone should realise that securing technology systems has become a ‘must and act’, said Malo.

Identifying the key players in the supply chain’s governance is also fundamental as all stakeholders need to implement cybersecurity in order for it to work.

To defend against all potential threats, Malo also advised the sector to develop a spectrum of cybersecurity language and requirements while training employees to understand the difference between OT and IT systems.

Employees, especially contracting officers, have to be trained to recognise the technology in all its forms.

“They don’t [need] to just glaze over it, they have got to ask these tough questions,” he concluded.

The industry should take a more holistic approach when dealing with cybersecurity

Rail leaders need to take a holistic, 360-degree approach to cybersecurity.

This is what we learnt from Massachusetts Bay Transportation Authority CISO Michael Woodson. The authority operates rail networks in the greater Boston area.

According to Woodson’s estimates, the railway cybersecurity market in North America is expected to grow from $1.3bn in 2019 to $2.2bn by 2027.

The reasons behind the drive, said Woodson, are a growing number of registered cyberattacks that are caused by factors including digitalisation and technological complexities.

Cyberattacks are in fact becoming more sophisticated because businesses and private clients are adopting increasingly up-to-date technologies to protect themselves.

Woodson said that, given the railway sector’s reliance on shared information technology, cybersecurity is a problem that concerns everyone, without distinction between freight, passenger or even underground services.

What is needed, he explained, is therefore a single strategy encompassing all the elements of railway systems, including corporate and safety operations.

This 360-degree approach needs to be a uniform programme based on risk analysis, in which both public and private partnerships are pursued to share as much information as possible. These should include vendors and, in the case of the US, federal government agencies.

Woodson concluded that another step is to train employees in basic ‘cyber hygiene’, teaching everyone to recognise fraudulent practices such as phishing.

 

 

 
