Set up by the International Railway Summit (IRS), the ‘Steps to protect critical rail networks in the age of digital transformation’ webinar took place on 28 July and addressed the increasing number of cyberattacks the sector has been facing recently.
During the conference, cybersecurity experts working in the industry provided several solutions to allow railways to shield themselves from future attacks.
Here are three things we learnt from it.
The railway sector is increasingly under attack
Historically, the railway sector has never been much on the radar of cybercriminals. Things have changed in the last six months when an unprecedented amount of railway-related companies have become victims of cybersecurity attacks.
One recent example is Swiss rolling stock manufacturer Stadler, whose IT systems were attacked in May. The company’s files were also leaked when it refused to pay a $6m ransom.
Yet Stadler’s case was not isolated. More recently, Spanish railway infrastructure manager Adif was allegedly targeted by a cyberattacker who threatened to release 800GB of data.
According to Waterfall Security Solutions' Dr Jesus Molina, if cybercriminals realise that the threat of data loss is not enough of a deterrent to make companies pay ransoms, attacks will escalate and are likely to hit operational technology (OT) systems instead.
The situation is so serious that the US Cybersecurity and Infrastructure Agency (CISA) released an advisory in May, recommending immediate action. In the document, CISA listed the most observed tactics used by cybercriminals, including spear phishing and the deployment of commodity ransomware.
Spear phishing is used to access businesses’ IT networks to eventually gain control of their OT system, while commodity ransomware is used to encrypt data.
One of the reasons behind the recent escalation in cyberattacks is that railway systems are now highly connected, especially between control centres and IT systems, while their protections can often be bypassed easily. This combination leaves them highly vulnerable to attack.
To strengthen the industry, Molina said that cybersecurity preconditions need to be put in place, including a separation between vital and non-vital networks and different levels of criticality.
When a non-critical level is compromised, business functions and efficiency are hit but the rest of the railway service is safeguarded. When a safety-critical level is attacked, on the other hand, operational safety is impaired.
Different levels should be used as layers to avoid criminals accessing the systems’ most critical parts.
According to Molina, unidirectional security gateways are one technology that could help increase protection. Built as a combination of hardware and software, a unidirectional security gateway uses hardware that can physically send information in one direction only, so attackers have no path back to the source. The software then replicates servers and emulates devices from the OT side to the IT side, so attacks cannot propagate into the industrial network through the gateway.
“We see the level of attacks has increased because criminals see rail as fragile. So it’s time to better secure these systems,” he added.
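The layering Molina describes (levels of criticality, with OT data reaching IT only through a one-way gateway) can be turned into a simple policy check over a network's flow rules. The following is an added example, not code from the webinar or from Waterfall Security Solutions; the zone names, criticality levels and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Criticality levels, highest = most safety-critical. Zone names and levels
# are constructed for this example, not taken from any real network.
ZONE_LEVEL = {"internet": 0, "corporate_it": 1, "control_centre": 2, "vital_signalling": 3}
OT_MIN_LEVEL = 2  # zones at this level or above are operational technology (OT)


@dataclass(frozen=True)
class Flow:
    src: str                   # zone that initiates the connection
    dst: str                   # zone that accepts it
    via_gateway: bool = False  # crosses a unidirectional (one-way) gateway


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow breaks the layering policy, else None."""
    s, d = ZONE_LEVEL[flow.src], ZONE_LEVEL[flow.dst]
    # Rule 1: a less critical zone never initiates into a more critical one.
    if s < d:
        return f"{flow.src} -> {flow.dst}: lower-criticality zone initiates into a higher one"
    # Rule 2: data leaving OT for IT goes only through the unidirectional gateway,
    # which replicates OT data to the IT side with no return path.
    if s >= OT_MIN_LEVEL > d and not flow.via_gateway:
        return f"{flow.src} -> {flow.dst}: OT data reaches IT without a unidirectional gateway"
    return None


def audit(flows: List[Flow]) -> List[str]:
    """Run check_flow over a rule set and collect every finding."""
    return [finding for finding in map(check_flow, flows) if finding]


# Constructed sample rule set resembling a firewall or flow inventory.
SAMPLE_FLOWS = [
    Flow("corporate_it", "internet"),
    Flow("vital_signalling", "control_centre"),
    Flow("control_centre", "corporate_it", via_gateway=True),
    Flow("corporate_it", "control_centre"),  # rule 1 violation
    Flow("control_centre", "corporate_it"),  # rule 2 violation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("FINDING:", finding)
```

Run against a real rule export, the same two checks flag any IT-initiated path into control or signalling zones and any OT-to-IT path that bypasses the gateway.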
The supply chain needs to be included in cybersecurity resilience plans
According to Washington Metropolitan Area Transit Authority chief information security officer (CISO) Kyle Malo, it is fundamental to ensure the security of the whole supply chain.
The reason is that attackers might interfere with the supply chain at the manufacturing level or exploit weaknesses in a delivered product, resulting in a lack of customer safety, data compromise and lost revenue.
Malo explained that, for the supply chain to become safer, some simple lessons need to be implemented.
Companies should not wait for state regulations before taking action, he added. Regulation is a particular problem in the US, where there are discrepancies between individual states and the federal government as regards cybersecurity. Everyone should realise that securing technology systems has become a ‘must and act’, said Malo.
Identifying the key players in the supply chain’s governance is also fundamental as all stakeholders need to implement cybersecurity in order for it to work.
To defend against all potential threats, Malo also advised the sector to develop a spectrum of cybersecurity language and requirements while training employees to understand the difference between OT and IT systems.
Employees, especially contracting officers, have to be trained to recognise the technology in all its forms.
“They don’t [need] to just glaze over it, they have got to ask these tough questions,” he concluded.
The industry should take a more holistic approach when dealing with cybersecurity
Rail leaders need to approach the topic of cybersecurity with a holistic, 360-degree view.
This is what we learnt from Massachusetts Bay Transportation Authority CISO Michael Woodson. The authority operates rail networks in the greater Boston area.
According to Woodson’s estimates, the railway cybersecurity market in North America is expected to grow from $1.3bn in 2019 to $2.2bn by 2027.
The reasons behind this growth, said Woodson, are the rising number of recorded cyberattacks, driven by factors including digitalisation and growing technological complexity.
Cyberattacks are in fact becoming more sophisticated as businesses and private clients adopt ever more up-to-date technologies to protect themselves.
Woodson said that – given the railway sector’s reliance on shared information technology – cybersecurity is a problem that interests everyone, without distinction between freight, passenger or even underground services.
What is needed, he explained, is therefore a single strategy that encompasses all the elements of railway systems, including corporate and safety operations.
This 360-degree approach needs to be a uniform programme based on risk analysis, in which both public and private partnerships are pursued to share as much information as possible. These partnerships should include vendors and, in the case of the US, federal government agencies.
Woodson concluded that a further step is to train employees in basic ‘cyber hygiene’, teaching everyone to recognise fraudulent practices such as phishing.