Amir Levintal is the CEO and co-founder of Cylus, an Israeli cybersecurity firm specialised in the rail industry. His company’s signature CylusOne continuous monitoring solution was recently paired with competitor Waterfall Security Solutions’ Unidirectional Security Gateways to create a product that aims to protect critical rail systems from cyber-attacks.
While in London for the Rail Cyber Security Summit, he sat down with Future Rail magazine to discuss cybersecurity on metro networks like the Underground, what differentiates them from traditional rail systems, how operators are preparing for cyber threats and more.
Adele Berti: What are the current cybersecurity threats to large metro networks like the London Underground?
Amir Levintal: Over the last few years there have been more and more new technologies introduced and adopted by the rail industry. There’s now wireless communication everywhere; there is Wi-Fi on trains and at stations and the operational control centre (OCC) can now operate trains through wireless systems such as the European Railway Traffic Management System (ERTMS) and communications-based train control (CBTC) signalling.
But all these new technologies expose the trains to cyber-attacks, so when there is wireless communication, it makes sense that an attacker can leverage it to cause disruption. As a result, attackers can do anything – the minimum being causing disruption and stopping a train, the worst being interrupting operations on the whole network. Another aspect is that if the attacker is able to control the switches of the tracks, or the speed of the train, they could cause serious accidents. [They could also cause accidents by] disabling the braking systems, opening the doors and so on.
Sometimes rail companies think that if they are safe, they are also secure but they need to understand that security is not safety. If the network is safe, it only means that everything works.
AB: Are metro networks prepared enough to meet cybersecurity threats?
AL: They need to understand if an attacker is currently within the net. Up until recently, [operators] were under the assumption that their networks were isolated from external factors. When this axiom changed and attackers showed that they can get into their networks, [operators] didn’t have any security measures capable of detecting them within the network because they had assumed that no one would get into them.
It’s like in the physical world – your garden may have fences, so you assume no one will get into it but if someone manages to do it, you want to have CCTV cameras or similar to detect them [in the future].
This is the first thing that they need to do: they need to understand that attackers can break into the network and, once they do, they can do whatever they want because there are no other security measures.
AB: What are the most successful strategies large metro networks should adopt to protect themselves from hackers?
AL: First of all, they need to have better visibility of their networks and understand their assets. Theoretically, we can assume that operators understand exactly what their assets are and how they are connected but practically, that’s not the case – they probably won’t even know if someone connected a computer to the OCC.
The second thing is that they need to have security measures that are able to detect malicious activities within the network. So, from a technological point of view, they must understand if there are traces of attackers with the internet.
From the passenger’s point of view, they need to raise awareness because rail companies serve tens of thousands of people and even one person can have a big impact on the network. Finally, from the processes’ point of view, they need to assess the network once in a while in accordance with the [European Commission’s EU] Network and Information Security (NIS) directive.
AB: What differentiates metro systems from rail networks in these regards? Which one is more vulnerable to cyber-attacks?
AL: Mainline intercity networks are spread over large [sections] of land and people are everywhere so anyone who can intercept the wireless communication can attack that. This opens up new kinds of vulnerabilities. It’s not easy to even physically protect all these tracks, let alone technologically.
As for urban networks, it depends on the specific network but generally, once you stop a train you can create a ripple effect that causes huge disruption across the whole network, as opposed to mainline services where usually you have only two tracks and alternative routes. With timings between one train and the next so short, creating huge disruption in metro undergrounds is easier while causing safety incidents is easier on mainlines.
AB: 5G is one of the most anticipated technologies set to revolutionise the world, including these metro networks. Does its arrival represent an extra challenge and if so, how can it be tackled?
AL: The uniqueness of 5G is that it’s able to provide multiple services in one link, and it’s very good for the companies that can share information with their customers, but we should assume that each link can be penetrated. And once rail companies start using LTE [long term evolution] data for their operations, they will need to understand that.
AB: Cybersecurity is no longer a novelty in the industry, which has often been targeted by hackers – like the 2017 WannaCry attack in Germany. What has been learned about these attacks?
AL: Adding to the Germany case, four cyber-attacks took place on the UK rail network in 2017. Everybody should understand that a hacker is not someone with a hoodie that is working alone. Usually, these are groups of very talented people, highly connected with a lot of resources and with a lot of time at their disposal, so not under pressure.
They have a lot of knowledge and are aware of the fact that railway companies are often public companies and therefore must share all types of information through the internet. Hackers are able to take this information and wait for the specific time to launch their attack. These are not spray-and-pray attacks.
AB: We’re seeing increased use of new technologies like artificial intelligence in operations within the industry. What is their potential in helping to tackle cybersecurity?
AL: These new technologies typically help improve operators’ ability to detect abnormal behaviour within their networks. However, we should remember that it’s not only the protector that has them at its disposal, but also the offenders. We usually think that the defender is one step ahead, but attackers have the same abilities.
AB: Can you run me through your recent partnership with Waterfall Security Solutions, and how it could enhance cybersecurity on metro networks in the future?
AL: We both understood that cooperation is key to help rail companies protect their own networks. Waterfall provides a unidirectional gateway to the network from the network, which means that they’re able to send information from an isolated network to another isolated network without breaching the isolation, while we are able to provide the visibility to the network.
These two technologies combined enable rail companies to protect the network in a secure way. In the future, we should all continue to cooperate with other companies because attackers already are cooperating, they are connected, so we must be also connected to each other.
AB: What does the future look like?
AL: The pace of the [rail industry’s evolution] hasn’t been so high until now, but with increased mobility in the transport sector, everything is connected and the pace will be higher.
The rail industry understands that in order to be competitive you need to be faster. This is good for travellers but it exposes networks to two main consequences. The first one is the connectivity that is now in a larger space and dimension. And the second thing [has to do with] the pace of adopting technologies; once you’re adopting more and more technologies and the faster you do it, the harder it will be to do it.