Cybersecuring railway systems from potential attackers must become paramount in the digitization that those systems currently undergo. Their cybersecurity is too closely interlinked with railway safety to leave the door open to disruption. To make matters worse, they are increasingly being targeted.
Railway systems have long been critical. Mass transit systems move hundreds of thousands of people throughout urban areas each work day. Freight systems move an estimated 40 tons of freight for every person in the U.S. every year. Imagine the chaos if they were disrupted.
These systems have always been challenging to secure. Even urban mass transit systems contain hundreds of miles of track, with thousands of control mechanisms along their routes. And interstate or international systems that move freight and natural resources to where they are needed are even more widely distributed.
For centuries, these systems were strictly mechanical, with whatever electronic controls they used strictly proprietary. Railway operators now, though, increasingly use open-source, commercial off-the-shelf (COTS) control systems. That multiplies the challenge of securing systems from those who wish to disrupt lives or the flow of products and services. Railway systems are highly vulnerable to cyber-kinetic attacks.
I speak from experience. I recently led a team in assessing security for a large rail provider. The results were shocking: we found more than 20 cyber and IEMI ways that attackers could use to instigate kinetic impacts that would cause application of emergency brakes, derailment or crashes.
Other researchers have had similar findings. Their assessments found shockingly poor practices widespread in railway industry security, such as:
- Continuing to use software for which manufacturers no longer provide security patches
- Using hard-coded passwords for remote systems
- Failing to isolate engineering systems from passenger entertainment systems that could provide hackers with access to critical systems
These are only a few vulnerabilities. And they do not go unnoticed by potential attackers.
Many potential attackers
A 2015 “Project HoneyTrain” experiment sought to determine the scope of threats against railway systems. A simulated railway infrastructure was set up to look like a real rail system to online attackers – even down to CCTV feeds, control interfaces and schedules and statuses of trains.
This system contained many of the poor security protections common to real rail systems. The researchers then analyzed traffic these systems received to see how attackers would respond.
In only six weeks, they recorded 2,745,267 attacks. In approximately 10% of them, attackers gained limited control of systems, although none gained control to the point where they could have caused serious damage if the system had been real. But once attackers breached systems, they returned repeatedly to try to penetrate deeper. This experiment shows that knowledgeable attackers actively seek railway targets – and likely find vulnerabilities they could exploit to eventually cause serious damage.
Rail systems are a prime target for terrorists, such as those who conducted the 2004 Madrid railway bombings in which 191 people were killed and more than 1,800 wounded. Al Qaeda has even published instructions online to teach sympathizers ways to derail trains, and which rail lines to target.
Ransomware attacks have made railway systems targets for criminals, too. Extortion attempts on the San Francisco Muni system in 2016 and the Deutsche Bahn German railway system in 2017 demonstrated the potential for big payouts.
Project HoneyTrain demonstrated that attackers see railway systems as desirable targets. And reports from real rail systems demonstrate that those systems are increasingly being targeted.
Digitized systems are new territory with which industry leaders have never dealt. Past mechanical control systems enjoyed a low rate of being compromised. Many analysts are concerned that overconfidence in the industry’s past record with mechanical systems will blind leaders to the increased risks as digital, remote control systems replace mechanical, localized ones. The risk is especially high with COTS systems that are often inadequately secured.
In addition to the standard security vulnerabilities that cyber-physical systems experience, those in railway systems have more. Controls in railway systems require the attention of both safety and security specialists, but each discipline approaches equipment in markedly different ways. This opens the possibility that one group may take actions that inadvertently impair the efforts of the other.
The shift from mechanical controls to digital also drastically shrinks replacement windows for system components from decades to years, or even months. That greatly increases the amount of attention those components require.
Furthermore, in contrast to safety protocols, attention to systems doesn’t stop where the rail operator’s property ends. With rail lines comprising the property and equipment of multiple operators and potentially crossing multiple jurisdictions, connections between a multitude of stakeholders must be secured, as well as the property and equipment of the individual operator.
Governmental and rail services’ response
Governments are aware of the vulnerabilities that rail systems face and are actively trying to address them. They are developing new standards to help rail services make security a priority as they transition into increasingly digitized systems.
Many rail services, too, are taking up this challenge. The UK’s rail industry body has committed to making cybersecurity an integral part of the industry’s culture and making the UK industry a model for the rest of the world. Individual U.S. rail services are focusing on improving threat monitoring practices or converging IT and OT security staffs into one body for better communication and cooperation.
Here are just a few best practices to enhance the security of railway systems:
- Breaking down the silos between IT and OT (operational technology) domains is vital to cybersecurity, and consequently safety, of railway systems. This is often the hardest task as it means empowering leaders, changing the organizational structure, and changing the long-established culture.
- Increase the materiality of railway systems cyber risks and ensure that cybersecurity decisions are made at the highest level of the organization and play a role in all organizational strategies.
- Build security into the design of every system, ideally on multiple levels; when systems are procured, ensure that their security is strong. In currently popular railway digitization projects, ensure that all of your many suppliers and systems integrators are held accountable for the cybersecurity of their part. But also make sure that someone is accountable for overall cybersecurity across all projects and technologies.
- Perform risk assessments, penetration testing and red teaming; don’t let a malicious attack be your cybersecurity’s first test.
- Practice your crisis, incident, and emergency responses to cyber-kinetic attacks or incidents.
- Isolate critical systems from passenger-facing systems, so that easy-to-access passenger systems cannot be used as gateways into critical ones. Segment all your networks following the same principles.
- Develop procedures to identify and mitigate risks in your supply chain.
- Develop procedures to ensure that patching of known security vulnerabilities is conducted in a timely manner.
- Stay informed of threat intelligence so it can fully inform security strategies.
Securing rail systems is not a simple task. This is especially true as they transition to COTS control systems that are accessible remotely via wireless or internet connections.
Many railway operators are taking this threat seriously. Danger exists, though, that systems’ sparse history of attacks will lull operators into a false sense of security that could lead to tragic consequences.
Cybersecuring railway systems from potential attackers must become paramount in the digitization that those systems currently undergo. Their cybersecurity is too closely interlinked with railway safety to leave the door open to disruption.
Originally published on CSOonline on June 13, 2018.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.