Railway Competent Cybersecurity Planning Keeps Trains on Schedule
The digital upgrading of railways is bringing many benefits to rail operators in terms of operational efficiency, reliability, and safety. Most passenger experiences are improved as well. But along with these improvements comes exposure to hacking and cybersecurity threats.
As a primary form of transportation for people and goods, railways are part of the lifeblood of a country’s social and economic activity. As such, it’s not too hard to understand that they’ve therefore become attractive targets for cyber attacks due to the enormous impact that can result if rail service is disrupted, even if it’s just for a few hours.
Cyber-crime is a profitable business, and protecting against it can amount to a substantial expense for organizations that need to defend rail operations. Just as legitimate IT workers constantly evolve their capabilities, cyber-criminals are continually honing their skills, forcing rail operators and designated managers of critical rail infrastructure to adapt their methods of threat abatement. Typically, discussion of cybersecurity revolves around technological solutions to address such threats.
With digital transformation comes risk
It should come as no surprise that digitalization is transforming the rail industry just as it’s affecting many other industries. The adoption of Internet of Things (IoT) technologies and IP-based networks is improving rail passenger experiences, increasing operational efficiency, and enhancing safety, which are all positive benefits. At the same time, these very improvements increase the vulnerability of rail operations to cyber attacks.
But technology is only one part of the solution in terms of addressing threats. It’s now become clear that dual layers of protection, both technical and procedural, are needed to keep trains running smoothly. What rail operators likely need to consider going forward is the application of a holistic security strategy that takes into account both technical and process enhancements. To keep up with the new rise in attacks, all rail operators should consider moving from a legacy reactive security infrastructure (i.e., detection and response) to a proactive automated security lifecycle. To implement this strategy, it’s recommended that firms follow a security orchestration, automation, and response (SOAR) method.
With digital transformation comes risk
Numerous factors are driving rail operators to identify and classify risk, to install defenses, and to make preparations for the restoration of service in the wake of an incident as quickly as possible. Regulatory pressures have brought some of this to the forefront. But in the end, failing to address cybersecurity threats is a risk unto itself.
Regulations such as the EU’s Network and Information Security (NIS) mandate require that comprehensive protection be developed, and failure to take such measures can result in substantial fines. While interpretations of NIS vary by country, certain basic standards must be adhered to and maintained. Keeping these preparations updated amidst a quickly evolving regulatory and threat environment isn’t simple.
Mitigation and monitoring
No matter what the specifics are of the regulatory framework under which a railway operates, a successful cybersecurity plan depends on the ability to detect risks ahead of time and mitigate all threats, whether they’re from hostile actors or are simply the result of human errors. Real-time reporting and monitoring capabilities are a minimum requirement to permit security teams to respond to and track emerging events.
More and more, rail operators are examining SOAR solutions in order to provide needed tracking and analysis functions. These solutions can offer a variety of benefits, including the prevention of unauthorized access and system misconfiguration, faster root cause analysis of problems, quicker response via application of predefined rulebooks, and simplified/standardized reporting of incidents to federal and regional security-response teams.
Because they’re usually designed to be vendor-agnostic, SOAR solutions are capable of interacting with numerous vendor-independent technologies used to compile data and trigger specific actions. Via the application of machine learning and advanced analytics, these systems can offer advanced detection and correlation capabilities for precise risk prediction and subsequent root-cause identification. In turn, this can afford a real-time security status, providing greater lead times for the execution of target mitigation.
Likewise, customizable dashboards with broad reporting and search functions can be optimized for individual needs of security management professionals and technical experts. Automated workflows allow the mitigation and investigation of threats, permitting experts to strengthen their response, especially for general intrusions and/or faults.
A classic vulnerability that rail operators (and indeed, all IT networks) can face is unauthorized access to systems via human errors—such as using known or weak passwords. It’s critical to eliminate this security loophole via the use of consistent, robust security policies, along with network-wide, automated security measures, such as mandatory complex passwords and password aging.
Across all network infrastructure, the use of standardized security policies, such as identity management systems for all users of critical networks—including video/text logging for ensuring compliance—can improve security overall. This will help to address increasing needs for rail operators to better track who’s accessed certain network (and when), to enable the identification and source of vulnerabilities, and to ascertain who’s made use of any resulting backdoors. Such long-term forensic capabilities are often required by regulators.
Configuring systems improperly can also result in vulnerabilities. Automating configuration audits can help identify and address risks, giving operators much-valued peace-of-mind. One key element of audits is implementing fully automated error IDing, which can eliminate the need for time-consuming manual scripts and/or processes and allow for better troubleshooting. These steps, if applied both before and after upgrades, can guarantee that changes have been executed correctly and can advise engineers of possible impacts to service before new applications or equipment are turned on. Regularly scheduled configuration checks can identify and eliminate configuration errors, ensure detection of vulnerabilities, and confirm network configuration compliance, improving quality and decreasing service needs before they result in outages or performance degradation.
Internet of Things security
The coming era of IoT will bring much change to railways, just as it will to other industries. With rail, the billions of “things” that will be connected by IoT networks will likely be cameras, monitors, sensors, meters, controllers, and actuators. These devices will have the same security needs as computers, smartphones, and other consumer devices. Their connections will need to be secure, their data will need to be safeguarded, and their privacy will need to be maintained to prevent manipulation, hacking, and other nefarious misuse.
Autonomous operation of such IoT devices brings with it security challenges that are not addressable by security management solutions currently in use for smartphones. Most rail devices that will eventually make up IoT networks are not operated by humans and typically don’t have conventional user interfaces. Also, many of these devices are designed to operate unattended for extremely long periods of time, with no human interaction needed or expected. Fortunately, current IoT security solutions can observe network traffic from these devices and alert operators to any abnormal behavior.
For mission-critical equipment, such as signaling devices, any faults or alerts need to be dealt with in real-time to maintain seamless service continuity. Also, corrective action needs to be initiated automatically—by the devices themselves—based on a rail operator’s security policies. And finally, data transmitted from and to IoT devices must be able to be audited for governance, accuracy, and regulatory compliance.
Many IoT devices are unable to share information with networks on a regular basis; thus, it’s critical that these devices be identified and certified as such when they’re deployed. Both current 4G LTE networks and new 5G networks come with certificate management systems that are designed to address this specific issue.
The LTE standard was devised by the global standards body 3G Partnership Project (3GPP). It includes public key infrastructure (PKI), which enables encryption of all communication traffic from wireless devices to network infrastructure and can permit secure IoT connections. In order to ensure this process is seamless, all devices must be confirmed as trusted before they’re introduced to a network.
Because it originated as a multi-vendor, open framework that integrates a broad array of devices from an unlimited number of suppliers, LTE’s certificate management capabilities are well-suited to securing IoT devices. Certificates provided by manufacturers have unique, secure identifiers that allow operators to detect modifications or tampering prior to deployment and identify the devices once they’re in operation.
It should be stated, however, that managing digital certificates brings with it additional complexity; many certificates and a diversity of suppliers (the certificate authorities) may require significant efforts to manage deployment and renewal tasks. To address this, technologies that automate the use of digital certificates can result in operational savings and eliminate costly errors.
Machines and humans—an ideal pairing
When tackling the challenge of rail cybersecurity, strong cooperation between secure technologies and established—yet dynamic—management processes is crucial. It should be recognized that cybersecurity threats are directed by humans, not machines, and rail security personnel therefore have a key role to play in alleviating such threats. But providing these workers with updated, advanced tools to defend networks and systems is just as important for securing all train operations.