Transit agencies are, regrettably, regular targets of cyber threats. Just in the fourth quarter of 2020, cyber-attacks crippled public transit in Canada’s Vancouver and Quebec City. The regional transit authorities of two American cities were also devastated by severe attacks. These events highlight the risk to rail infrastructure. It has never been more important to focus on cybersecurity processes, policies and controls to defend the integrity of rail.
Rail transportation is critical infrastructure and vital to our economy. Because rail is a popular, safe, reliable and efficient way to transport large capacities, a cyber-attack on it can have dire social and productivity impacts.
Rail is at risk of:
- Ransomware attacks
- Cyber-physical threats that could endanger people or property
- Supply-chain disruption
- Fraud
- Vulnerabilities associated with the integration of operational technologies (OT) and Internet of Things (IoT)
- Cyber-enabled information operations that could discredit an organisation or cause panic.
Improved customer experiences and optimised systems have increased dependency on digital technologies. The move to interconnected public information systems, CCTV and mission-critical control systems is driving the convergence of OT and Information Technology (IT).
In addition, the increasing dependence on commercial-off-the-shelf (COTS) systems and Internet Protocol (IP) networks expands the landscape of cyber threats and vulnerabilities that rail infrastructure operators need to defend against.
Threats to the rail sector
The uptake of digitalisation has put the whole value chain at risk from state-sponsored actors, cybercriminal groups, hacktivists and ill-intentioned insiders. Any of these can take advantage of the increasing digitisation of rail technology.
Why is the rail sector at risk?
Rail management systems today often rely on a combination of legacy and advanced technology. This is further complicated by the long technology lifecycle, around 15-20 years on average, which can result in unsupported legacy infrastructure.
Additionally, the transit sector uses multiple products to provide a combination of safety, reliability, availability, and efficiency in its services. Operations are also mostly siloed into design and engineering, operations and maintenance, with little communication between them.
The use of digital technology to monitor the movements and conditions of trains has led to increased integration between IT and OT systems.
All these factors create a large cyber threat landscape and increase the complexity of managing cybersecurity.
Put simply: all this makes rail an easy target.
Security experts created “Project HoneyTrain” as a simulated subway control system to identify what hackers would attack and how. Over six weeks, there were 2.7 million access attempts against the firewalls, CCTV and media servers. In a couple of instances, hackers were able to access the train control systems as well. The project, along with recent cyber-attacks on rail networks, proves hackers possess the knowledge to effectively target critical infrastructure.
The challenge of rail cybersecurity
Managing cyber risks and implementing cyber secure practices for rail systems presents unique challenges, including:
- Use of communications protocols designed without security controls
- Lack of visibility of the rail network
- Use of legacy systems and long lifecycles of operational hardware
- Need to test and recertify systems after an update
- Introduction of new IT protocols into operational environments
- Siloed operations and lack of communication
- Shortage of professionals with knowledge of cybersecurity principles and practices.
Cybersecurity protection is only as good as the weakest link in the chain, and legacy products were not inherently designed with security in mind. Meanwhile, standards are not keeping up with the pace of change and are often misunderstood in the overall rail system context.
How to protect safety, reliability and people
Cybersecurity is vital in the rail sector. Train operators need to implement more strategies to mitigate risk. To begin, C-suite executives need to realise the threat of cyber risk. Leadership buy-in is critical to drive governance and awareness across the industry.
Individuals throughout the rail sector need familiarity with relevant security standards for industry best practices, guidelines and suggestions. ISA/IEC 62443 is the most referenced industrial security standard within global rail. Other valuable resources include: NIST, EN 50159 (European Standard), and the Rail Industry Safety and Standards Board (RISSB)’s AS 7770 in Australia.
Cybersecurity needs to be embedded into the systems’ lifecycle, making assets secure by design. Since most systems have been in service for a while, begin with a risk assessment to determine the cyber risk and criticality of each connected asset. Referring to the relevant standards and guidelines allows operators to focus their efforts on critical systems and save on costs when implementing security controls.
Ultimately, cybersecurity is not just technical controls. People and processes also play an important role. Cybersecurity defenses are only as good as the people who use and control them, so employees should be trained in cybersecurity awareness. A simple click on a phishing email can lead to a devastating chain of events. Processes need to be built and implemented to ensure secure practices are followed and managed.
Just as safety has been embedded in rail culture over the years, cybersecurity needs to become a foundational expectation. This may seem daunting given the expanse of the rail networks and systems and the shortage of skilled employees in-house. External security experts can help.
At GHD Digital, we have the cybersecurity, SCADA/OT expertise, and specialised technology partners to help you make the right strategic decisions to protect critical infrastructure – embedding Security by Design. By applying our three-pronged approach to assess, protect and manage, we can help organisations develop bespoke cyber risk strategies.
Utkarsh Bais
Utkarsh is GHD Digital’s Connected Infrastructure and OT Cybersecurity Consultant. He has over 7 years of expertise in the IT/OT industry and profound knowledge and experience in security standards and frameworks, including ISO27001, ISA/IEC 62443, COBIT, SABSA, ITIL, OSSTMM, OWASP, and NIST.