Rail remains one of the most popular modes of transportation. In a typical year, US freight railroads move around 1.6 billion tons across nearly 140,000 miles of track. US citizens traveled more than 12.5 billion kilometers by rail in 2021. Thousands of railways — from national and regional networks to intra-city light rails — have been built to connect the country and its industries, turning rail into a critical component of the nation’s economy.
Given this enormous volume, and given how few cybersecurity tools are designed for rail, the appeal of railways as a target is obvious.
Consider what would happen if a cyber threat actor decided to disrupt the delivery of life-saving pharmaceuticals in the middle of a pandemic, or if a nation-state cyber force targeted the transport of ammunition to a US Army base.
Safety vs. Security
What sets rail cybersecurity apart from traditional enterprise cybersecurity is the volume and complexity of the equipment and the number of critical networks: the sheer size of the rail network, the number of endpoint devices, the number of distinct networks (SCADA, rail, regular IT, dedicated IT such as ticketing, and more), and the fact that most systems cannot be patched. In addition, most rail infrastructure is 30-plus years old and expensive to replace.
The fact that rail infrastructure is designed for safety puts it in direct conflict with cybersecurity protection. Software systems have been set up to exacting standards by the original equipment manufacturers (OEMs) — Bombardier, Siemens, etc. — and if the internal software is altered in any way, the OEMs can withdraw their safety certifications, rendering the entire rail network inoperable.
In addition, even a single railcar has a vast threat surface that cannot be easily protected. The car’s public Wi-Fi and entertainment network can provide easy access into the operational network, which controls HVAC, brakes, doors, and fire equipment; the signaling system, which may stop the train completely, causing a collision with the train coming up behind it; and, finally, the remote access OEMs use for regular preventative and predictive system maintenance.
It’s also important to remember the vulnerabilities that come with relying on third-party vendors, whose connectivity to the rails can lead to rail shutdowns. In October 2022, a third-party cloud provider to Denmark’s rail network was breached, and as a precaution, the entire railroad needed to be shut down. Recently, the Belt Railway Company of Chicago faced a ransomware attack.
In short, it’s pretty daunting when you think about the potential volume of vulnerabilities across a rail network.
TSA and Rail Cybersecurity
Quite understandably then, in December 2021, the Transportation Security Administration (TSA) put a greater focus on infrastructure cybersecurity, releasing its first set of security directives for rail, which proved too onerous. Less than a year later, in October 2022, the TSA updated its recommendations to Rail Security Directive 1580/82-2022-01 to make it easier for the railways to comply.
The TSA directive was designed to “reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through implementation of layered cybersecurity measures that provide defense-in-depth.” The directive specifies that railroads must provide an annual cybersecurity plan to TSA for approval; the railway will then be evaluated based on its compliance.
Rail systems face greater challenges than most other industries (including other transportation sectors, like aviation, which the TSA also regulates) due to the complexity and age of their systems. Digital connectivity and equipment have grown over time, propelling the industry to undergo digital transformation. Hundreds of different technologies and disparate systems have been combined in unique ways to keep the railroads running and customers satisfied. Unfortunately, this growth has also expanded the attack surface.
What was once enough for railways in terms of security is no longer sufficient, and getting the details right is where true security lies. Railways must have full visibility of their systems, including interdependencies, external connections to those networks, and zone definitions and network segmentation policies for better visibility of assets and quick incident response. In addition, communication across zones must be controlled and protected to ensure system integrity and prevent compromise when rolling stock is in transit.
Everything must be prioritized based on criticality, consequence, and operational necessity: when a system is breached or a vulnerability is uncovered, the railway needs to know where the immediate danger is and where mitigation can wait.
The vastness and complexity of the systems make it difficult for traditional cybersecurity solutions to help railways fully comply with the TSA’s requirements.
Staying on Track
To even begin to comply with TSA directives, the railway must perform network segmentation, subsegmentation, and asset zoning across every single aspect of the railway — OT, IT, IoT, etc. — to discover the external connectivity and operational interdependencies. Discovering and eliminating blind spots within the systems require significant investment of time and resources and intimate knowledge of railway infrastructure.
After all the unknowns become known, railways need to be able to validate each digital interaction to make sure that every asset is safe, secure, and operating as programmed without compromising safety, security, or standard operations — or risking decertification by OEMs.
Preventing and mitigating cyberattacks are the responsibility of every CISO. Managing complexity is an inherent part of any CISO’s responsibilities; it’s the level of complexity that makes the railway CISO’s job especially challenging.
Like most enterprises, railways need to protect their critical systems from cyberattacks. This includes staying on top of both internal and external threats by managing the impact of malicious Web domains, blocking and preventing unauthorized code, establishing access management policies for command-and-control systems, and implementing standard operating procedures, such as automating security patches and updates, data retention, and analysis, so that threats can be investigated over time.
May the CISO in charge of your next commute have the necessary cybersecurity tools in place to achieve compliance and get you safely to your destination.