Just like anything else in our world, railway systems are becoming digitalized and more connected. But with increased connectivity and dependence on digital technologies, comes a rise in security threats. Disabled ticketing systems and forged track switching signals are just some of them. What is the wider context of this and what can you do to protect your industry?
What are the main cyber threats to the rail industry?
The most common cyber threats are:
- Malware – software intentionally designed to cause disruption or to compromise a user’s computer security and privacy. Applied to railway systems, it may trigger shutdowns or major disruptions, e.g., of ticketing or dispatching systems.
- Ransomware – piece of software designed to render computers inoperable by encrypting important data and extorting money to restore it. An example of such an attack is the incident from 2017, when Deutsche Bahn’s passenger information screens were infected and frozen.
- Targeted ransomware – convincing phishing emails that let a threat actor steal login credentials, gain remote access and exfiltrate even more sensitive information. They then plant and trigger ransomware, crippling operations and demanding money to decrypt the data.
- Intellectual Property piracy or theft – accessing, reverse engineering or replicating a particular piece of software with the explicit intention of sharing it for free or selling it for profit.
To get an idea of how exposed the railway sector is to cybercrime, the British computer security firm Sophos, in cooperation with Koramis of Germany, created project Honeytrain. A virtual, yet very realistic, rail infrastructure was reproduced to serve as a honeypot for hackers. In the six weeks the project ran, 2,745,267 attacks were identified! Most attempts originated from China (41%), the USA (9%) and France (7%).
As for the cyberattacks themselves, they usually take one of the following forms:
- Tampering with existing binaries
- Running a malicious binary file
- Tampering with existing data files
- Substituting malicious data files
- Attaching a debugger to a running process to understand and/or alter its behavior
- Using valid apps in a malicious way
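The first four forms above (tampering with or substituting binaries and data files) are exactly what a file-integrity baseline catches, which is also the kind of continuous monitoring the Detect function described later calls for. The following is an added illustration, not code from the original page or from Irdeto; the directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Known-good manifest: every file under root (POSIX relative path) -> digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift: modified (tampered), added (dropped-in/substituted), missing (removed)."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny deployment with one binary and one data file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "dispatch").write_bytes(b"\x7fELF-constructed-binary")
        (root / "timetable.csv").write_text("train,track\nIC101,3\n")
        baseline = build_baseline(root)  # taken at deployment time
        # Simulate the listed attack forms: a patched binary, a swapped data file, an unexpected new binary.
        (root / "bin" / "dispatch").write_bytes(b"\x7fELF-constructed-binary-patched")
        (root / "timetable.csv").write_text("train,track\nIC101,4\n")
        (root / "bin" / "helper").write_bytes(b"new-unexpected-binary")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and signed, otherwise an attacker who can rewrite the binaries can rewrite the manifest too.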
Why are rail networks so hard to secure and defend?
Given the size, scope and ubiquity of the rail industry, coupled with its myriad owners, operators and users, there are many opportunities for exploiting components of transportation systems in unanticipated ways. The main reasons it is difficult to secure and defend are:
- Environmental – the large spatial scale and geographical distribution of the rail system in combination with multiple touchpoints with other infrastructure make it extremely difficult to secure and defend. The complexity, combined with the major environmental aspects and a large moving fleet doesn’t make it any easier.
- Technological – railways are complex and sophisticated systems that usually require multiple vendors (and their technologies) to come together. Some synergies need to exist between these multi-vendor systems, and cybersecurity needs to cover all the different puzzle pieces to defend the railway systems against cyber risks.
- Operational – the lifecycle of railway systems is about 30 years, so the systems in use today are from thirty years ago and in most cases are obsolete from a security point of view. As cybersecurity advances, the systems being deployed now will in turn be obsolete in 30 years’ time. This makes it important to have an agile security system that can be upgraded as changes emerge.
- Safety – any updates required in the customer environment may need the approval of regulatory bodies and processes to be followed. For people’s safety, all updated components must stay safe and ensure they don’t present exploitable vulnerabilities. This can be both time and resource-intensive and can result in delays.
What are the security standards for the rail industry?
Currently, IEC 62443 – security for industrial automation and control systems – is the main standard used for security. Its rail-specific adaptation, CENELEC TS-50701, was approved and released in June 2021.
IEC 62443-2-1:2010 defines the elements necessary to establish a Cyber Security Management System (CSMS) for Industrial Automation and Control Systems (IACS). It also provides guidance on how to develop those elements. The rail-specific derivative of IEC 62443 is TS 50701.
For North America, there are two entities responsible for setting the standards: American Public Transportation Association (APTA) and US-CERT.
- APTA is an industry association that has released the following standards:
  - APTA SS-ECS-RP-001-14 Recommended Practice: Cybersecurity Considerations for Public Transit
  - APTA SS-CSS-004-16 Securing Control and Communications System in Rail Transit Environments Part III b: Protecting the Operationally Critical Security Zone
  - APTA SS-CSS-RP-001-10 Recommended Practice: Securing Control and Communications Systems in Transit Environments Part 1: Elements, Organization and Risk Assessment/Management
- The US Computer Emergency Readiness Team (US-CERT), a government body, has issued the following documents:
  - Transportation ICS Security Standards Strategy DHS 2013
  - ISA/IEC 62443(-2-4) Requirements for IACS Solution Suppliers
  - NIST 800 series
For Europe, there is the Rail Cybersecurity Guidance to Industry Department for Transportation:
- UK Railway Safety and Standards Board (RSSB) standards
- European Union Agency for Network and Information Security (ENISA) railway recommendation Industry Specific Guidance
- EN50126 (RAMS) – Railway Applications
- EN50128 (Rail Control and Protection) Safety Critical Development
- EN50129 (Rail Safety Related) Safety Related Communication for Signaling
- EN50159 (Rail Safety Related Communications) Communication, Signaling
For the Asia-Pacific region, there is the Rail Cybersecurity Guidance to Industry Department for Transportation:
- AS7770, RISSB – Australia Rail Industry Safety and Standards Board standards
Are traditional IT cybersecurity solutions unfit for rail systems?
The short answer is yes. Security solutions traditionally used in the IT sector are too tightly bound to a particular computing model. As such, they are tailored to cyber risk profiles that are fundamentally different from those applicable to the railway industry.
How do you build a railway cybersecurity strategy?
You should build your railway cybersecurity strategy using the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This security methodology provides guidance on how an organization can manage and reduce cybersecurity risks, shifting the risk management approach from reactive to proactive. The NIST framework consists of 5 elements:
- Identify – determining the organization’s critical assets, current risk management practices and security capabilities.
- Protect – defining the necessary defenses and safeguards that ensure prioritization of the security of both the critical systems and assets. Its role is to minimize the impact of any cybersecurity incident.
- Detect – requiring organizations to have continuous monitoring and threat detection measures in place so that security incidents can be promptly identified when they occur.
- Respond – developing and implementing security measures against detected cybersecurity incidents, so that the organization can contain and mitigate them.
- Recover – developing and implementing measures to restore any functions or services damaged by a cybersecurity incident, e.g., by implementing a disaster recovery and business continuity plan.
How can you protect railways from cyberattacks?
Detecting threats and protecting railway systems is possible with existing solutions. Depending on the part of the system you want to protect:
- You can define the necessary defenses and safeguards that ensure prioritization of the security of the critical systems and assets. This can be achieved by applying, e.g., the firewall component of our Asset Protection solution.
- To continuously monitor and detect threats, you can implement the Anomaly Detection System (of Asset Protection).
- You can contain and mitigate security incidents by Device Management (of Asset Protection).
Can I get railway security checked after purchasing a solution?
Irdeto’s Connected Transport team can provide in-depth insights, guidance and proven cybersecurity protection.
Cybercriminals have at their disposal sophisticated tools that allow them to wreak havoc in the railway industry. But you’re not facing this challenge alone: reach out to us today for a discussion on how Irdeto can ensure secure connectivity and safety on track.