The Modern Railway Systems: An Analysis of IT and OT Cybersecurity Threats

The Context

As we continue to embrace digital transformations in our #criticalinfrastructure , our transportation networks – particularly railways – have seen massive advancements in terms of automation and control systems. However, these improvements have also exposed railway networks to a host of #cybersecurity #threats . This article will delve into these vulnerabilities with a keen focus on #IT and #OT within the context of modern railway systems.

Traditionally, IT and OT systems in railway networks have been segregated. IT covers data-centric systems such as ticketing, scheduling, and administrative work, while OT pertains to the machinery and equipment that manage the actual movement and operation of the trains.

Today's interconnected and increasingly complex networks have blurred the boundaries between IT and OT, resulting in new points of cyber vulnerability.

What Cyberattacks can happen on Railway Networks?

One incident that exemplifies this threat was the cyber-attack on San Francisco's Municipal Transportation Agency (SFMTA) in 2016. Malware infected the agency's Windows-based workstations and servers, impacting the ticketing system and forcing SFMTA to allow free rides over the weekend. While no safety-critical systems were #compromised , it clearly underscored the susceptibility of IT networks in railway operations.?

A more dire scenario was seen in 2020 when Iranian hackers reportedly targeted Israel's rail infrastructure. According to cybersecurity firm ClearSky, the attack aimed to cause #physical harm by infiltrating control systems linked to railway traffic. This incident illuminates the potential threats to OT systems that control essential railway operations, signaling a shift from data theft and financial gain to actual physical disruption.

The #sophistication of these threats has only escalated in recent years. #APTs , Advanced Persistent Threats are of particular concern, wherein attackers continuously and stealthily try to infiltrate the system. These #attacks , if successful, could potentially disrupt railway operations, cause safety issues, or even bring entire networks to a standstill. As seen in the 2017 CRRC cyber-attack, APTs targeted critical infrastructures of the Chinese rolling stock manufacturer, leading to significant disruptions in both IT and OT networks.

Typical Systems That Needs Protection:

Modern railway networks employ a variety of systems to manage their operations, ensure passenger safety, and maintain efficient and punctual services. Here are some examples of systems found in a typical railway network:

• Signaling System: These are responsible for controlling the safe movement of trains by using signals that dictate when a train can proceed and the speed at which they can travel.
• Railway Infrastructure Management: It handles tasks like inspection, maintenance, and repairs of tracks.
• Train Control Systems: They can be automatic or manual and are used to control the operation and movement of trains. This includes accelerating, braking, and door operation.
• Train Protection Warning System (TPWS): This system automatically stops a train at a red signal or reduces the speed of a train that is approaching a speed restriction too fast.
• Communication-Based Train Control (CBTC) System: A railway signaling system that makes use of the telecommunication between the train and track equipment for the traffic management and infrastructure control.
• Onboard Diagnostics and Monitoring Systems: These systems monitor various parameters of the train’s operation and condition, alerting engineers to any potential issues that need to be addressed.
• Ticketing and Fare Collection Systems: These systems handle the sale and validation of tickets for travel. They may be physical systems or increasingly digital platforms.
• Passenger Information Systems: These systems provide real-time updates to passengers regarding train timings, delays, and other relevant information.
• Centralized Traffic Control (CTC) System: This system allows railway operators to manage train routing and scheduling from a central location.
• CCTV Surveillance System: Used for ensuring the security of passengers and railway assets.
• Power Distribution Systems: These systems manage the power supply for trains and other infrastructure.
• Maintenance Management Systems: They assist in planning, scheduling, and managing maintenance activities for trains and infrastructure.
• Asset Management Systems: They keep track of the railway's physical assets, their conditions, and life cycle.
• Railway Reservation Systems: These systems manage the reservations of seats on trains, including scheduling and inventory management.

How To Protect Such Systems

To counteract these cybersecurity threats, railway companies must adopt a proactive and integrated approach to security.

• Asset Management: As mentioned in the article, keeping an updated inventory of all OT assets, including their configurations and network connections, helps identify potential vulnerabilities. An OT-specific asset management system can be helpful in maintaining this inventory.
• Network Segmentation: Maintain a level of segregation between the IT and OT networks. This reduces the risk of a compromise in one system spreading to the other. Utilize demilitarized zones (DMZs) and internal firewalls to segment the networks.
• Vulnerability Management: Regularly check for vulnerabilities in the OT system, including outdated software and unpatched systems. Vulnerability scanners that are compatible with OT systems can be used for this purpose.
• Patch Management: Ensure regular patching of all OT systems and software. If real-time patching poses a risk to operations, consider using virtual patching or implementing additional controls until the system can be updated.
• Anomaly Detection: Use advanced anomaly detection systems to continuously monitor the network traffic and identify any unusual patterns that may suggest an attack.
• Intrusion Detection: Use advanced IDS systems to monitor and identify unknown actors in the networks. This allows protection against physical security breach and unauthorized access to network equipment and sites.
• Backup and Recovery Plans: Regularly back up critical system data and have a disaster recovery plan in place. This helps ensure that operations can be quickly restored in the event of a successful attack.
• Security Training and Awareness: As the article highlights, human error can often be a weak link in cybersecurity. Regularly training the OT staff on recognizing phishing attempts, safe internet practices, and adhering to security protocols can significantly reduce this risk.
• Defense-in-Depth Strategy: Apart from firewalls and intrusion detection and prevention systems, incorporate additional layers like secure network design, application whitelisting, and physical security controls. Furthermore, use of virtual private networks (VPNs) for secure remote access is recommended.
• Collaboration and Information Sharing: Work closely with cybersecurity firms, industry peers, and governments to share threat intelligence. This collaboration can help in early identification of new threats and in developing effective defenses.
• Incident Response Plan: Have a well-defined incident response plan, which includes steps for identifying, containing, eradicating, and recovering from a cyber-incident. Regularly test and update this plan.
• Third-Party Risk Management: Manage risks associated with third-party vendors who might have access to the OT network. This could include conducting security audits and requiring adherence to strict security standards.

Regulations and Standards

Not all the #governments across the globe mandate a standard for Railway Networks' cybersecurity however, #developed governments have started providing guidelines to operators to ensure #cybersafety of this critical sector. TSA in US and DfT in UK have issued directives to the Railway operators to implement better cybersecurity controls on the critical railway networks and ensure safety of the ICS.

CISA establishes high-level prerequisites and collaborates with pre-existing regulatory authorities within each sector to enforce precise rules. The Transportation Security Agency (TSA) adopts a similar approach for freight and passenger railways.

TSA has recently used CISA's requirements to issue two Security Directives and an Advanced Notice of Proposed Rulemaking (ANPRM). The first directive, released on Dec. 31, 2021, lays the groundwork for railways to report cybersecurity incidents to CISA and coordinate with the TSA. The second directive, released on Oct. 24, 2022, mandates railways to share their Cybersecurity Implementation Plan (CIP), which clarifies their cybersecurity protection level. On Nov. 30, 2022, TSA issued an ANPRM, seeking to understand the status of cybersecurity in the rail sector better and facilitate the development of exhaustive requirements.

Similary, The Department for Transport (DfT) in UK, leveraging powers under the Railways Act 1993 and the Channel Tunnel (Security) Order 1994 (CTSO), issues mandatory counterterrorism and security directives to station and train operators. The aim is to minimize the risk of terrorism incidents, including potential cyber-attacks causing extensive chaos, damage, or loss of life. Besides, DfT offers guidance on security-related matters such as station design, staff recruitment, training, and contingency planning, and disseminates specialized governmental agency security advice within the transport sector.

Numerous nations including many in Europe, along with China and Russia, employ their established standards applicable to the transport sector, including railway networks.

Other countries with expansive railway networks can initiate the implementation of cybersecurity standards by adopting CISA directives. They can also leverage local consultancy firms to create and tailor standards suitable for their domestic networks.

The Importance of Cybersecurity Frameworks

A cybersecurity framework comprises pre-defined controls and serves as a valuable tool for organizations when establishing their cybersecurity programs. While the Security Directives and ANPRM do not mandate a specific cybersecurity framework, leading cybersecurity framework providers like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) offer widely-used standards.

Companies within the rail industry, recognized as Critical Infrastructure by CISA, must adopt a cybersecurity framework to respond to TSA's directives and the call-to-action through its ANPRM. This approach ensures adequate protection against potential cyber threats, fulfilling the requirements defined by the overarching cybersecurity framework.

Conclusion:

In conclusion, as we continue to see the integration of IT and OT systems in modern railway networks, the associated cybersecurity threats cannot be ignored. Understanding these threats and taking the necessary proactive measures will be paramount in ensuring the safety and reliability of our railway networks moving forward. These efforts must include cooperation between the railway industry, cybersecurity firms, and governments to share threat intelligence and develop robust security frameworks that can withstand these evolving threats.

?