THE railway industry is no stranger to managing security in the physical sense, but as trains increasingly become digital hubs, communication systems become ever more sophisticated and corporate secrets are increasingly stored on web-connected servers, the dangers posed by a lack of digital security are growing exponentially.
Cybersecurity is a subject that has only recently become a major topic of conversation among operators, manufacturers and suppliers. But recent incidents such as the data breaches at Stadler and Spanish infrastructure manager Adif have highlighted the risks to the industry, while other incidents such as the 2015 Ukraine power grid cyberattack show the damaging impact attacks can have on critical infrastructure. The WannaCry attack that brought down German Rail’s (DB) passenger information displays as part of a larger attack that spread around the world in May 2017 also highlights how rail can be caught up in wider indiscriminate attacks.
Technology supplier Ensco Rail says it has received numerous questions from both freight and passenger operators over the past 18 months asking it to confirm that its products comply with various cybersecurity standards, highlighting how this has become a major topic of concern. This is echoed by cybersecurity analysts RazorSecure which says it has been involved in more conversations about cybersecurity over the past 12 months than was previously the norm.
But this awareness and discussion must be translated into concrete action if the industry is to remain ahead of the game - or catch up with threats it has fallen behind.
An alert issued on July 23 by the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) emphasised the growing risks, warning that operational technology (OT) infrastructure was becoming an attractive target.
“Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet, are creating a ‘perfect storm’ of easy access to unsecured assets; use of common, open-source information about devices; and an extensive list of exploits deployable via common exploit frameworks,” the alert warned. “It is important to note that while the behaviour may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.”
“There are some companies that are much further along the path, they’ve quite a strong view on what good cybersecurity looks like, and there are others that are really very much further behind.”Alex Cowan, CEO and founder RazorSecure
The state of cybersecurity in the rail industry, and its ability to respond to these threats, is very much a mixed bag says RazorSecure CEO and founder, Mr Alex Cowan.
“There are some companies that are much further along the path, they’ve been doing it for four or five years and have quite a strong view on what good cybersecurity looks like,” Cowan says. “And there are others that are really very much further behind and are starting to take the first steps, but maybe lack some of the maturity that the others have developed through starting a bit earlier.”
The risks of not taking data protection seriously include loss of intellectual property, the theft of sensitive data, and damage to high value systems and infrastructure.
When it announced the attack on May 7, Stadler said it had immediately initiated the required security measures, involved the responsible authorities and launched a detailed investigation. “Stadler’s internal surveillance services found out that the company’s IT network has been attacked by malware which has most likely led to a data leak,” the company said at the time.
Later that month, internal documents stolen during the cyber-attack were published online after the manufacturer refused to give in to a $US 6m ransom demand, to be paid in Bitcoin. “Stadler is not and was at no time willing to make payments to the blackmailers and has not entered into the negotiations,” the company told IRJ after 4GB of information was published, along with a list of files the hackers had accessed and could potentially have extracted.
The attack on Adif appears to have followed a similar pattern, with hackers claiming to have taken 800GB of data including correspondence and contracts. In a message posted to a leak site related to REvil ransomware, they threatened to publish the data if Adif did not make contact.
“Simultaneously with the publication, the third attack will follow,” the message read. “We will continue to download your data until you contact us.”
Adif confirmed to IRJ that a cyberattack using ransomware software had been controlled by its internal security services.
“The infrastructure has not been affected at any time, and the correct functioning of all its services has been guaranteed,” the company says. “Adif, aware of being the manager of a critical infrastructure such as the exploitation of the railway network, considers cybersecurity as one of the pillars of comprehensive security.”
“People think you open an email attachment and your files immediately start being encrypted but that’s not how it works.”Brett Callow, a Canadian-based threat analyst with New Zealand cybersecurity firm Emsisoft
These are not isolated incidents, with the 2020 IBM Cost of a Data Breach Report finding that the average data breach in the transport industry cost $US 3.58m, up from $US 2.9m in 2015. The average time to identify and contain a breach in the industry was 275 days.
Mr Brett Callow, a Canadian-based threat analyst with New Zealand cybersecurity firm Emsisoft, says it is a common misconception that ransomware attacks are instantaneous. “People think you open an email attachment and your files immediately start being encrypted but that’s not how it works,” he says.
“The deployment of the ransomware and the encryption of the files is very much the last stage in an attack. They will have had access to the network for days, weeks or possibly even months prior to starting to encrypt the files and they’ll have used that time to spread laterally through the network to collect credentials and steal data.”
Callow says there has been an increase in hackers stealing data from companies instead of just encrypting it. This comes despite the increased risks, as there is a greater chance that a company may notice the unusual activity and stop it before the hackers have the opportunity to encrypt the data, leaving them empty handed.
Callow says there are things companies can do to protect their data in order to stop most attacks, or at least limit their scope:
- use multi-factor authentication everywhere it can be used, including on internal administration accounts
- limit admin rights
- disable remote desktop protocol (RDP) if not needed and lock it down if it is, and secure other remote access solutions
- segment networks
- patch in a timely manner
- disable PowerShell, a cross-platform task automation and configuration management framework, when not needed
- continuously conduct security awareness training, and
- assume that perimeters will be breached and ensure the tools and processes are in place to monitor for indications of compromise.
“If you understand what typical activity looks like on your internal network you can spot things that may be abnormal,” Callow says. “Companies need to have the tools and processes in place to enable them to do that.”
Staff play a critical role in ensuring these tools and processes are followed. This was highlighted by a recent incident at Twitter, where multiple major accounts including those of Barack Obama and Elon Musk were compromised and used to promote a bitcoin scam.
The attack was made possible after the alleged United States-based hacker, 17-year-old Graham Ivan Clark, phoned an information technology employee at Twitter and convinced him that he was a colleague who needed login credentials to access the company’s customer support platform. Clark now faces 30 felonies for the attack.
As OT and IT systems become ever more closely connected, the threat of cyberattacks being used against this infrastructure continue to grow. Innovative solutions such as autonomous controls for safety critical systems, Internet of Things (IoT)-connected sensors and real-time communication services have all introduced additional attack vectors that can expand an attacker’s footprint and increase vulnerability.
These new capabilities often require integration into dated architectures and are often reliant upon legacy support systems which can be inherently less secure. Trains are also much more digitalised today than even a few years ago, with more than 100 Internet Protocol (IP) connected systems and up to 10-times as many processors onboard as previous models.
“Part of the challenge [operators and manufacturers] run into is that this adds a lot of additional risk,” Cowan says. “It means that you have an onboard network that itself needs to be secured, you have lots of different systems running a lot of different software on board as well. But there are a lot of existing suppliers that haven’t really considered how they will maintain and manage that software over the whole life of an asset. That’s probably the biggest gap I see in the industry today.”
This complexity can pose real challenges to operators trying to protect their fleets, especially if they’re not aware of just how extensively connected they are and what systems need protecting.
“The thing that I find quite extraordinary is when you listen to train manufacturers and operators, and they openly admit that a lot of operators don’t know what is installed on their train,” says RazorSecure executive chairman, Mr Robert Brown. “They might know 90% of it, but 10% they don’t know. With cybersecurity, unless you know what assets you’re trying to protect, how do you protect them? I think that is really quite a glaring example of how the industry needs to catch up.”
The way this can pose added risks are varied and numerous. RazorSecure has seen multiple instances where devices lack basic passwords or encryption, and there have also been instances where protected devices have been openly available for sale on Ebay. This can pose a major security risk as hackers can use these to decompile the inbuilt software that will allow them to discover vulnerabilities or loopholes to enable future attacks.
One of the most important digital systems currently under development across the railway industry is the Future Railway Mobile Communication System (FRMCS), a successor to GSM-R that will provide wireless train radio voice applications and ETCS data communication between the train and the network.
While GSM-R is a 2G-based system, FRMCS is an IP-based system that will use 5G. “We all know that IP is a good entry door for cyberattacks, unfortunately,” says Mr Jean-Michel Evanghelou, head of telecoms at the International Union of Railways (UIC), which is leading the FRMCS project.
The most likely threat against FRMCS is a Denial-of-Service (DoS) attack, Evanghelou says. A DoS is designed to shut down a machine or network, making it inaccessible to its intended users. This is usually achieved by flooding the target with traffic, or sending it information that triggers a crash. While this is not likely to affect the safety of the railway due to the failsafe systems in place, it would more than likely result in a lack of service.
In order to protect against this, the UIC is looking to bake countermeasures into FRMCS. As part of the technological jump from 2G to 5G, a new Telecom On-Board Architecture (Toba) is being developed to manage telecommunication between the train and the network. “In the design of Toba, particularly speaking of FRMCS, we will have some level of cybersecurity protection,” Evanghelou says. “And we are starting to decide what kind of protection level we will put into the system.
“What we are looking at is having a double layer of protection, not only protection at the communication layer, which is very important, but also additional protection at the application layer, the objective being that when we start to put the first FRMCS products in place that these products are embedded with these levels of protection.”
Evanghelou explains that it is always more difficult to add protection to an existing system than to design one with protection embedded from the start, which is why the development of the FRMCS standard has come at a critical time.
This is not to say that GSM-R is not secure, despite cybersecurity not being a major topic of concern when it was developed around 2000. In fact, the system’s core basic design means it is less impregnable than newer IP-based systems with the biggest vulnerability coming from the IP-based networks it connects with.
“There is always a weakness point when you introduce GSM-R into the IP network of a company,” Evanghelou says. “The good thing now is that the work we are doing with FRMCS will be applied to the existing GSM-R network. What we are being pushed to look at for the future for FRMCS has also pushed us to increase the level of protection of GSM-R.”
A number of suppliers across the industry are working with the UIC on the development of FRMCS, including the cybersecurity development. For this, Cyber Supply Chain Risk Management (C-SCRM) is critical, especially for those suppliers providing technology that is safety critical in nature or involves proprietary information.
“Managing the risks associated with the supply chain requires suppliers to adhere to standards and best practices and participate in vulnerability testing with proof of successful defence mechanisms including attack sensing and warning,” says Mr Ruben Peña, director, government surface transportation at Ensco Rail.
“The good thing now is that the work we are doing with FRMCS will be applied to the existing GSM-R network.”Jean-Michel Evanghelou, head of telecoms at the International Union of Railways (UIC)
“Appropriate incident response measures must be in place throughout the supply chain to contain the problem, communicate effectively with internal and external customers, conduct the necessary forensics, and ultimately determine the root cause and preventative action.”
The way a security flaw can propagate through the supply chain was highlighted by a collection of vulnerabilities called Ripple20. The 19 hackable bugs were identified by Israeli security firm JSOF in code sold by a small Ohio-based company called Treck, which provides software used in IoT devices. JSOF found that a piece of code carrying the bug, which was designed to handle the ubiquitous TCP-IP protocol that connects the device to networks and the internet, was installed in devices from more than 10 different manufacturers, including HP, Intel, Caterpillar and Schneider Electric.
Rail is exposed because the affected devices range from power supply systems in data centres to the programmable logic controllers used in power grids and manufacturing.
JSOF began contacting the affected manufacturers in February. Schneider Electric put out a security bulletin on June 16, followed by a security notification on June 23 and a subsequent patch for some of the vulnerabilities.
“Customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from possible exploitation of these vulnerabilities,” the security notification says. “Where appropriate, this includes locating their industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorised access; preventing mission-critical systems and devices from being accessed from outside networks; and following remediation and general security recommendations.”
With the risk of not taking cybersecurity seriously seemingly so obvious and costly, it would appear logical to embed the highest level of protection possible into systems and fleets. But Brown says it comes down to a simple calculation: money.
With existing fleets, the operator may not have the funding available to install a new cybersecurity system across its trains while with new orders, it depends on whether the company placing the order has included it as a condition when writing the specifications. Building cybersecurity into the fleet may increase the attractiveness of a bid, but it could also add in major new costs that could result in a lower cost competitor providing less security if it is not specified specifically by the tender.
Brown also points out that there is currently a gap between the tenders and specifications being written now, which generally include cybersecurity, and new trains being delivered that may have been tendered five years ago when cybersecurity was less of a concern. During a recent cybersecurity summit in London, a group of cybersecurity experts demonstrated how they were able to expose the vulnerabilities of a control system of a train that had recently been delivered.
“They were able to gain access to the Train Control and Management System (TCMS) and essentially had full privileged access, including to the braking system,” Cowan says. The hackers were also able to demonstrate how they could use the access to one train to then gain access to another train’s TCMS. “There is potentially a very serious event that could occur as a result,” Cowan continues. “They’re not saying that people are in that system today, but they demonstrated that it could be done on a live train that is out running around Britain today.”
Standards to protect against this have already been introduced for some sectors of the industry, including the United States’ National Institute of Standards and Technology (NIST) SP 800-171 as well as accreditation with the International Organisation for Standardisation/International Electrotechnical Commission (ISO/IEC) 27001 standard. Other standards such as the Cenelec TS50701 Cyber Security Technical Specification for the EU rail industry will be published in June 2021. This will help to standardise cybersecurity requirements for rolling stock, signalling and infrastructure, and is designed to become an EN standard that will be used globally.
Washington Metropolitan Area Transit Authority’s (WMATA) senior director of cybersecurity and chief information security officer (CISO), Mr Kyle Malo, says meeting these standards will soon become a requirement, meaning suppliers should look to conform now.
Malo, who was previously CISO at the FBI, says there are two ways a hacker can use the supply chain to compromise a railway. The first is through intentional interference in the supply chain, in order to compromise products and embed sleeper malware than can be activated once these components have been installed. The second is through exploiting simple weaknesses that have not been identified and fixed.
“I don’t think it’s an impossible task. I think it just requires a lot more effort and dedication in order to get there.”Alex Cowan
“The result is the same for us, and that is compromise,” Malo says. “I’m worried about customer safety, I’m worried about our customer’s personal information and their credit card information, and obviously reputation. The conversation I have within our organisation is what happens the day after a cyberattack, what happens to our ridership levels, what does that mean to our revenue.”
This also has major follow-on implications for a supplier if their products are found to be the source of the breach.
“If I’m going to follow a NIST framework and I have to certify that in order to get hundreds of millions of dollars in federal funding, I can tell you that things like the supply chain and how we secure the technology we’re buying is not just something we like to do, it’s now something that we have to do,” Malo says.
Rail is not alone in its fight against cyberattacks, and it is one area where it can look to build partnerships with both the private and public sectors to share information, learn from previous attacks and gain an early understanding of how it could be at risk from future attacks.
Looking at the state of the industry and the wide range of risks posed, the task of protecting the entire rail sector might seem daunting and unachievable. Cowan disagrees.“I don’t think it’s too big, and I don’t think it can be too big,” he says. “There’s a long way to go, and there’s a mix of challenges. In terms of actually delivering and securing the entire rail industry, there are still many years of work ahead. But I don’t think it’s an impossible task. I think it just requires a lot more effort and dedication in order to get there. I think the industry will get there, it’s just a question of timing and money.”
Keeping operational technology secure
WITH critical infrastructure such as rail coming under increased pressure, the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recommends developing an OT resilience plan that allows organisations to:
- immediately disconnect systems from the internet that do not need internet connectivity for safe and reliable operations, and ensure that compensating controls are in place where connectivity cannot be removed
- plan for continued manual operation should the Industrial Control Systems (ICS) become unavailable or need to be deactivated due to hostile takeover
- remove additional functionality that could induce risk and attack surface area
- identify system and operational dependencies
- restore OT devices and services in a timely manner, and assign roles and responsibilities for OT network and device restoration
- back-up “gold copy” resources such as firmware, software, service contracts, product licenses, product keys and configuration information, and verify that all gold copy resources are stored off-network and store at least one copy in a locked tamperproof environment such as a locked safe, and
- test and validate data backups and processes in the event of data loss due to malicious cyber activity.
Before an incident, organisations should develop a well-exercised incident response plan:
- conduct a table top exercise, including executive personnel, to test the existing incident response plan
- include public affairs and legal teams in the exercise in addition to IT, OT, and executive management
- discuss key decision points in the response plan and identify who has the authority to make key decisions under what circumstances, and
- partner with third parties for support, and review service contracts and government services for emergency incident response and recovery support.