Improving railroad cyber-threat resilience

Written by Dr. Mark W. Hartong, The John Hopkins University Applied Physics Laboratory
image description

Railroads are a critical component of America’s transportation infrastructure, and have been making significant investments in advanced networked computer control systems and information technologies. This has enabled the employment of new capabilities such as “Positive Train Control and “Precision Railroading” with increased operational efficiencies and improvements in safety. However, the introduction of these new technologies also results in increased organizational and system vulnerabilities to disruption arising from cyberattacks .

Cyberattacks against critical infrastructure have been increasing dramatically and have been well-reported in the press. What has not been as widely noted is that the nature of the adversary has changed. The term “advanced persistent threat” refers to an adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.[1]

The types of systems and functions being attacked have also changed. No longer are they just information technology systems supporting business functions. Attacks have expanded to industrial control systems, including safety systems, which were long thought to be “off limits.” In June 2017, hackers deployed malicious software, called “Triton,” into the safety control system of a petrochemical facility in Saudi Arabia, enabling them to take over remote control of the facility and disable the safety system. Other widely-reported public examples of successful malicious cyber based disruptions include “Stuxnet” malware, which resulted in centrifuges at an Iranian nuclear plant spinning out of control and destroying themselves, and “CrashOverride” malware, which Russian hackers used in 2016 to disable Ukraine’s power grid. The U.S. has not escaped these sorts of disruptive attacks, and the threat is ongoing. In March 2016, the U.S. Justice Department indicted seven hackers tied to the Iranian regime for staging a coordinated cyberattack that targeted 46 major U.S. financial institutions and a dam outside of New York City. In November 2016, the San Francisco Municipal Transportation Authority (SFMTA) suffered a ransomware attack, encrypting their information systems. In March 2018, the U.S. Department of Homeland Security issued Technical Alert TA18-074A on ongoing Russian cyberattacks targeting U.S. critical infrastructure.

Advanced persistent threats should not be associated just with “nation states,” such as a Russia, Iran, and North Korea. Over the last decade the knowledge needed by threat actors has dramatically decreased as tools and examples for attacks have proliferated. The skills required to attack a cyber system can be as simple as the smart use of Open Source Software (OSS) tools and knowledge gained from information freely available on the Internet coupled with malicious intent[2]. The availability of such malware targeting control systems, and the associated source code that is easily adaptable by people with relatively low programming skills, allows the creation of sophisticated attacks that can rapidly evolve. Further, the unpredictability, extreme uncertainty, and rapid evolution of potential cyber threats leave risk assessment-based cyber security efforts unable to fully address cybersecurity concerns for the systems deployed by the railroads.

The traditional approach of hardening cyber systems against identified threats has proven to be only partially effective. This is especially true in large, complex, and geographically dispersed systems deployed by the railroads. It is difficult to identify all of the critical components to protect, and it becomes increasingly expensive to harden or protect all parts of the system against all types of threats. Increasing cybersecurity of systems must change from a single strategy of prevention, which assumes that all cyberattacks can be reduced or contained (thus making the attacks unsuccessful). A new dual-strategy approach of prevention and mitigation of the impacts of successful cyberattacks by improving the resilience of systems to such attacks is required. Cyber resilience refers to the system’s ability to recover or regenerate its performance after a cyber-attack produces a degradation to its performance[3]. A fundamental assumption of cyber resiliency is that an adversary cannot always be kept out of a system or be quickly detected and removed from that system, despite the quality of the system design, functional effectiveness of the security components, and trustworthiness of the selected components.

Cyber resiliency focuses on capabilities supporting organizational missions or business functions. It maximizes the ability of organizations to complete critical or essential missions or business functions, despite an adversary presence in their systems and infrastructure threatening mission-critical systems and system components. Shifting from a focus on hardening system components to a comprehensive system recovery allows for efficient allocation of resources. It ensures that protection is implemented across all system domains and spatial components to deceive adversaries and ensure high levels of systems protection, minimizing the asymmetric advantage of cyberattacks. Cyber resilience also refocuses traditional cybersecurity measures that typically emphasize hardening, protection and prevention to more strongly concentrate on response and recovery.

Most railroad systems already have existing resilience features, methods, and requirements to counter unexpected events ranging from extreme weather to operator errors.[4] These can be evaluated, utilized wherever possible, and then expanded to provide resilience against events originating in cyberspace. In many cases, these cyber based events produce the same or similar effects, particularly when the intent is to impact the availability of a resource. Reuse of existing countermeasures is a reasonable initial approach that minimizes system rework.

However, often these countermeasures do not work properly when the originating event occurs in cyberspace, particularly if the event was intentionally designed to circumvent them, and new countermeasures may be required.

A method of evaluating cyber resilience named the Cyber Resilience Review (CRR)[5] was developed in the United States Department of Homeland Security (DHS) on the basis of the National Institute of Standards and Technology (NIST) Cybersecurity Framework[6]. The NIST framework focuses on utilizing an organization’s business processes to guide its cybersecurity activities and internalizing cybersecurity within the organization’s risk management processes. It focuses on protection and sustainment practices within key functions that typically contribute to the overall cyber resilience and is customized as needed. The NIST framework identifies five key functions of cybersecurity – identify (develop understanding of and manage risk to systems, assets, data, and capabilities), protect (develop and implement appropriate safeguards to ensure delivery of critical infrastructure services), detect (identify the occurrence of a cybersecurity event), respond (take action regarding a detected cybersecurity event), and recover (maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event).

The CRR is offered in two formats. The first is a voluntary examination of operational resilience and cyber security practices offered in a DHS facilitated workshop format or as a self-assessment package. The workshop version of the CRR is led by a DHS facilitator at a critical infrastructure facility. All information collected in a facilitated CRR is protected from disclosure by the Protected Critical Infrastructure Information Act of 2002. This information cannot be disclosed through a Freedom of Information Act request, used in civil litigation, or be used for regulatory purposes. The CRR Self-Assessment Package allows an organization to conduct an assessment without the need for DHS assistance and includes an automated data answer capture and report generation tool, a facilitation guide, comprehensive explanation of each question, and a cross reference of CRR practices to the criteria of the NIST Cybersecurity Framework.

Resilience engineering, as described in the NIST Framework, does not fully address all advanced cyber threats. The NIST framework is based on the assumptions that (1) if a disruptive event degrades functionality, the degradation will be detected; (2) responses enable functionality to be recovered; and (3) lessons learned from the experience are applicable to future preparations and responses. However, the assumption that detection is always possible is flawed. An advanced cyber threat can hide or remove evidence of activities; because stealth is intrinsic to the adversary’s plan, the adversary typically avoids creating disruption (in fact, the adversary can even take actions to improve system performance) or creates transient and minor disruptions to trick performance and intrusion detection tools into redefining “normal.” If and when the adversary directs malware to take disruptive actions (e.g., deny service, corrupt data in ways that make it useless, cause physical harm), these may be undetectable by normal means.

NIST has recognized this, and is in the process of developing a set of NIST Special Publications to help address advanced persistent threats and resilience engineering. The first of these is NIST Special Publication 800-160 Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and the second is NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems.”[7] The information in these publications can be used by railroad systems engineers and security/risk management professionals who can select, adapt, and use some or all of the cyber resiliency constructs as appropriate to the technical, operational, and threat environments.

In the long run, improving cyber security and enhancing cyber resilience can save organizations money. Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016[8]. The initial purchase and deployment of cyber resiliency capabilities can be more than the initial costs of deploying and maintaining traditional cybersecurity measures alone. However, on a lifecycle-cost basis, the avoidance of the cost of lost revenue from outages, physical and reputational damage, incident recovery, and legal liabilities compared to the cost of implementing cyber resiliency design principles and techniques is what determines whether cyber resiliency is cost effective for the railroad. If the loss from shutdown exceeds the cost of the cyber resiliency measures, then cyber resiliency is a good investment. According to the Ponemon Institute, the average cost of dealing with a cyber incident in the U.S. is approximately $21.2 million per incident, and the time to deal with malicious code is between 49 and 55 days[9].

Even if a cyber resilience-specific investment does not yield a net economic benefit to the railroad, it may still yield an economic benefit at the societal level. As a critical component of the nation’s critical infrastructure, railroads may be able to make a case[10] to local, state, and the Federal government that cyber resiliency is a worthwhile investment and that those governments should cost-share with them the investment. In the case of the Federal government, that would be the DHS and the U.S. Department of Transportation.

Finally, increasing cyber security and resilience also requires railroad decision-makers to recognize that cybersecurity involves a human dimension that is as significant as the necessary technical solutions. Railroads rely on electronic systems that are managed by people more than ever before, and with that increased reliance comes greater vulnerability. Cybersecurity and cyber resilience policies, practices, and training must extend into all elements of the railroad, not only within their railroad organization, but also to supporting vendors and contractors whose lack of preparation could be as damaging as weaknesses within the railroad.

[1] accessed 21 March 2019

[2] Publicly available tools generally fall into five categories – remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.  A RAT is a program that, once installed on a victim’s machine, allows remote administrative control.  Web shells are malicious scripts that are uploaded to a target host after an initial compromise and grant an actor remote administrative capability.  Credential stealers collect the credentials of other users logged in to a targeted machine and then reuse them to give access to other machines on a network. Lateral movement frameworks provide an attacker with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network. C2 obfuscation tools disguise the attacker’s location when compromising a target.  (source: “Joint Report on Publicly Available Hacking Tools,” National Cyber Security Centre, UK. See accessed 21 March 2019)

[3] Cyber Resilience White Paper- An Information Technology Sector Perspective, March 2017.  See accessed 22 March 2019

[4] See, for example, Transportation Research Board TRB’s E-Circular 226: Transportation System Resilience: Preparation, Recovery, and Adaptation accessed 21 March 2019

[5] There are alternative approaches to the CRR, for example the MITRE Corporation “Structured Cyber Resiliency Analysis Methodology (SCRAM).  See  accessed 21 March 2019.  SCRAM is based on MITRE’s Cyber Resiliency Engineering Framework (CREF)  See accessed 21 March 2019.  The International Standard Organization (ISO) addresses security, risk and resilience in the ISO/IEC 27000 family of standards on information security management, ISO 31000:2009, and ISO ISO/DIS 22316 guidelines for organizational resilience.

[6] accessed 21 March 2019

[7] Other guidance documents in the series are NIST Special Publication 800-160, Volume 3 “Systems Security Engineering Software Assurance Considerations for the Engineering of Trustworthy Secure Systems” planned for release in December 2019, and NIST Special Publication 800-160, Volume 4 “Systems Security Engineering Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems” planned for release in December 2020.

[8] “The Cost of Malicious Cyber Activity to the U.S. Economy,” The Council of Economic Advisers February 2018 accessed 21 March 2019

[9] 2017 Cost of Cyber Crime Study’ Ponemon Institute (1 Oct 2017) accessed 21 March 2019

[10] One methodology is Computable General Equilibrium (CGE) modeling, see Glyn Wittwer (Editor). Multi-regional Dynamic General Equilibrium Modeling of the U.S. Economy: USAGE-TERM Development and Applications. 1st ed. 2017 Edition

Mark Hartong was the Senior Scientific Technical Advisor for Railroad Electronics at the Federal Railroad Administration and is currently employed at the John Hopkins University Applied Physics Laboratory as a Cyber Systems Engineer. A registered professional engineer, he holds a B.S. in Mechanical Engineering from Iowa State University, a M.Sc. in Computer Science from the Naval Postgraduate School, and an M.Sc. in Software Engineering and a Ph.D in Information Technology from George Mason University.

Categories: Analytics, C&S, Class I, Freight, Intermodal, M/W, PTC, Regulatory, Short Lines & Regionals, Switching & Terminal Tags: