Shift5, an advanced-technology company that sprung from the United States Department of Defense, has established a firm foothold in the U.S. railway industry.
Shift5 says its mission “is to make the world’s fleets smarter and safer. Shift5 is a product company that deploys hardware and software onto civilian and military platforms—from rail and aircraft to maritime, space, and weapons systems. U.S. railways are turning to Shift5’s freight and transit security solution for continuous monitoring of railway vulnerabilities, a rules engine that generates alerts automatically, and work packages that enable rail cybersecurity analysts to address threats immediately. Detection and responsive management of cyber health results in long-term savings.”
Shift5 CEO and Co-founder Josh Lospinoso and President, Chief Growth Officer and Co-Founder Michael Weigand discussed the company’s applications for freight and passenger rail in the areas of mechanical reliability and cybersecurity with MidRail LLC Chairman Gil Lamphere and Railway Age Editor-in-Chief William C. Vantuono.
“We came out of the Department of Defense, where Josh, our co-founder James Correnti (Chief Technology Officer and Vice President of Engineering) and I all served as cyber officers,” says Weigand. “The company was originally formed to help the DOD defend weapons platforms from cyberattack.
Over time, we quickly learned that ground combat vehicles and transportation systems like railroads have a lot in common, when you peel back the skin and you look under the hood at the control systems. We realized that there was applicability for our data acquisition edge computing and cyber monitoring solutions to solve safety and security problems in the commercial transportation market. We could do this efficiently and bring additional value to customers by leveraging data in ways that we’re still exploring and expanding with our rail customers today.”
“We realized that many of the systems that underpin modern society—critical infrastructure, commercial airplanes, locomotives, heavy equipment—have been around for a long time,” adds Lospinoso. “Over time, there have been incremental advances. One of the most important has been replacing analog components with digital components, because it makes economic sense. Heavy assets, like a locomotive or a military weapons system, are networks of computers, though they may not look like it at first blush. We started looking at these things through a couple of lenses. One of them is the cybersecurity properties. Then there’s the push toward autonomous operation of these assets.”
The objective is using data to solve operational and mechanical problems as well as provide protection from cyberattacks. “There’s a real frontier here for the locomotive industry, as well as other industries, to be able to leverage this data to be smarter and safer,” notes Lospinoso.
Cybersecurity, says Gil Lamphere, “has risen to be number one on the ESG (Environmental, Social and Corporate Governance) list. You have to have military-grade cybersecurity and sensibilities about protecting your own cyber software and hardware. That has been a sore point in the data industry. Mobility is next, it’s Cyber 2.1, if you will. But back in 1987, we realized that mechanical was the critical component to reliable service. It was the S in PSR. It was the scheduling and the service reliability that would enable railroads to grow. Now, we’ve come full circle where mechanical again is going to be critical. And that’s where next-generation technology in this area is going to provide us with mechanical data we need to deliver reliable service. That’s the future of railroading. There’s opportunity with the cybersecurity issues, but also on the operational issues. We’re talking about billions of dollars of market value for the industry based on the savings and on the reliability factors that can be achieved through preventive maintenance, which the Shift5 electronics unlock.”
“When Shift5 talks about cybersecurity, we consider cybersecurity of operational technology, of the assets that are actually out in the field—locomotives, powered cars,” says Weigand. “Those are the things we think have been overlooked by the security community when it comes to cyber conversation within the rail industry and other commercial industries. Candidly, the impacts that can be wrought by a motivated and sophisticated attacker against our operational technology assets are devastating. We think about the control systems and the fact that they are tightly coupled with things like acceleration. In some cases, electronic braking is computer controlled on locomotives. Prime-movers are entirely computer controlled. What used to be mechanical overspeed governors are controlled by onboard firmware that can be manipulated. If an attacker were to somehow change that onboard configuration, they could, for example, overspeed a prime-mover. Most mechanical people can envision that, because a lot of them with enough experience have seen it—rods blowing off, a fire in the engine compartment.
“Today, the likelihood and the accessibility are significantly higher and growing every day. And that’s the message that we bring from our DOD experience. We see that as the industry has continued to leverage telematics, to instrument and build connectivity as our global supply chain has become increasingly complex and interdependent, there are easier access factors that now enable a relatively small but motivated adversary to mess with the onboard software and firmware across entire fleets.”
Taking that to the train control level with PTC, there is the possibility of hacking into a PTC system and disrupting how it operates, even though it’s supposed to fail safely. “Cyberattack vulnerabilities are derived from those systems on a locomotive or powered car, which are software-controlled,” says Lospinoso. “If an attacker is able to run code or give instructions to one of these systems that’s electronically controlled, that’s where the concern comes in”
PTC, says Lospinoso, “is a tremendous system that has a lot of potential, not only for solving really critical safety problems, but also a for supporting a wide range of possible use cases. But PTC is underpinned by software, and its components communicate over digital data buses. An attacker could potentially inject malicious traffic into a PTC communications channel and take over a component. From there, it’s really just the limits of their imagination. They have control of the system. Could they tell the operator that everything’s fine when it’s really not, and then create some sort of really unsafe condition? Could you erroneously cause PTC to stop a locomotive in a tunnel and created a dangerous environment for the crew, or to passengers?”
Real-Time Status Monitoring
Modern locomotives today have been instrumented with telematics that can provide real-time health status with tracking. “These are provided by a number of OEMs and third parties,” says Weigand. “They communicate from the locomotives through a variety of communications channels. That’s an area for research, and a conversation that operators need to have with suppliers. Traction motor controllers, engine control units, man-machine interfaces, cab display units: All have a role in making the vehicle do what it’s supposed to do and operate in a safe manner. Ancillary systems as well play a key role: AESS systems, HEP. All these ancillary devices that can be used to degrade, deny, or in some cases disable the ability for a locomotive to accomplish its assigned task.
“There’s a common theme, which is that operators and owners of these locomotive assets have an observability problem,” adds Lospiniso. “These digital components are generating so much data, but we’re just not collecting it. We’re not looking at that data and using it for operational efficiencies to make maintenance smarter so that we can live up to the tenants of PSR, or in the new frontier of cybersecurity, looking at that data and seeing if there is attacker? Is somebody mucking with these systems so that they’re trying to degrade or destroy or deny that system from use? All of these problems are part of one broader class, which is observability. You need to get on these systems with full-take data recorders that tap into the nervous systems on locomotives and powered cars and pull it all back so you can make sense of it. You can run smarter and you can run safer.”
For PSR, locomotive availability and reliability are key. Lamphere stresses that locomotive cannot run to failure, because the whole system breaks down.
“Right now in PSR, we are matching the horsepower of the locomotives in the consist with grade and other considerations to the weight that’s trailing it,” he says. “And we’ve got those pretty well matched up now for fuel reasons, crew reasons. And we run those things on a balance-continuous basis. Everything’s in continual motion. When you have a unplanned locomotive failure, the train consist has to limp into a siding and cut the cars, cut the locomotive, and then continue on its way. Meanwhile, you’ve backed up, in a dense area, maybe 25 trains. You hope there’s a siding there, because the trains have to pass each other. And when you combine it with flooding, snowstorms, freezing, a derailment or any sort of calamity—or just the pickup of economic demand and the railroads throwing more assets into a congested system—you’ve got a real problem with PSR.
“Somewhere along the line, somebody said, ‘Hey, I can save a lot of money by running the locomotives to failure, because I don’t have to pick up the extra insurance policy bringing them in early and making sure they don’t go out with a part that is not reasonably likely to make it to the next 90-day inspection period. And I’m not going to self-insure on that one.’ That person is probably right. You save money—except your entire PSR system breaks down. I’ve done some quick calculations of what the cost is of backing up the system and what it means, and it’s $3 billion or $4 billion of market value to a single railroad, not to mention what it means in terms of customer reliability, not being able to market new, reliable service to the customer.
“What Shift5’s talking about is when you bring them in for repair, you know what’s going on with those mechanical parts. You know exactly what to tackle when that locomotive comes in. And when the locomotive goes out, because you’ve had that precision, hopefully the availability index is met at 93% or whatever the target is for the railroad, but it’s going out with a quality assurance label put on it. We’ve done some preliminary numbers about the savings that would occur in productivity and overtime. If you can bring up the reliability index, we’re talking $1.5-$2 billion of market value to a typical railroad that might have 5,000 locomotives. It’s a huge number, and it doesn’t count the costs of having unplanned line-of-road maintenance failures. Those can add up to another couple billion dollars. We can talk concepts all we want, but people need to understand that you can translate cost savings of avoiding unplanned failures into the multi-billion-dollar range of market value. The CEOs and the boards of directors need to realize that this is an important area, one overlooked in PSR, and now it has come full circle. You’ve got to bring it to that level to get that attention, because otherwise it doesn’t move the needle. And you’ve just got to move the needle.
When Shift5 starts working with a railroad customer, “we sit down with all of the stakeholders: operations maintenance, executive, all the way down to the line maintainers, and the essential maintenance facilities. What are the problems they’re seeking to fix?” says Weigand “We understand the security ones, because we’re generally able to inform that situation, but we also seek to understand the operations and maintenance efficiencies that can be picked up and gained as we tailor where our solution taps into. Then we look at the locomotives and do a system decomposition, looking at all of the onboard electronics, anything that has any silicon in it. We also look at some of the older analog systems that interact with digitized systems, and we put them into several bins or classifications—PTC, telematics nand control systems, which are typically safety critical, and ancillary systems. Then we step back and we ask ourselves, how could an adversary pivot malware, whether itd firmware software or some type of hardware device that would be swapped out during a routine maintenance that would have some type of embedded code, maybe even a special chip, like an FPGA (field-programmable gate array). How could they get that onboard?
“We like to separate things into those bins because we find that there are common cyber themes when it comes to the access factor. That is the way that an attacker gets malware on board. We use the DOD terminology—“deny, degrade, disrupt, deceive, or destroy.” Sometimes, manipulating systems is actually the most damaging, because you can have a manipulative cyberattack that is causing an operational impact that manifests itself as some type of transient condition that would be chalked up to environmental. The key problem in the rail industry right now is this inability to sense. We can’t always tell if anything is good. We have little ability to do configuration management, to sense that we have clean firmware and code on board.”
“We know that a Class I locomotive has been hacked successfully,” says Lospinoso. “But for several thousand dollars, it takes us three hours and we can ensure cybersecurity on that locomotive. We can make sure that it’s cybersecure, and we know our cybersecurity algorithms are secure. Do the math: On 5,000 locomotives, you could hook that up for about $20 million. And remember, a locomotive costs $100,000 annually to maintain. This a one-time charge, $20 million for military-grade, state-of-the-art equipment, and it takes us three hours per locomotive.
“For $80 million or thereabouts, you can fix the whole problem,” says Lamphere. “And you can fix it beginning tomorrow. My challenge to the industry is to say, ‘Okay Gil, I’m going to take your numbers at 10% productivity, and I’m going to take your numbers of reducing 15% overtime assumption. And I’m going to attack your assumptions on the ratio of parts, the labor, in a $100,000 per year for locomotive. And I’m going to look at improving availability by 2%. When I add it all up, I’m going to challenge your labor rate. I’m going to challenge your billion and a half value just on those, not to mention, say a couple hundred million dollars of cost savings because of the unplanned big breakdowns.’ When you tax adjust those, and when multiply them by 27, I’m coming out with $5 billion for a single railroad. But you do the math and see if we aren’t in sort of the same ballpark—but you can be off by quite a number and still make this worthwhile. And you can do it for a relatively small amount of money.”
“It’s worth considering where the railroads want to go,” says Weigand. “Take some of the lessons learned from PTC, the incredible expense that came about from legislation following an awful accident. And it’s taken more than a decade for the industry to implement this technology. We still see some challenges of interoperability, of delays caused by the system malfunctioning. The railroads are looking to recover their PTC investment. And I’ve heard this described as PTC 2.0. We took a lot of this into consideration as we were building out and continue to develop our commercial products because there’s some interesting parallels with the communications paths in the DOD, which spends a lot of money building some very sophisticated communications networks. Now, each of the major railroads has done the same, and they have to keep it operational for compliance and safety reasons. Let’s take advantage of PTC 2.0 and use that unused bandwidth to provide a cyber data monitor and enhance the locomotive interface gateway, and wring as much ROI out of that PTC investment while enhancing safety and get out ahead of this before something happens to that results in another major tax on the industry where everybody’s in a reactionary mode.
“This is really core to Shift5’s thesis: Bring safety and security to the commercial industry, but leverage DOD investments to get ahead of the threat. Do so in a capital efficient manner where this isn’t just a tax, but an upside in cost savings and potential revenue-generating opportunities. We’re exploring those with our current customers.”
“We’re really excited supporting the next generation of professionals that get into railroading,” says Lamphere. “Young folks with degrees in computer science and statistics come to work for a railroad, and they’re able to take rich, incredibly granular data and solve complicated problems because they work with the railroaders, the experts in the industry, the people who have decades of experience and know intuitively how locomotives operate. This can have a huge impact on the bottom line and on the customer experience. It’s not that we have to develop the technology. We don’t have to train a lot of people. We can do it now. Most things in railroading are complex and take a long time. We’ll hook up five of your locomotives and show you everything in the period of three or four months. This can happen today. And that runs my motor.”