Let’s Face It: We’re VulnerableWritten by William C. Vantuono, Editor-in-Chief
RAILWAY AGE MARCH 2022 ISSUE: Cyberattacks are a serious threat that must be faced.
In December 2021, the United States Transportation Security Administration deployed a Security Directive that shined a spotlight on rail cybersecurity following a series of cyberattacks around the globe. The TSA regulations took effect Dec. 31, and rail operators across the U.S. are facing looming deadlines. But achieving compliance across the four required TSA mandates isn’t a quick fix, and the regulations spark additional questions: Why is the federal government rapidly getting involved in rail cybersecurity? What kind of cyberattacks are now targeting rail systems and rolling stock, and what’s next? Are the rail cybersecurity measures in place sufficient to fend off sophisticated attacks? Are existing rail technology platforms such as PTC and onboard/wayside fault detection and health monitoring capable of supporting cybersecurity measures?
There is no question that the North American rail industry is vulnerable, as evidenced by recent attacks on OmniTRAX, CSX and the New York Metropolitan Transportation Authority. There is also no question that, given Russia’s invasion of Ukraine and known activities in cybercrime, and Vladimir Putin’s thuggish obsession with rebuilding the Soviet Union, our industry’s cyberattack protective measures must be ramped up, considerably. Those who prefer to bury their heads in the sand and pretend that this isn’t a serious problem risk being blown away from the neck down.
“The TSA is going through critical infrastructure this year trying to enshrine some sensible baselines for cybersecurity practices across these industries,” says Josh Lospinoso, CEO and Co-Founder of cybersecurity firm Shift5, which has expanded its military-grade cybersecurity systems to the transportation space. “One of the reasons they’ve had such a focus on rail is because it is such a central fixture on the critical infrastructure of the globe, moving people and goods around. With the increase of cyber physical effects that we’ve seen over the past year with Colonial Pipeline and a variety of other examples, and ransomware generally causing really significant disruptions in people’s lives, we’re seeing rail as one of the first sectors to get some attention from TSA and DHS. These sorts of regulations are a reflection of just how important the rail industry is to the functioning of modern society. The government wouldn’t be paying attention if it didn’t believe that.”
“Rail is the second of the 16 critical infrastructure sectors that TSA has gotten to,” says transportation technology and regulatory expert Scott Belcher, CEO of the Telecommunications Industry Association. “This applies to all passenger and transit rail. There’s a corollary directive recommending that all transit operations comply with the same requirements, which are straightforward. It’s that you have cybersecurity professionals available 24 hours a day, seven days a week; that you do a vulnerability assessment and response plan, and that you report incidents within 24 hours. There are some uncertainties around those requirements. But those will get worked out. We realized that, in the past year, not only does the emperor have no clothes, but nobody in the kingdom has any clothes. We are all vulnerable. We’ve seen massive incidents. In my own practice, we did a transit study a year ago, and it was a little bit surprising how unprepared and lacking in appreciation for its own cyber vulnerability the industry is. Some 70% of transit respondents said that they hadn’t had a cyberattack in the past year. That’s off-the-charts crazy, because if you look at any industry assessment that’s been done, we’re getting hit all the time. It’s our job is to manage it—not to prevent it, because it’s going to happen.”
“We’re getting intrusion attempts higher than six digits on a weekly basis,” notes Rafi Khan, Chief Information Security Officer at New Jersey Transit. “Being a critical infrastructure transit system, we are a moving target all the time. These regulations are achievable. They’re very critical in enforcing specific guidelines so that transit systems around the country are safe and secure and the ridership is protected. That’s an operations conversation for me, but it is very much about how we change the way work gets done within a secure environment because of the millions of intrusion attempts that many transit agencies are facing. How do we change, and include cybersecurity awareness and continue to deliver service in innovative ways within those boundaries so that we are protected? This requires cybersecurity leaders to be cognitive in managing business enablement, but yet, set those environments in a secure and guarded way.”
Longtime freight rail industry investor and Class I board member Gil Lamphere, Chairman of MidRail LLC, sees the big picture as “moving data to moving objects, and moving objects means there are human beings involved. The head of M16 Security Training School recently told me, ‘The past has no predictive value of the future because this is all new. What it does tell us though is that these things go creep, creep, creep, creep, creep; this has been creeping for a long time, and then it goes kaboom.’ Obviously, we have a new urgency that goes up to the CEO and board level in terms of fiduciary and governance issues. This is very, very serious. It can happen at any time. We know we’re vulnerable. There are a lot of smart people at the Class I’s dealing with it. But time is not safety’s friend. It never has been. Cybersecurity should be an enterprise risk management activity of an executive team and board. It is a fiduciary responsibility.”
“What has changed is the realization that you have to have the equivalent of military grade software,” says Lospinoso. “People who are sophisticated in the ‘dark side’ of the vulnerability spectrum know that the bar has been raised. The banks are going to realize this; the insurance companies will see this in terms of Directors & Officers liability insurance. Corporate boards are going to have to educate themselves that it’s no longer enough for the management to say, ‘I think we’ve got this covered’ or ‘We’re doing everything possible.’ We know now as experts that the bar has been raised, and you’re dealing with people in the dark spectrum. This goes right up to the board because it hits the board on fiduciary and governance issues. Obviously, that’s the responsibility of the CEO, but it’s a board discussion.”
“There are two cybersecurity frameworks in place for railway operators to plan, analyze and implement effective measures to protect their assets,” explains Marco Berger, Senior Director Solutions and Applications Management at Ribbon Communications. “The recently published CLC/TS 50701 combines data security and railway safety aspects, while the older IEC 62443 focuses on ICS (Industrial Control Systems), i.e. the rail electricity, signaling, level crossing and interlocking systems. True, most of the recently published cyberattacks used ransomware vectors, but a number of attacks that went unreported focused on the strict and highly isolated OT rail network systems.”
Ribbon’s IP Wave, says Berger, “is a comprehensive IP Optical portfolio ideal for next-generation rail networks. The portfolio meets stringent network capacity, performance, and resiliency demands while minimizing operations expense and complexity. It includes optical networking (Apollo), IP routing and packet transport (Neptune), domain orchestration (Muse), and professional services optimized to the needs of rail operators.”
“We need to think about rail system cybersecurity and other critical functions in terms of IT/OT system modernization,” Berger notes. “Critical safety and security systems connected to the telecom network include the video surveillance systems that provide facial recognition and weapons detection, as well as the signaling and control systems at crossings and telemetry systems for managing speed, acceleration and traffic. Your cybersecurity is only as good as your IT/OT systems and workforce.
“These days, rail operators rely on their communications network to support an increasingly varied and numerous set of legacy and modernized systems. There is access control, ticketing, information kiosks and display screens. There is video surveillance to monitor footfall, support facial recognition, assist in weapons detection, and provide information for crowd control. There is Wi-Fi and mobile connectivity in stations and on trains. And, of course, there are the general alarm and warning systems, signaling and control systems, telemetry systems, dispatch systems based on TETRA/Push-To-Talk technology and not least, communications-based train control (CBTC), and supervision and monitoring systems.
“Existing networks are based on TDM, SONET and SDH technologies. These have proven to be robust and reliable, but they are quickly nearing the end of their effective life cycle. Outdated networks are more expensive and difficult to maintain than newer systems and cannot support the latest, most effective cybersecurity systems.
“This is due to the evolution of and migration of large fixed and cellular telephony networks to IP and WDM-based technologies, thereby reducing the demand for TDM, SONET and SDH technology and systems components, thereby reducing production and developments in these technologies. Thus, the simple maintenance and operation of these networks become increasingly expensive and difficult.
“One of the downsides of modernization is the increased possibility of cyberattacks. Individual hackers, governments and private organizations are investing many resources in targeting, paralyzing and obstructing critical infrastructure. Utility companies, rail and air systems, energy producers and transporters, and even governments are all in the crosshairs. North America, Poland, Ukraine and the U.K. have all suffered attacks recently, and no doubt others are being planned.
“So, any telecoms infrastructure modernization has to be supported by a risk and vulnerability analysis, before implementing systems to detect and prevent cyberattacks. This requires a comprehensive multi-layered approach, vision and strategy. For example, state-of-the-art UTMs (Unified Threat Management), firewalls, encryption systems, layer one segmentation (layer 1), layers 3 to 7, and SCADA-focused network anomaly detection systems for zero-day attack prevention and detection—in other words, protection from attacks using malware to penetrate firewalls and anti-virus systems, among others.”
Shift5’s Lospinoso likens the overall approach to cybersecurity as situational awareness. “There’s a variety of terms for this,” he says. “From our perspective, for every single client we work with, we start with a cybersecurity risk assessment survey and answer, in depth, all the questions that arise. You don’t know where you need to head until you know where you are. Getting that risk assessment survey done is absolutely the best thing to do, as a start.”