March 2016
By Tom Poulsen

With the Internet enabling an increasingly connected world and digital systems controlling ever more essential and interconnected operations, protecting trains from cyber-attack is a challenging task. Becoming knowledgeable about the threats to rail systems, as well as achieving a good understanding of all cyber assets and data flows, is essential for protecting the complex and safety-certified systems in the rail industry from cyber-attacks.

In late 2014, a steel mill in Germany suffered massive damage as the result of a cyber-attack that required advanced hacking skills, applied industrial control knowledge and endurance. No one has claimed responsibility for the attack, and the lack of attribution and a clear objective underscore two important facts: cybersecurity threats are very real, and anyone can become a target without apparent reason. Unless you have experienced a serious security incident first hand, it is easy to believe such attacks only happen to someone else. But this incident is only one of many examples of successful cyber-attacks on industrial automation and control systems that have been recorded since 2010, when reports surfaced that the Stuxnet computer virus had targeted Iranian nuclear facilities.

Not experiencing such an incident, however, does not mean your systems haven't been compromised. According to a 2014 report from KPMG, it is more likely than not that information is being exfiltrated by malware from your office networks without your knowledge. KPMG studied 14 companies and found that data was actively stolen from 10 of them without their knowledge.

Protecting trains from cyber-attacks can be an even more challenging task, as there are control systems collaborating on many levels and in different geographic locations. Train systems include SCADA applications controlling the power and the track side of things, and they usually involve long distances and complex interlocking scenarios with multiple operators. There are also onboard applications controlling the train, local infotainment systems, and train-to-track applications that push data from the train to centralized applications, or pull data for local processing.
All railway operational applications are safety-classified, which means they are type tested very carefully in the factory and then locked down. Considering the nature of cyber-attacks — which is finding and exploiting weaknesses in all designs — safety-certified solutions are actually welcome targets, because they are not allowed to change without a rigorous re-certification process. Any identified weakness in one system, therefore, is likely to exist in other systems of the same type.

So how do you protect complex and safety-certified systems from cyber-attacks? Cybersecurity standardization efforts are one option that is just beginning to bear fruit. However, standardizing cyber protection is not without peril.

Security-related standards have been around for decades now, but the critical infrastructure (operational technology) domain had been largely spared from cyber incidents. Stuxnet was the compelling event that made the domain start paying attention. Standards regarding cyber security for all industries, including rail, are emerging from an impressive number of already existing security standards. These are specifically designed to help asset owners improve rail security throughout the system lifecycle by providing guidance and a requirements framework for manufacturers, integrators and owners. As a result, security-related certifications have been developed to measure compliance with standards, but as NERC-CIP has already proven for utilities in North America, compliance and security are not the same thing. In fact, compliance may, in the worst case, lead to a weakened security posture because of the intrinsic constraints the certifications imply. It is only possible to certify what you know, and after a specific requirement has been approved, the realization of that requirement cannot change without a re-certification. This is a very static and inflexible approach as a response to something that is both unknown to some degree and rapidly changing.
At the same time, industries need metrics to know if they are going in the right direction and doing the right thing.
To really put up a good fight and protect the cyber-physical assets that represent our critical infrastructure, we all need to understand, appreciate and team up against the cyber threats, instead of negotiating the security posture. We are all interested in keeping the trains on track!

Asset owners must step up and invest in cyber security knowledge and skills rather than depending on security certification. A certificate will never replace a security program, and a well-working security program will soon improve the assets and security architecture well beyond the certificate. An adequate cyber security posture is not a one-off; it is hard and dedicated work done by the collaborative effort of security professionals and system engineers (which of course can be the same persons).

Vendors must stop submitting compliance to security requirements they don't understand, and start investing in cyber security knowledge and skills as well. Acquiring such knowledge will help them develop products and solutions that are protected by maintainable security controls that actually make sense in the context in which they are deployed, rather than checking off a technical feature on some list. In order to play our part in meeting the ever-changing cyber threats, Westermo has equipped all WeOS routing switches with cyber defenses that increase the overall security posture of the systems they are deployed on: filtering (firewall), network segmentation, network-to-network protection, intrusion detection and spoofing protection are built into each device. But not even the most advanced cyber protections will maintain their effectiveness over time unless tended to by trained personnel. An effective and sustainable cyber security posture requires people, dedication and skills in addition to technology. Here are some of the areas of knowledge we believe contribute to a sustainable cyber security approach for rail systems.

Cyber assets and data flows.
All effective cyber security architectures require an absolute understanding of the involved cyber assets and how they communicate with each other. This is usually reasonably simple for safety-classified systems and topologies, as they have to be very deterministic. It is not as easy for non-safety-classified systems. However, since data is being exchanged between safety- and non-safety-classified systems, attacks can be propagated through the less known and less deterministic non-safety-classified systems.

Perimeter protection. Looking at the installed base and the legacy systems already in operation, it may be difficult to create a reliable inventory of all cyber assets and the data being exchanged between them. Finding system perimeters — for example, the boundaries of a single safety system — is often a good start, because data exchanged at the boundary is often easier to identify. Also, given the nature of common malware today, controlling egress or outbound traffic is another aspect of perimeter protection. Unusual outbound traffic is a significant indicator of intrusion, because most malware creates distinct signatures on the network as it either tries to call home or tries to propagate through network-exploitable vulnerabilities on other assets.

Network segregation. Similar to the perimeter protection concept, network segregation implements two layers of defense by 1) only allowing approved traffic, and 2) reporting all other traffic to an intrusion-detection system. Even non-safety-certified systems are deterministic enough to allow detection of suspicious network activities.

Network-to-network protection. Looking at track-side and train-to-track applications, data is often transmitted between physical security zones and sometimes over media controlled by third parties. Unless the data is protected before leaving one physical security zone, like a control room, it can be intercepted and tampered with — even safety-classified data.
Protecting this data in transit is critical to assured operation. All routing WeOS devices, for example, have the capability to create secure channels between themselves and another capable device. The secure channels provide strong logical protection comparable with physical security, and support other security applications like perimeter protection and network segregation over the secure channel.

Physical protection from spoofing. Many cyber-physical control systems are complex and geographically distributed, with many physically exposed cyber assets like network devices. Unless properly protected, an attacker can gain physical access to a network device in the field and stage advanced attacks against the control system itself or against field devices. The attacker does this by masquerading as an existing device in an activity called "spoofing." Port-based access control can protect network devices from spoofing. Devices connecting physically to a WeOS switch, for example, must provide valid credentials to be allowed onto the network. Without the correct credentials, the connecting device cannot access the network or any cyber assets, which effectively mitigates all physically based network attacks.

Intrusion detection. Network devices that integrate well with existing intrusion detection systems, like security information and event management systems (SIEMs), allow known and approved traffic and activities to occur during normal operation. But known bad traffic or activities — or unknown activity — can be reported as suspicious. The KPMG report mentioned earlier is a strong indication that traditional, best-practice cyber defenses — anti-virus protection, perimeter firewalls and network intrusion detection systems based on signatures — are easily circumvented. That report also points to the need for organizational readiness, so action can be taken when malicious code is detected.
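The perimeter-protection and network-segregation ideas above (allow only inventoried flows, report everything else, and treat traffic leaving the zone as an intrusion indicator) can be expressed as a small allow-list flow monitor. This is an added example, not code from the article or from Westermo/WeOS; the zone addresses, the approved-flow inventory and the sample flow records are all constructed.

```python
# Added example (not from the article or from Westermo/WeOS): allow-list flow
# monitor for one deterministic control zone. All addresses, the inventory and
# the flow records below are constructed for illustration.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Approved flows for the zone: (src, dst, proto, dst port). In practice this
# table is derived from the cyber-asset and data-flow inventory.
APPROVED_FLOWS = {
    ("10.10.1.10", "10.10.1.20", "tcp", 502),  # interlocking -> object controller
    ("10.10.1.20", "10.10.1.10", "tcp", 502),  # reply direction
    ("10.10.1.10", "10.10.2.5", "udp", 514),   # interlocking -> syslog/SIEM collector
}
# Address ranges that make up the zone; any other destination is outside it.
ZONE_NETWORKS = [ipaddress.ip_network("10.10.1.0/24"),
                 ipaddress.ip_network("10.10.2.0/24")]

def in_zone(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ZONE_NETWORKS)

def classify(flow):
    """'approved' if in the inventory, 'egress' if it leaves the zone, else 'unapproved'."""
    if (flow.src, flow.dst, flow.proto, flow.dport) in APPROVED_FLOWS:
        return "approved"
    if in_zone(flow.src) and not in_zone(flow.dst):
        return "egress"
    return "unapproved"

def parse_flow(line):
    """Parse one constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def monitor(lines):
    """Return (verdict, flow) pairs that should be reported to the IDS/SIEM."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "approved":
            alerts.append((verdict, flow))
    return alerts

SAMPLE_FLOWS = [  # constructed records, one flow per line
    "10.10.1.10 10.10.1.20 tcp 502",
    "10.10.1.10 10.10.2.5 udp 514",
    "10.10.1.20 10.10.1.10 tcp 22",     # SSH between field devices: not in inventory
    "10.10.1.20 198.51.100.7 tcp 443",  # object controller calling out of the zone
]
```

Running `monitor(SAMPLE_FLOWS)` reports the two flows that are not in the inventory; the one leaving the zone is flagged separately as egress, which is the "call home" signature the text describes.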
A good understanding of all cyber assets and how they exchange data with each other is a foundation for protecting the complex systems on which the rail industry depends.

Tom Poulsen is Director of Rail Vertical – Americas for Westermo, a maker of Ethernet infrastructure solutions and network devices for trains, trackside, building automation and more. Westermo's WeOS software provides a suite of Internet Protocol (IP) networking standards that allow resilient and flexible networks to be created, as well as multiple layers of security to provide protection against cyber-attacks at the network edge.