Railroads focus on cybersecurity threats created — often unintentionally — by employees, software vendors

By Daniel Niepow, Associate Editor

As railroaders work to secure their growing network of digital assets, they'll need to keep a close eye on several key threats, including risks posed by their own employees and software vendors, information technology (IT) execs say. With access to a range of confidential information, employees can compromise the security of railroads' numerous systems and databases — whether they intend to or not.

Last year, insider abuse of data led to nearly 10,500 "security incidents" — that is, any event that compromised the integrity, confidentiality or availability of an information asset, according to Verizon Enterprise Solutions’ 2016 Data Breach Investigations Report. The report, which examined more than 100,000 security incidents across several industries, also found that about 11,300 cases stemmed from "unintentional actions," such as employees sending emails or documents to wrong recipients.

The American Public Transportation Association (APTA) also highlighted internal threats in its report on securing control and communications systems.

"The disgruntled insider is a principal source of computer crime," APTA's report states. "Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data."

To mount a better defense against insider threats, rail leaders are exploring a number of cybersecurity strategies, which range from establishing better password protocols to conducting more rigorous background checks of new employees. They're also striving to keep their employees abreast of any new cybersecurity threats through continued training and awareness programs.

Spreading awareness

For CN, bolstering cybersecurity ultimately is a "people process," says Vice President and Chief Information Officer Serge Leduc.

"You could have invested in the best technology, but if you have not raised the awareness level at the right place within your organization, you can be a victim," he says. "Technology is not the answer to everything."

CN’s Corporate Information Security Unit (CISU) is one way the railroad promotes cybersecurity awareness among all its employees. The group’s "information security awareness campaign" aims to keep CN workers up to date on various cyber attacks, as well as ways to avoid them. In addition, the CISU is responsible for developing policies and standards, conducting risk assessments, and carrying out incident responses and investigations.

Amtrak IT execs also provide continuous training for staff on the latest attacks and techniques, said Chief Information Security Officer Ron Baklarz in an email.

"We monitor many open source intelligence sources on a daily basis to keep abreast of new and emergent issues," he said.

Meanwhile, CN carefully monitors its dealings with third-party software distributors. Many vulnerabilities in the cybersecurity realm stem from companies working with third parties, Leduc says.

"We’re making sure we have some checks and controls with the external suppliers," he adds.

Public transportation agencies also need to do their due diligence when vetting third-party vendors, says David Hahn, APTA's senior program manager of safety and security. It's especially important as agencies begin introducing mobile ticketing apps, which often are built by outside companies.

As part of their investigations into any new vendors, transit agencies should take the time to find out if the companies have ever been hacked, and if so, how they responded, Hahn says.

Cybersecurity firm LGS Innovations LLC advises its clients to keep close tabs on software provided by third parties, as well. If the developers who built those programs have ulterior motives, they could provide a "backdoor" into a railroad's computer systems, says LGS Innovations Chief Executive Officer Kevin Kelly.

"If you think about the railroad industry, it's not unlike most large industries these days. They're using dozens if not hundreds — some of them even thousands — of different applications that are developed in the commercial market," Kelly says. "Every time you have a group of software developers, you're subject to whatever disciplines they had while developing their own systems. … You have to make a leap of faith that they've provided a system that is sufficient in protecting your data as you employ it in your network."

So, LGS provides a service known as CodeGuardian™, which is designed to remove vulnerabilities or malware in third-party systems.

In March, LGS announced the completion of a comprehensive cybersecurity risk assessment contract with Railinc Corp., marking the cybersecurity firm's first rail industry client. As part of the contract, LGS analyzed the company’s internal and external cybersecurity operations and processes. The project allowed Railinc, a wholly owned subsidiary of the Association of American Railroads, to "validate the cybersecurity framework that governs its business and customer relationships," LGS officials said in a press release.

Working together

Establishing benchmarks with other industries also plays a part in some railroads' cybersecurity strategies. For example, CN shares information with the Canadian Cyber Threat Exchange, which is a non-for-profit organization aimed at helping businesses, governments and research institutions defend against cyber attacks. And, at various conferences and seminars, the Class I meets with IT leaders across several industries to get a better view of the current cybersecurity landscape.

It's a similar refrain at public transit agencies.

"Public transit is probably at the forefront with sharing information across the sector," APTA's Hahn says. "If you look at other critical sectors — such as the chemical sector or the financial sector — they're not as transparent. Transit is really tackling this head-on."

Whether railroads develop cybersecurity strategies on their own or with partners, it's crucial they take the time to examine threats posed by seemingly harmless situations — even something as simple as a handwritten password on an employee's desk.

"Most cyber vulnerabilities are created completely unintentionally," LGS' Kelly says. "It's not the Hollywood version of the dark room hacker that breaks into these devices."