Upping the e-security ante

By Jeff Stagl, Managing Editor

Twenty minutes. That’s how quickly CSX Corp.’s email system would malfunction if the company didn’t filter emails to identify and remove viruses. How about 10 minutes? That’s how fast one of CSX’s personal computers would crash without anti-virus software.

With millions of emails pouring into and out of the company and more than 10,000 PC users uploading and downloading information each day, CSX needs to secure its electronic communications to ward off a growing number of hackers, viruses and other e-threats, which are becoming increasingly sophisticated.

“You need layers on layers of security,” says CSX Director of Information Security Mark Grant. “All it takes is one person at a McDonald’s downloading a screen saver on one of our PCs and leaving the machine on to potentially introduce a virus.”

And it isn’t just email systems and PCs that all railroads need to secure. They also have Web sites, Intranets, personal digital assistants, radio and wireless data transmissions, and other electronic devices and communications to keep watch over.

In many cases, railroads are outsourcing a portion of their information technology (IT) security to ensure they’re tapping into the latest encryption and security protocols, and protecting themselves from business disruptions and lost data.

But railroads haven’t always sought outside help or looked beyond firewalls and filtering software to ensure their e-security is as tight as it could be.

“It’s the railroad culture, the notion that they’re living in a world where they know everybody, but the world is changing,” says Lester Hightower, chief technology officer for 10East Corp., a Software as a Service (SaaS) provider to the North American railroad industry. “Railroads are realizing how Wild West-like the Internet is and developing an appreciation for securing data.”

Whether they’re relying on SaaS providers and other consultants to help boost e-security or taking on the responsibility themselves, railroads need to keep up with viruses that are multiplying daily and hackers who continually are sharing information — such as by providing hacking software that can be downloaded off the Internet — to disrupt electronic communications.

“You don’t need to be a computer expert these days to wreak havoc,” says Robert Wojciechowski, chief technology officer for SSG Innovations Inc., which provides software and electronic technologies to the rail industry, including the Express Yard™ rail-car repair and maintenance solution.

Make it a mind-set, ssg says
Railroads can lock down their electronic communications and systems if they make e-security a mind-set, not an afterthought, and are proactive, not reactive, to protecting themselves against growing threats, says SSG Director of Sales and Support Justin Gillam.

Gillam and Wojciechowski suggest railroads tap into the following, whether or not they outsource e-security:

• end-to-end encryption from the consumer of a product and provider (known as Secure Sockets Layer or SSL encryption);
• a disaster recovery plan incorporating secure backups and archives to protect against natural disasters, thievery and data loss;
• the use of service level agreements to ensure data is always available from a provider;
• compliance with Sarbanes-Oxley (a federal accounting law) to secure financial data;
• physical IT security through hardened facilities and proper access controls;
• software security through user level controls and strict validation of all data;
• the use of firewalls to shield IT infrastructure; and
• the goal of closing as many electronic points of entry as possible.

“A disaster recovery plan is important because if you lose data, it’s the same as someone stealing it,” says Gillam. “But the wrong way to do it is to back up data on the same computer.”

Data should be mirrored, run redundantly at an off-site location, he says. To ensure data compiled by SSG is backed up, the company operates two data centers.

A private matter
Backing up data is one of CSX’s goals. So is complying with Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, or HIPAA, by making sure confidential data, such as employees’ Social Security numbers and customers’ credit card numbers, is secured.

“A couple of years ago, viruses were the biggest threat,” says CSX’s Grant. “But now, we worry more about privacy concerns.”

To ensure the security of all things electronic, CSX relies on a three-pronged approach: technology (including filters and anti-virus/spam software), processes (such as how to react to breeches) and people.

“The people part is the toughest,” says Grant. “We have awareness campaigns so employees understand what our policies are, like making sure you lock your PC if you leave your desk and don’t share your passwords with others.”

Technology is a continual focus, requiring constant attention so CSX has the best security tools available, he says. For example, the railroad obtains a list each month from Microsoft of the latest PC vulnerabilities. Because workers use between 10,000 and 12,000 Microsoft PCs, CSX supervisors review the list, determine which apply to the railroad and install a patch or take other corrective action.

“It’s a race with hackers who obtain the same list and want to exploit a vulnerability,” says Grant. “But it’s difficult to coordinate installing a patch when some employees want it done at night when they’re not working and others want it done during the day.”

Back-end backer
When railroads begin using any computer with a browser these days, they immediately open the door to threats, which can affect back-end applications, such as track-control systems, says Robert Sill, president and chief executive officer of Aegis Technologies Inc.

A year ago, Aegis began marketing to freight and passenger railroads the Triton™ series of software suites. The software is designed to upgrade the security and performance of new and legacy control systems, including track-control systems.

The line includes the SCADAsafe™ point-to-point and remote security suite, which can review data coming from a controller to a “smartbox” in the field, authenticate that the information is from an intended source and provide streaming encryption for all data.

“It secures a transaction across the network and improves the throughput of transactions,” says Sill. “It doesn’t matter if you use radio or fiber or microwave. It’s all about security, authenticity and encryption.”

It’s also about data storage, or the size of railroads’ digital archives. As roads store digital video captured by surveillance cameras installed on a locomotive or in a station, they need to determine how many files they can keep and for how long.

U.S. railroads can cite the London Underground bombings in July 2005 as a prime example for archiving, says Ralph Menzano, industry director-transportation for Oracle, which provides databases and software to the transportation industry. London Underground officials studied archived video files to identify and help capture the terrorists who planted the bombs.

“Video surveillance is a hot topic,” says Menzano. “The question is: How much do you archive? That’s the coming thing.”

Risk and reward
CSX’s Grant believes railroads need to take a risk-based approach to their e-security needs to determine what will work best for their particular organization. There are many different ways to boost security and technology changes rapidly, so it’s really a matter of constant self-assessment, he says.

“You have to understand what the threats are to your particular environment and determine how much risk you can take on as a company. The smaller risk you take on, the better off you are,” says Grant. “You’re never done doing that.”