This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
April 2019
Compiled By Pat Foran, Editor
Like every business in every industry, railroads are becoming more and more digitally reliant. They’re also becoming more vulnerable to cyber breaches.
What should rail officials be thinking about these days on the digital vulnerability front? What are the key cybersecurity issues railroads need to address? How can they get better at protecting their systems, their data, their customers’ data — and, so, their businesses?
Last month, we asked a cross section of technology and service providers to share their takes on today’s cybersecurity challenges. We also asked them how their respective firms can help rail customers contend with these challenges. Responses from five companies follow.
A 2018 Symantec Corp. report (“10 Cybersecurity Facts and Statistics for 2018”) shows that cyber attacks are on the rise in the United States, as Collins Aerospace officials noted. According to the report: Among countries, the United States is the world’s No. 1 target of cyber attacks; Internet of Things (IoT) devices can significantly increase network vulnerabilities; and the average time it takes to identify a cyber breach is 196 days.
Difficult to spot initially, targeted cyber attacks crafted for specific organizations can lay dormant “for long periods before executing and once the attack begins, downtime is inevitable,” Collins Aerospace officials said.
With the introduction of new IoT devices, the communication networks may be more vulnerable than ever before. And once an attack begins, and indicators of compromise were never spotted, how does one know when they have eradicated the threat?
“Securing your infrastructure should be every organization’s top priority,”
Collins Aerospace officials said. “Cybersecurity requires people, processes and technology to be combined and implemented to be effective.
Technology can assist in assessing the vulnerability of the communication network, and hardening, monitoring and maintaining its security posture for the long haul. Technology also helps in the identification of indicators of compromise, while “well-defined processes and trained staff will ensure those indicators are investigated and eradicated when necessary,” Collins Aerospace officials said, adding that the company has implemented and currently maintains cybersecurity solutions across North America.
“When attacks are identified, our cybersecurity and response staff are notified via our 24/7 Cybersecurity Operations Center (CSOC),” they said. “Our solutions and CSOC are custom-built for our rail customers, including the knowledge, skill sets and credentials of our engineers and cybersecurity teams.”
“Freight- and passenger-rail companies are sharing more sensitive business and customer data across larger and more complex value chains than ever before,” said Adam Roark, DXC Technology’s general manager of freight/logistics/rail. “Connected transportation systems and emerging technologies are enabling rail companies to step up their defenses against cyber breaches through new threat intelligence capabilities to gain more control, and the ability to detect and respond to threats faster.”
DXC Technology offers security services and solutions designed to meet the needs of companies that move freight and passengers locally, across borders and around the world. Services and solutions include:
• Security assessments to identify risk and strategies for security-oriented transformation, legal and regulatory compliance and managing the security environment.
• Managed security services that enable organizations to “get ahead of threats and avoid costly consequences,” including security roadmaps, monitoring, infrastructure management, incident response planning and threat intelligence, Roark said.
• Mission-critical systems and customized IT solutions designed to help freight and logistics and rail companies secure their complex global supply chains; and deploy virtual operating centers to integrate, synthesize and distribute real-time data on transport hubs, lines, assets and emergency responses. Solutions also are available to help customers integrate security with route planning, risk-level assessment, travel times, scheduling, pricing and costs; track discrete shipments and items to support enhanced compliance and more accurately manage customs and duty reporting and payments; and detect and respond to product counterfeiting and support certification against regulatory requirements such as Payment Card Industry standards.
The following was submitted by Patrick Lortie, partner, surface transportation, North American rail practice lead, and Paul Mee, partner, digital and financial services, cyber platform lead, for Oliver Wyman:
“Many industries and companies are incorporating cybersecurity into their cultures, while building advanced cyber defenses and resiliency programs. Railroads are particularly at risk because they are extensive, dispersed and complex.
“Despite modernization, critical rail infrastructure is still made up of legacy components not originally designed and deployed with cyber resilience in mind. Rail systems also are increasingly interconnected and no longer air-gapped (separated from the internet). For example, the rollout of positive train control is a notable capability that could be of interest to bad actors. Other liabilities include the use of open-source software, software with outdated security patches, exposure to social engineering, and the misuse of portable storage devices.
“The cyber risks for rail are many, including financial losses, compromised infrastructure, scheduling and communications breakdowns, theft of private data, and reputational risk. The most serious concern ... is the physical safety of the rail network, employees, and passengers.”
Cyber resilience, or the ability to prepare for, react to, and move past a cyber attack, “must be high on the agenda of rail executives and board members,” Lortie and Mee said, adding that Oliver Wyman has “extensive experience” working with a broad range of clients on cyber risks to develop cyber defenses and resiliency through the application of a nine-step process.
“Managing cyber risk and building appropriate defenses for railroads are not easy tasks, given the mix of legacy components and the advanced technologies railroads are embracing,” they said. “But make no mistake: Cyber resiliency is a clear and urgent necessity in today’s digital world.”
Like other industries, the rail industry “relies on many vendors and partners to ensure efficiencies within their operations,” said William Dupre, Railinc’s director of security. “With this reliance comes risk. Such risk can manifest itself in third-party negligence when security controls are not properly put in place. But it can also be a concern when purchasing products or services where national security concerns could be at stake.”
As a third-party service provider within an industry deemed critical infrastructure, Railinc “must provide assurances to the rail industry of its own security posture,” Dupre said.
“We do this through our participation in industry security committees and by maintaining a program which aligns to the NIST Cybersecurity Framework,” he said. “The former allows for the sharing of security-related information, including threat intelligence, across the industry; while the latter gives Railinc the ability to speak a common, trusted language with external parties.
With cyber attacks on the rise and the cost of a malware attack averaging more than $2 million, securing infrastructure is “increasingly important,” Siemens Mobility officials said. Infrastructure, particularly rail infrastructure has a long-life cycle, which adds complexity to securing the systems, and vulnerabilities in IT security can deteriorate availability and reliability of infrastructure systems, company officials added.
Traditionally, critical industrial control systems are protected either by a firewall or by an air-gap, meaning they are completely isolated from the remaining network. Both have “significant shortcomings as an air-gap does not allow the real-time flow of information, while firewalls are complicated and susceptible to misconfiguration,” Siemens Mobility officials said, adding that many of the most impactful vulnerability disclosures, such as “Heartbleed,” critically affected almost all the of the top global firewall vendors.
Siemens Mobility offers the Data Capture Unit (DCU), a unidirectional gateway designed to ensure that data only flows in one direction. The DCU hardware “guarantees no direct cooper or optical wired connection between the open network and the critical network — the critical network is physically isolated,” the company said. “As a result, safety-critical networks are always protected from possible cyber attacks. This enables connectivity, compliant with the highest safety and security standards.”
With Siemens’ open IoT operating system, Mindsphere, the data collected from railway systems then is analyzed using artificial intelligence to “optimize operations and availability, providing operators secure real-time access to both data and operational suggestions,” the company said.
Email comments or questions to pat.foran@tradepress.com.
Related Topics: