4/9/2021
Compiled by Progressive Railroading Staff

As the freight transportation realm grows more digitally reliant, every link in the chain can become more vulnerable to cyber attacks. Progressive Railroading recently asked a sampling of technology and service providers for information about their offerings or trends in the field. Emailed responses follow from Siemens and Beryllium LLC.

SIEMENS
The rail industry is characterized by legacy systems designed and commissioned before security measures entered into cyber space. And the extremely long lifecycles for infrastructure and vehicles raise significant challenges to adaptability, creating a landscape of high heterogeneity of components and software versions, according to Siemens officials.

Even with digitalization’s promise of optimization and more efficiency, exposing railway systems to potential vulnerabilities needs to be weighed heavily against any benefits the data can bring.

The past security strategy of physically isolating the equipment worked when most equipment was non-electronic. However, these traditional ways are no longer effective as documented protocols become exposed and more common protocols get adopted.

Today, digital transformation in railways requires the implementation of emerging technologies that securely connect the operational technology (OT) networks of railway systems with IT networks, such as corporate and cloud computing environments. And this connection to the cyber world needs to be fully protected.

Software-based firewalls demand time, effort and expense for patch management, constant maintenance, monitoring, and audits to ensure optimal security.
However, a data diode like Siemens CoreShield Data Capture Unit (DCU) does not require rule management because its security function is achieved via hardware. Without a physical connection between the critical and open networks, the DCU offers no opportunity for back doors being left open, and no misconfiguration or software vulnerability can make it insecure, Siemens officials said.
Also, unlike software, data diode hardware security cannot be hacked and the integrity of the tapped data is always guaranteed with encryption, forward error correction and secure servers.

BERYLLIUM LLC
The increase in advanced persistent threats and malicious cyber activity targeting rail industry critical infrastructure OT and industrial control systems (ICS) can largely be attributed to the open nature of industrial protocols, such as Ethernet/IP, ModBusTCP, Highway Addressable Remote Transducer (HART), WirelessHART and ProfiNET, said Paul Veeneman, president and chief operating officer of Beryllium, a Minneapolis-based information security and cybersecurity company.

Current industrial protocols were ported over from original RS-232, RS-485 and RS-422 communications architecture, allowing for the encapsulation of the serial communications, constructed to operate over TCP/IP Ethernet networks, Veeneman said.

These network-based industrial protocols initially were an open architecture lacking authentication or encryption mechanisms. This allowed for quick adoption and integration of distributed environments, wide-area networks and facility networks at the expense of cyber security vulnerabilities, he said.

Fast forward to 2010 and the discovery of Stuxnet, a purpose-built malicious code specifically designed to exploit the Supervisory Control and Data Acquisition (SCADA) system and programmable logical controller software and platforms.

Manufacturers that serve a significant portion of ICS within the rail industry continue to make cybersecurity integration a primary concern in their product development roadmaps.
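To make the "lacking authentication" point concrete, here is an added example (not part of the article or of either vendor's material) that parses constructed Modbus/TCP frames: the MBAP header carries a transaction id, protocol id, length and unit id, then a function code and data, and nothing that identifies or authenticates the sender. The only compensating control is therefore at the network layer, so the monitor below flags write requests from hosts outside a hypothetical engineering-workstation allowlist.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (write coils / registers).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}

# Hypothetical allowlist of hosts permitted to write to PLCs (example value only).
ALLOWED_WRITERS = {"10.10.1.20"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU. Note that no field in the frame
    carries a credential, session token or signature: any host that can reach
    TCP/502 can issue any function code."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:  # protocol id is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def flag_unauthorized_writes(packets):
    """Return (src_ip, function_code) for each write request whose source is
    not on the allowlist. Malformed frames are skipped, not alerted on."""
    alerts = []
    for src_ip, payload in packets:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            continue
        if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
            alerts.append((src_ip, frame.function_code))
    return alerts


# Constructed sample traffic as (src IP, raw TCP payload); not a real capture.
SAMPLE_PACKETS = [
    ("10.10.1.30", bytes.fromhex("000100000006" "01" "03" "0000000a")),  # FC 3 read from an HMI
    ("10.10.1.20", bytes.fromhex("000200000006" "01" "06" "001000ff")),  # FC 6 write, allowlisted host
    ("10.10.9.77", bytes.fromhex("000300000006" "01" "05" "0001ff00")),  # FC 5 write, unexpected host
]
```

Running `flag_unauthorized_writes(SAMPLE_PACKETS)` returns only the write from 10.10.9.77; the protocol itself would have accepted all three frames.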
However, that doesn’t address the 10- to 15-year-old legacy systems and vulnerabilities in operation within the rail industry today, Veeneman noted.

To keep pace with the ever-changing landscape of OT and ICS cybersecurity requirements, the rail industry can leverage organizations such as the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) standards, industry best practices and security frameworks, he said.

The ISA99 standards and ISA/IEC 62443 were developed to provide cybersecurity guidance and mitigation of vulnerabilities for industrial automation and control systems environments, and are applicable to the broad operations base of freight- and commuter-rail transportation, he added.

Email comments or questions to prograil@tradepress.com.