Category: Rail

More digital rail and transit grow vulnerable in the cyber fight. The industry must build the confidence and standards needed to prevail

Rail and transit manufacturers and suppliers are grappling with increasingly frequent, speedy and sophisticated cyberattacks as their systems and devices become more connected digitally.

“Threat actors” attack vulnerabilities common to everyone dependent on computers and industrial control systems (ICS). Rail must manage unique vulnerabilities.

Efforts to strengthen cyber resilience come as rail struggles, like others, with pressing challenges: economic uncertainty, political instability, the Ukraine war, sustainability imperatives, and Covid’s aftereffects.

“Major disruptive events have tested the resilience of transport organizations as never before,” said Sara Ulrich of PA Consulting, which surveyed 360 European transportation leaders from all modes about their ability to defeat cyberattacks.

Amid the fight, leaders are doubting their general employees’ and cyber specialists’ ability to sustain cyber resilience while others question leaders’ commitment to cyber security.

To press the fight, industry and government agencies globally are collaborating on streamlined cyber resilience strategies.

Flaw in the Foundation

Complicating the fight is a flaw in the foundation of computer-based activity throughout the world: software code.

“We have normalized the acceptance of software that comes full of holes,” U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said June 12 on the podcast “On With Kara Swisher.” A May report for cyber firm Immersive Labs said 81 percent of large organizations’ software development teams knowingly release unsecure code. “We’ve accepted it,” Easterly said. CISA and five international allies have launched a campaign to change that.

Cyber’s danger to critical infrastructure, well known in technical circles, became clear to the public on May 7, 2021. Cybercriminals told Colonial Pipeline (the largest U.S. oil pipeline operator) they had stolen nearly 100 gigabytes of accounting and billing data, encrypted it and would release unencrypted versions unless paid a nearly $5 million ransom.

Concerned the crooks’ had penetrated operating systems, Colonial shut its 5,500-mile (8,850-km) pipeline. It supplies about 45 percent of the eastern U.S.’s fuel. Colonial quickly paid the ransom (as 80 percent of companies do, experts told Transport Security International). It got decryption codes, but seven days passed before pipeline flow was normal. By then, panic had ensued. Americans snaked through long gas lines, filling whatever would hold fuel, uncertain when more might flow.

With that attack, “the vulnerability of our highly connected society became a nationwide reality,” Easterly and Southern Company executive chairman Tom Fanning (CISA’s Cybersecurity Advisory Committee chair) wrote in a CISA blog.

Rail’s Digital Revolution

In the wake of rail’s digital revolution, cyberattacks against the sector have increased by 220 percent over the last five years, according to a report by rail cybersecurity specialist Cylus. Those attacks resulted in billions of dollars in losses.

“Rail systems are quality targets for threat actors,” Cylus chief technology officer Miki Shifman said. “Rail operators that are usually critical national infrastructure are on the radar.”

A case in point: Denmark State Railways halted passenger service for hours on Oct. 29 after a vendor, Supeo, suspended its Digital Backpack 2 electronic safety/security work documents service, which rail personnel tap through tablets or phones. The reason: ransomware. Restoring long-distance service took a day.

Beyond ransomware, cyberattacks draw on traditional tactics like malware, phishing (the most common initial one), and intellectual property piracy. On the rise is social engineering (“human hacking”), which uses psychology to manipulate people into revealing passwords, downloading software, or otherwise compromising security.

“Cyber attackers are becoming much more sophisticated in their techniques,” Scott Swanson, security advisory practice leader at the risk management consultancy Aon, said. “They’ve got more resources and capabilities to target critical infrastructure systems.”

Attackers are making more use of prefabricated tools, he said, and leveraging “advanced persistent threats.” These gain access undetected and loiter in networks and systems, seeking weaknesses, stealing data, and disrupting functions.

Volt Typhoon

In May, Microsoft reported that a threat actor linked with China, dubbed Volt Typhoon and active since mid-2021, has targeted critical infrastructure in Guam and elsewhere in the U.S.

Volt Typhoon has hit sectors from communications and government to information technology (IT) and transportation. Microsoft said the threat actor intends to spy and maintain access undetected for as long as possible by “living off the land,” using normal Windows systems, network activities, and administration tools for its objectives. This lets it avoid “endpoint detection and response (EDR) products that would alert” on a third-party application’s presence; Volt Typhoon’s behavioral indicators could be legitimate Windows commands that appear benign.

Better safeguards drive attackers’ growing sophistication. Some have turned to high-level executives and their families. A report for the digital protection firm BlackCloak found 42 percent of information technology and IT security professionals surveyed said cybercriminals had attacked executives or family members, with tactics ranging from malware and doxing to extortion and physical attack.

As security improves, cybercriminals increasingly target the private lives of “C-suite executives, board members, senior and executive leadership teams and other key personnel,” the report said. They have attacked home networks and compromised unsecured vectors from address books to social media accounts.

Cyberattacks are getting faster. A 2018 distributed denial-of-service (DDoS) attack on the software developer platform GitHub was considered a record, flooding it with commands at 1.3 terabits per second (Tbps). Commonly now, DDoS attacks approach 2 Tbps. A May 2022 DDoS attack on Microsoft Azure cloud computing platform peaked at 3.25 Tbps. Experts also said attacks are getting longer. Immersive Labs cyber vice president Max Vetter said it’s not uncommon to hear of attacks lasting nine months or more.

Cybercriminals’ growing sophistication and capabilities stem from their evolution from loosely affiliated groups to highly organized ones. “These aren’t just teenagers doing this in their bedroom,” Vetter said. “This is the work of advanced hacking groups.”

Supply Chain Vulnerabilities

Rail and transit share the cyber exposures, or attack surfaces, of others dependent on IT and the operational technology (OT) that runs their equipment. One example? Supply chain vulnerabilities.

Vendor cybersecurity is one of the most difficult challenges, Robert Silvers, U.S. Homeland Security undersecretary for strategy, policy, and plans, said. “It’s hard enough to protect your four corners,” he said. Understanding supplier vulnerabilities “is daunting at a minimum.”

Subsystems providers, like everyone in rail, are modernizing products with digital capabilities, Randy Mitzelfelt, head of North America rail cyber security business development for RazorSecure, said. Components that had been just hardware — brake systems, coupler systems — are digitized. “Subsystems that previously weren’t part of a network now are.”

When it comes to vulnerabilities, “there are lots of unique things about rail,” Cylus’ Shifman said. He outlined several.

Rail’s rolling stock and infrastructure is built for 30 years or more; computer systems aren’t designed for such long lives. Rail’s stringent safety constraints “make it very hard to patch systems or add security software.”

Over 80 percent of traffic relies on proprietary, industry-specific communications unsuitable for IT security measures, he said. The industry is just implementing cybersecurity standards, so operators can’t make assumptions about a system’s security level.

Trains run over remote stretches where communications may fade to low bandwidth and physical security of wayside components is difficult. They rely on wireless train-to-ground communication prone to cyberattacks.

Rail supports commands that can override a network’s safety logic. Trains may include hidden maintenance and troubleshooting applications. These are potential attack vectors.

Cybershield consulting managing director Christian Schlehuber added, “Almost everything in the rail system needs to be accessible by passengers.” Airports or nuclear plants can put up fences to keep out unauthorized persons. “For rail, that is hardly possible.”

It is unclear how well rail and transit have absorbed past attack lessons or their sector’s vulnerabilities. PA Consulting’s report, “The always-on advantage,” found that 88 percent of executives surveyed said resilience was a strategic imperative. But only 60 percent of rail executives rated their operational resilience as good or excellent.

That was up from 2019’s 47 percent. But the gap persists between executives’ resilience aspirations and confidence and plans. Despite the resilience’s strategic imperative, 65 percent of leaders told PA Consulting they have no plans to increase investment in resilience.

Transportation’s urgency around resilience is waning, the report said. One in four executives said more disruptive events that force them to prioritize resilience is the top driver of cyber resilience efforts. “Many organizations are waiting for fresh disruption to reignite a sense of urgency.” Only one in eight identified “clear resilience leadership,” as the top driver.

The Immersive Labs report delved deeper into the gap between resilience aspirations and capabilities. The firm surveyed 570 senior security and risk professionals at 1,000-employee-plus U.S., U.K., and German organizations. It found 86 percent of organizations have a cyber resilience program. But only 33 percent said they were confident their workforce is fully prepared to perform the tasks needed to recover from a cyber incident.

That’s an obvious problem.

The Weakest Link

“Humans are the weakest link in getting into a cyber secure organization,” but critical links in establishing and executing plans for responding to cyberattacks, said Augusto Chiaravalloti, Genetec’s industry marketing manager for the public sector, justice and public safety. “That’s why organizations need to educate employees about cybersecurity.”

Best practices, typified by the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Electrotechnical Commission (IEC) guidance, lay out five key steps: Identify critical assets, risk management practices, and security capabilities. Protect, defining prioritized defenses and safeguards for critical assets to minimize an attack’s impact. Detect threats promptly through continuous monitoring. Respond to contain and mitigate security incidents. Recover by restoring any damaged functions or services. Those all depend on employees executing effectively.

“If you have an attack and nobody knows what to do, people are just running around asking everybody who might have some knowledge about things. This is completely uncoordinated,” Schlehuber said. “You have to have a plan for how to react.”

An added benefit of an emergency response plan? Insight. “By planning a response, you find yourself trying to identify your system, your assets, who the owners are, what security mechanisms exist in them, what’s critical to your operation, and what could happen with any disruption,” Shifman said. With that insight, “you can prepare yourself better for the moment.”

Rail and transit organizations have adopted cyber best practices in large part because almost every country has enacted regulations requiring operators to increase security, experts said. The question is how.

One effort to answer that is an international collaboration to draft rail-specific cybersecurity guidelines. The NIST and IEC frameworks help, but they are directed at all ICS users. The new effort, led by the IEC’s Project Team 63452, aims to draft and publish no later than 2025 “an international standard for handling cybersecurity for the whole rail sector,” said Serge Benoliel, Alstom’s cybersecurity governance and expertise director and the team leader. It includes 79 experts from 14 countries. The standard will be based on the rail-specific cybersecurity Technical Specification 50701 published in 2021 by the European Committee for Electrotechnical Standardization (CENELEC).

The New Standard

The new standard “is going to be the future of how operators will secure themselves,” Shifman said.

That work builds on collaboration throughout the industry. “Train builders, suppliers and vendors are putting a lot of time and energy into trying to proactively address the needs of their customer base,” Mitzefelt said. “Among operators and agencies there is a lot of conversation and discussion about cybersecurity. That is at the forefront.”

Talks include CISA. “We’re having very good conversations with technology companies,” Easterly said, “to ensure that they understand what we think safe software products are.” Counterparts in Australia, Canada, the Netherlands, New Zealand, and the U.K. are involved.

Top leadership needs to do more, several experts said. “Until you really have the leadership involved, with tracking key performance indicators, reporting on progress, and embracing an interest in cybersecurity,” Swanson said, “your security posture is a little bit doomed.”

Easterly and Fanning concurred.

“The days of relegating cybersecurity to the chief information officer or chief information security officer must end,” they wrote. “CEOs and boards of directors must embrace cyber risk as a matter of good governance and prioritize cybersecurity as a strategic imperative and business enabler.”

There are approximately 600,000 bridges in the United States. With the growing number and intensity of domestic and international terrorist events in the post 9/11 world, more and more is being done to try to protect them. Terrorists attack critical infrastructure where human casualties and economic consequences are likely to be substantial. Because bridges are an integral cog in the transportation network with a bearing on human lives and economic activity, they are a likely terrorist target. Bridges are easily accessible to the public, have minimal security and provide the opportunity for a high number of casualties and injuries.

An al-Qaeda training manual found in 2000 explicitly endorsed “Blasting and destroying bridges leading into and out of…cities.” A bridge or tunnel collapse during rush hour traffic might kill hundreds or thousands. Overall estimates of the cost to replace a major long-span bridge on a busy interstate highway corridor in the United States could cost billions of dollars, and hamper or divert commerce, industry, agriculture, and investing both locally and nationally.

Secure and Protect

Given their importance, and the potential economic, psychological and human consequences of such attacks, it is crucial that traffic and railway bridges are properly secured and protected from disruption. However, doing this can be challenging. There are no easy security measures to guard against terrorist attacks on bridges. With bridges, the roadway or railroad track has to remain open to allow traffic flow. Bridges are exposed on all sides, making them vulnerable from above, below and at the water’s edge.

Bridge security, like security for any infrastructure asset, includes a broad range of issues that must ensure that adequate measures are taken to protect the asset and the people and goods that utilize the asset. According to a panel formed by the Federal Highway Administration (FHWA) and the American Association of State Highway and Transportation Officials (AASHTO) the consequences of a terrorist attack on a bridge can be expressed as follows:

• Threats to the integrity of the structure (e.g., resulting in replacement of the facility or major repairs).

• Damage that inhibits the structure’s functionality for an extended period of time, such as closure of the facility for 30 days or more.

• Catastrophic failure resulting from an attack based on the threats described above.

Terrorist threats to bridges can include:

• Fire (can lead to buckling of steel beams and spalling of concrete).

• Impact (can lead to damage of piers, causing collapse of the superstructure and failure of hangers, again resulting in collapse of the superstructure).

• Mechanical cutting devices (can lead to cutting of hangers, resulting in collapse of the superstructure).

• Corrosive chemicals.

• Blast or explosion (can lead to severe damage of the structure).

Today, the U.S. Department of Homeland Security (DHS) plays a critical role in bridge security. In addition, the Transportation Research Board (TRB), through its cooperative research programs, had been addressing these security issues prior to 9/11 and substantially expanded its effort after. FHWA has continued to work with TRB in this effort.

After the 9/11 attacks, FHWA started conducting onsite assessments of bridges. In collaboration with other agencies, it began evaluating these structures around the country for their ability to resist attack. There were also several independently sponsored assessment studies and security retrofit projects done at that time on major bridges.

Information gathered from all of this helped fine-tune retrofit measures and increased potential restrictions on proposed countermeasures. The original focus was on vehicle-borne charges, but the engineering assessment teams found alternative attack methods to be feasible, so where possible the researchers factored those into the development of countermeasures.

The field investigations helped identify long-term issues and focus implementation. Other issues considered by the researchers included size and weight limitations on existing structures, especially older ones; material and geometric restrictions; practical restrictions imposed by construction, maintenance and inspection; and the need to coordinate retrofit designs and hardware with those from other retrofits.

Mitigating Damage

What can be done to prevent terrorist attacks on bridges? There is a variety of countermeasures that can be used singly or in combination to reduce attractiveness and/or vulnerability, or to reduce consequences if an attack occurs. Countermeasures are often grouped into actions or technologies to deter attack, deny access, detect presence, defend the facility, or design structural hardening to minimize consequences to an accepted level.

Bridge owners and operators should consider incorporating physical security features, including traffic and pedestrian cameras, increased illumination, restricted access to critical areas, and barriers for bridge piers and pedestrian and bicycle pathways. As structurally deficient bridges are updated or replaced, public safety personnel — emergency managers, planners and others — are encouraged to work closely with engineers and inspectors during the planning stages to contribute security and emergency response considerations.

According to the Office of the Director of National Intelligence, the following observable indicators specific to bridges may create some degree of suspicion of criminal activity. Any determination of possible illicit intent should be supported by additional facts that justify reasonable suspicion. While one activity may be insignificant on its own, the indicators should be looked at “under the totality of the circumstance.” Any indicators creating a strong suspicion of violence when observed in combination with other suspicious behaviors may constitute a basis for reporting.

Watch for:

• Unauthorized persons inside restricted areas or areas not normally accessed by the public.

• Evidence of tampering, cutting or other signs of damage to the structure or its components.

• Unattended or abandoned bags, packages, containers, or other items.

• Surveillance of the bridge or its components either in person or remotely — for example, by using unmanned aircraft systems — without a reasonable explanation.

• Vehicles or water vessels loitering or illegally parked near bridges or critical components.

According to the Department of Transportation the following actions should be considered during the design phase of all structures. In general, public access to bridges should be limited to the traveled way. Example of details to consider include: locating box girder access openings away from abutments where the soffit is close to the ground; providing locking mechanisms on deck access openings; placing screens at soffit vents near abutments, and; preventing access to girder flanges and maintenance walkways at abutments.

Withstanding an Attack

Can bridges be built and retrofitted to better withstand a terrorist attack? In a study funded by the Texas DOT and seven other state transportation agencies, analytical models helped investigate cost-effective and unobtrusive design and retrofit options for a variety of bridges. The researchers collaborated with the U.S. Army Corps of Engineers and private consultants specializing in bridge design and structural response to blast loads. Vehicle bombs are the terrorist weapon of choice worldwide and are a significant concern for highway bridges. Using computer simulations and blast tests on 16 half-scale bridge columns, the researchers were able to see how these critical bridge components respond to various explosion scenarios.

Among the major findings is that the shape of a bridge column can play a large role in how well a bridge withstands blast pressure. In the experiments, circular columns decreased the blast pressure on a bridge by up to 34 percent compared to a square or rectangular column of the same size. The dimensions of bridge columns also had a major impact on the column’s capacity to withstand a close blast. Consequently, the researchers recommended a minimum bridge column diameter of 30 inches in their design guidelines.

In states prone to earthquakes, like California, the impact of the guidelines is not as significant because bridges there are already designed and built to withstand tremors from an earthquake. But in states like Texas, where there is little or no seismic activity, bridge construction may require improved column detailing. In these states, the new guidelines can make a significant difference in improving bridge safety.

U.S. Army Engineer Research and Development Center has Anti-Terrorism Planner for Bridges (ATP-Bridge) software available to provide help. It is a fast-running, engineering-level code for predicting damage to bridge components by explosive, thermal and mechanical threats. ATP-Bridge enables rapid vulnerability assessment for existing bridges and can aid designers to incorporate protective design in new construction. This software is primarily aimed at bridge engineers, but could also help law enforcement or emergency management personnel to assess likely damage to bridge infrastructure from selected human-made intentional or accidental hazards.

With this software, damage predictions are made using a combination of empirical models for localized damage and an explicit time-integration finite element code for column structural response. Models in ATP-Bridge leverage over a decade of physical testing and high-fidelity simulation. A straightforward graphical user interface allows the user to create an inventory of components and threats quickly and easily. The component types that can be modeled cover reinforced concrete (R/C) columns with circular or rectangular cross sections, R/C tower panels, steel tower panels and cables.

Surveillance

Surveillance systems for bridges flooded the market after September 11, but many states lacked guidance for choosing among them. FHWA undertook a research study to determine the latest surveillance technologies and security practices, and develop a protocol to assist in the decision-making processes.

FHWA led a Transportation Pooled Fund effort focusing on the state of current and future surveillance and monitoring technologies available both within the United States and abroad. Researchers surveyed bridge and tunnel owners about their existing surveillance and security capabilities, including their experiences with these technologies.

The research also included site visits to examine existing systems. The study produced a report, Bridge and Tunnel Security and Surveillance Technologies, and a database of available security and surveillance systems. Currently, the report is available by contacting FHWA, and the long-term plan is to make it available through the National Technical Information Service.

Smart thermal cameras with integrated video analytics can survey critical infrastructure in the tough outdoor environment that bridges exist in to keep them safe.

Princeton, N.J.-based SightLogix’s SightSensors aid bridge security challenges because they can:

• Detect movement with a high degree of accuracy in the presence of small animals, birds, flowing water or blowing debris.

• Provide early warning of intruders over massive buffer zones beyond the bridge structure itself — detecting intruders and approaching watercraft over hundreds of meters far and wide.

• Operate in complete darkness as well as glare conditions caused by the rising or setting sun, headlights, or reflections off water.

• Employ automatic stabilization to remove camera shake caused by passing trains, traffic and wind.

• Determine the exact location of the intrusion and automatically zoom PTZ cameras to follow the action in real time.

Looking ahead, surveillance and more effective detection and warning systems will help mitigate incidents. Improved designs and effective uses of new materials can help protect structures and ensure that unpreventable damage does not result in complete failure, which could cause major disruption to the economy and possibly numerous lives lost.