As rail and transit go digital, they grow more vulnerable in the cyber fight. The industry must build the confidence and standards needed to prevail
Rail and transit manufacturers and suppliers are grappling with increasingly frequent, speedy and sophisticated cyberattacks as their systems and devices become more connected digitally.
“Threat actors” attack vulnerabilities common to everyone dependent on computers and industrial control systems (ICS). Rail must also manage vulnerabilities unique to the sector.
Efforts to strengthen cyber resilience come as rail struggles, like others, with pressing challenges: economic uncertainty, political instability, the Ukraine war, sustainability imperatives, and Covid’s aftereffects.
“Major disruptive events have tested the resilience of transport organizations as never before,” said Sara Ulrich of PA Consulting, which surveyed 360 European transportation leaders from all modes about their ability to defeat cyberattacks.
Amid the fight, leaders are doubting their general employees’ and cyber specialists’ ability to sustain cyber resilience while others question leaders’ commitment to cyber security.
To press the fight, industry and government agencies globally are collaborating on streamlined cyber resilience strategies.
Flaw in the Foundation
Complicating the fight is a flaw in the foundation of computer-based activity throughout the world: software code.
“We have normalized the acceptance of software that comes full of holes,” U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said June 12 on the podcast “On With Kara Swisher.” A May report for cyber firm Immersive Labs said 81 percent of large organizations’ software development teams knowingly release unsecure code. “We’ve accepted it,” Easterly said. CISA and five international allies have launched a campaign to change that.
Cyber’s danger to critical infrastructure, well known in technical circles, became clear to the public on May 7, 2021. Cybercriminals told Colonial Pipeline (the largest U.S. oil pipeline operator) they had stolen nearly 100 gigabytes of accounting and billing data, encrypted it and would release unencrypted versions unless paid a nearly $5 million ransom.
Concerned the crooks had penetrated operating systems, Colonial shut its 5,500-mile (8,850-km) pipeline. It supplies about 45 percent of the eastern U.S.’s fuel. Colonial quickly paid the ransom (as 80 percent of companies do, experts told Transport Security International). It got decryption codes, but seven days passed before pipeline flow was normal. By then, panic had ensued. Americans snaked through long gas lines, filling whatever would hold fuel, uncertain when more might flow.
With that attack, “the vulnerability of our highly connected society became a nationwide reality,” Easterly and Southern Company executive chairman Tom Fanning (CISA’s Cybersecurity Advisory Committee chair) wrote in a CISA blog.
Rail’s Digital Revolution
In the wake of rail’s digital revolution, cyberattacks against the sector have increased by 220 percent over the last five years, according to a report by rail cybersecurity specialist Cylus. Those attacks resulted in billions of dollars in losses.
“Rail systems are quality targets for threat actors,” Cylus chief technology officer Miki Shifman said. “Rail operators that are usually critical national infrastructure are on the radar.”
A case in point: Denmark State Railways halted passenger service for hours on Oct. 29 after a vendor, Supeo, suspended its Digital Backpack 2 electronic safety/security work documents service, which rail personnel tap through tablets or phones. The reason: ransomware. Restoring long-distance service took a day.
Beyond ransomware, cyberattacks draw on traditional tactics like malware, phishing (the most common initial one), and intellectual property piracy. On the rise is social engineering (“human hacking”), which uses psychology to manipulate people into revealing passwords, downloading software, or otherwise compromising security.
“Cyber attackers are becoming much more sophisticated in their techniques,” Scott Swanson, security advisory practice leader at the risk management consultancy Aon, said. “They’ve got more resources and capabilities to target critical infrastructure systems.”
Attackers are making more use of prefabricated tools, he said, and leveraging “advanced persistent threats.” These gain access undetected and loiter in networks and systems, seeking weaknesses, stealing data, and disrupting functions.
Volt Typhoon
In May, Microsoft reported that a threat actor linked with China, dubbed Volt Typhoon and active since mid-2021, has targeted critical infrastructure in Guam and elsewhere in the U.S.
Volt Typhoon has hit sectors from communications and government to information technology (IT) and transportation. Microsoft said the threat actor intends to spy and maintain access undetected for as long as possible by “living off the land,” using normal Windows systems, network activities, and administration tools for its objectives. This lets it avoid “endpoint detection and response (EDR) products that would alert” on a third-party application’s presence; Volt Typhoon’s behavioral indicators could be legitimate Windows commands that appear benign.
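Because living-off-the-land activity is carried out with tools that are already on the machine, an alert keyed to the presence of a foreign binary finds nothing. What a defender can watch instead is context: which account ran a built-in administration tool, and from what parent process, compared with what that account normally does. The following Python sketch is an added example, not code from the article, Microsoft, or any vendor named here; the tool watchlist, the list of expected parent processes, and every event record are constructed assumptions for illustration.

```python
"""Baseline-and-deviation detection for living-off-the-land activity.

Added example. All event records, the tool watchlist and the parent list
below are constructed; a real deployment would take them from EDR or
Sysmon process-creation telemetry and a maintained tool catalogue.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist of built-in Windows administration tools. A plain
# signature on any of these would drown in legitimate admin noise, so the
# detector scores the *context* of each launch against a per-account baseline.
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe", "schtasks.exe"}

# Constructed list of parents from which an administrator normally launches them.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def build_baseline(history):
    """Map each account to the set of admin tools it has used in the past."""
    seen = defaultdict(set)
    for e in history:
        if e.image in ADMIN_TOOLS:
            seen[e.user].add(e.image)
    return seen


def score_event(event, baseline):
    """Return (score, reasons) for one event; score 0 means nothing unusual."""
    reasons = []
    if event.image not in ADMIN_TOOLS:
        return 0, reasons
    if event.image not in baseline.get(event.user, set()):
        reasons.append("tool never used by this account before")
    if event.parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {event.parent}")
    return len(reasons), reasons


def detect(events, baseline, threshold=1):
    """Return (event, reasons) pairs whose score reaches the threshold."""
    hits = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            hits.append((e, reasons))
    return hits


# Constructed learning window: an admin doing routine work, a web service
# account that never touches admin tools.
HISTORY = [
    ProcEvent("2023-06-01T08:00:00Z", "ws-01", "ops-admin", "explorer.exe",
              "powershell.exe", "powershell.exe -File backup.ps1"),
    ProcEvent("2023-06-01T08:05:00Z", "ws-01", "ops-admin", "powershell.exe",
              "netsh.exe", "netsh interface show interface"),
    ProcEvent("2023-06-02T09:00:00Z", "srv-02", "svc-web", "services.exe",
              "w3wp.exe", "w3wp.exe -ap AppPool"),
]

# Constructed events to score: two routine, one mildly new, one that a
# service account should never produce.
NEW_EVENTS = [
    ProcEvent("2023-06-10T10:00:00Z", "ws-01", "ops-admin", "powershell.exe",
              "netsh.exe", "netsh interface show interface"),
    ProcEvent("2023-06-10T10:02:00Z", "ws-01", "ops-admin", "cmd.exe",
              "schtasks.exe", "schtasks /query"),
    ProcEvent("2023-06-10T03:14:00Z", "srv-02", "svc-web", "w3wp.exe",
              "wmic.exe", "wmic process list brief"),
    ProcEvent("2023-06-10T03:15:00Z", "srv-02", "svc-web", "w3wp.exe",
              "notepad.exe", "notepad.exe"),
]


def run_example(threshold=1):
    """Score the constructed events against the constructed baseline."""
    return detect(NEW_EVENTS, build_baseline(HISTORY), threshold)


if __name__ == "__main__":
    for event, reasons in run_example():
        print(f"{event.ts} {event.host} {event.user} {event.parent} -> {event.image}: "
              + "; ".join(reasons))
```

With the default threshold the detector raises two findings: a low-severity one for the administrator using a tool that account had not used before, and a two-reason one for the web service account spawning an administration tool from the web worker process. Raising the threshold to 2 keeps only the second. The point is the shape of the logic rather than the particular names: it alerts on who and from where, which is the part of a living-off-the-land intrusion that a file-based control cannot see.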
Better safeguards drive attackers’ growing sophistication. Some have turned to high-level executives and their families. A report for the digital protection firm BlackCloak found 42 percent of IT and IT security professionals surveyed said cybercriminals had attacked executives or family members, with tactics ranging from malware and doxing to extortion and physical attack.
As security improves, cybercriminals increasingly target the private lives of “C-suite executives, board members, senior and executive leadership teams and other key personnel,” the report said. They have attacked home networks and compromised unsecured vectors from address books to social media accounts.
Cyberattacks are getting faster. A 2018 distributed denial-of-service (DDoS) attack on the software developer platform GitHub was considered a record, flooding it with traffic at 1.3 terabits per second (Tbps). Commonly now, DDoS attacks approach 2 Tbps. A May 2022 DDoS attack on the Microsoft Azure cloud computing platform peaked at 3.25 Tbps. Experts also said attacks are getting longer. Immersive Labs cyber vice president Max Vetter said it’s not uncommon to hear of attacks lasting nine months or more.
Cybercriminals’ growing sophistication and capabilities stem from their evolution from loosely affiliated groups to highly organized ones. “These aren’t just teenagers doing this in their bedroom,” Vetter said. “This is the work of advanced hacking groups.”
Supply Chain Vulnerabilities
Rail and transit share the cyber exposures, or attack surfaces, of others dependent on IT and the operational technology (OT) that runs their equipment. One example? Supply chain vulnerabilities.
Vendor cybersecurity is one of the most difficult challenges, Robert Silvers, U.S. Homeland Security undersecretary for strategy, policy, and plans, said. “It’s hard enough to protect your four corners,” he said. Understanding supplier vulnerabilities “is daunting at a minimum.”
Subsystems providers, like everyone in rail, are modernizing products with digital capabilities, Randy Mitzelfelt, head of North America rail cyber security business development for RazorSecure, said. Components that had been just hardware — brake systems, coupler systems — are digitized. “Subsystems that previously weren’t part of a network now are.”
When it comes to vulnerabilities, “there are lots of unique things about rail,” Cylus’ Shifman said. He outlined several.
Rail’s rolling stock and infrastructure are built for 30 years or more; computer systems aren’t designed for such long lives. Rail’s stringent safety constraints “make it very hard to patch systems or add security software.”
Over 80 percent of traffic relies on proprietary, industry-specific communications unsuitable for IT security measures, he said. The industry is just implementing cybersecurity standards, so operators can’t make assumptions about a system’s security level.
Trains run over remote stretches where communications may fade to low bandwidth and physical security of wayside components is difficult. They rely on wireless train-to-ground communication prone to cyberattacks.
Rail supports commands that can override a network’s safety logic. Trains may include hidden maintenance and troubleshooting applications. These are potential attack vectors.
Cybershield consulting managing director Christian Schlehuber added, “Almost everything in the rail system needs to be accessible by passengers.” Airports or nuclear plants can put up fences to keep out unauthorized persons. “For rail, that is hardly possible.”
It is unclear how well rail and transit have absorbed past attack lessons or their sector’s vulnerabilities. PA Consulting’s report, “The always-on advantage,” found that 88 percent of executives surveyed said resilience was a strategic imperative. But only 60 percent of rail executives rated their operational resilience as good or excellent.
That was up from 2019’s 47 percent. But the gap persists between executives’ resilience aspirations on one side and their confidence and plans on the other. Despite resilience’s strategic imperative, 65 percent of leaders told PA Consulting they have no plans to increase investment in resilience.
Transportation’s urgency around resilience is waning, the report said. One in four executives said more disruptive events that force them to prioritize resilience is the top driver of cyber resilience efforts. “Many organizations are waiting for fresh disruption to reignite a sense of urgency.” Only one in eight identified “clear resilience leadership” as the top driver.
The Immersive Labs report delved deeper into the gap between resilience aspirations and capabilities. The firm surveyed 570 senior security and risk professionals at 1,000-employee-plus U.S., U.K., and German organizations. It found 86 percent of organizations have a cyber resilience program. But only 33 percent said they were confident their workforce is fully prepared to perform the tasks needed to recover from a cyber incident.
That’s an obvious problem.
The Weakest Link
Humans are “the weakest link in getting into a cyber secure organization,” but also critical links in establishing and executing plans for responding to cyberattacks, said Augusto Chiaravalloti, Genetec’s industry marketing manager for the public sector, justice and public safety. “That’s why organizations need to educate employees about cybersecurity.”
Best practices, typified by the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Electrotechnical Commission (IEC) guidance, lay out five key steps: Identify critical assets, risk management practices, and security capabilities. Protect by defining prioritized defenses and safeguards for critical assets to minimize an attack’s impact. Detect threats promptly through continuous monitoring. Respond by containing and mitigating security incidents. Recover by restoring any damaged functions or services. All five depend on employees executing effectively.
“If you have an attack and nobody knows what to do, people are just running around asking everybody who might have some knowledge about things. This is completely uncoordinated,” Schlehuber said. “You have to have a plan for how to react.”
An added benefit of an emergency response plan? Insight. “By planning a response, you find yourself trying to identify your system, your assets, who the owners are, what security mechanisms exist in them, what’s critical to your operation, and what could happen with any disruption,” Shifman said. With that insight, “you can prepare yourself better for the moment.”
Rail and transit organizations have adopted cyber best practices in large part because almost every country has enacted regulations requiring operators to increase security, experts said. The question is how.
One effort to answer that is an international collaboration to draft rail-specific cybersecurity guidelines. The NIST and IEC frameworks help, but they are directed at all ICS users. The new effort, led by the IEC’s Project Team 63452, aims to draft and publish no later than 2025 “an international standard for handling cybersecurity for the whole rail sector,” said Serge Benoliel, Alstom’s cybersecurity governance and expertise director and the team leader. It includes 79 experts from 14 countries. The standard will be based on the rail-specific cybersecurity Technical Specification 50701 published in 2021 by the European Committee for Electrotechnical Standardization (CENELEC).
The New Standard
The new standard “is going to be the future of how operators will secure themselves,” Shifman said.
That work builds on collaboration throughout the industry. “Train builders, suppliers and vendors are putting a lot of time and energy into trying to proactively address the needs of their customer base,” Mitzelfelt said. “Among operators and agencies there is a lot of conversation and discussion about cybersecurity. That is at the forefront.”
Talks include CISA. “We’re having very good conversations with technology companies,” Easterly said, “to ensure that they understand what we think safe software products are.” Counterparts in Australia, Canada, the Netherlands, New Zealand, and the U.K. are involved.
Top leadership needs to do more, several experts said. “Until you really have the leadership involved, with tracking key performance indicators, reporting on progress, and embracing an interest in cybersecurity,” Swanson said, “your security posture is a little bit doomed.”
Easterly and Fanning concurred.
“The days of relegating cybersecurity to the chief information officer or chief information security officer must end,” they wrote. “CEOs and boards of directors must embrace cyber risk as a matter of good governance and prioritize cybersecurity as a strategic imperative and business enabler.”