Rail operators and their vendors are pressing efforts to counter and mitigate relentless cyber attacks on information technology and digitized operational systems throughout North America and Europe.
Those efforts are driven in part by new U.S. government rules, and by American and European guidance, that draw on lessons from attacks on other areas of critical national infrastructure and aim to reduce cybersecurity vulnerabilities in the passenger and freight rail sectors.
The experience of NJTransit, the third largest U.S. rail, light rail and bus provider (with service throughout New Jersey and to New York City and Philadelphia), illustrates the current cyber threat environment. Attackers try to infiltrate its computer networks “not in the six digits but a lot higher on a weekly basis,” agency Chief Information Security Officer Rafi Khan told a Jan. 27 webinar. “Being a critical infrastructure transit system, we are a moving target all the time.”
The nature of the cyber threat to computerized systems evolves continually, driven by a fluid mix of criminal gangs, some of them supplemented by nations’ governments or their agents, according to numerous experts. These malicious actors refine their tactics on an ongoing basis. (Cybersecurity experts refer to those tactics as “tradecraft,” the term traditionally used for the skills and methods of spies.) For instance, attackers have moved beyond classic “ransomware,” in which they encrypt a network’s data or lock its owner out of vital components like file servers and then demand a substantial payment for the digital key that restores access.
Their newer approaches include “double extortion,” in which they copy confidential data before encrypting it, demand one payment for the decryption key and follow that with a second payment demand for refraining from publicly releasing the stolen information. “Triple extortion” builds on that by also demanding payment from the network owner’s clients to head off the release of their specific, individual information.
Cyber gangs also have moved beyond targeting individual companies and organizations, particularly in lucrative financial services, to target information technology (IT) suppliers that serve hundreds or thousands of outfits. That was the case when Russian hackers compromised the software build process of the IT management software provider SolarWinds to place a “back door” in updates to its Orion products, giving the hackers entry to Orion users’ networks. Investigators later determined that about 18,000 customers (including U.S. government users) had installed the tainted update, which sat undetected in those networks and SolarWinds’ own for months before it was discovered in December 2020; the attackers then used the back door to go deeper into a much smaller subset of those networks.
In July 2021, another group of Russian hackers gained access to the IT management software provider Kaseya’s Virtual System Administrator (VSA). VSA was popular among managed service providers, which run IT infrastructure for smaller companies that outsource that function, a business that grew during the Covid-19 rush to have employees work from home. The attack gave the hackers access to the networks and files of those companies, their service providers and Kaseya. Estimates put the affected companies at about 1,500.
“In 2022, we will see threat actors embed malicious software throughout the software supply chain,” Justin Fier, director of Cyber Intelligence & Analytics of the Cambridge, U.K.-based cybersecurity artificial intelligence (AI) firm Darktrace, wrote in a January 13 blog. He based that on Darktrace analysis of what it called early indicators of potential cyber attacks: its AI autonomously interrupted about 150,000 threats a week against the software supply chain sector last year. “We will likely see further supply chain attacks against software platforms and additional publicized vulnerabilities.”
Fier said increased attacks on software supply chains are likely “because more companies rely on third-party trusted suppliers to handle their data.”
Even as they hone more sophisticated tactics, Darktrace analysts said, hackers will continue to rely on an old, proven technique: email phishing, in which they send fraudulent emails to trick targets into revealing sensitive information. “Darktrace found that the most widely used attack method on the IT sector continues to be phishing,” Fier said, noting IT organizations faced an average of 600 unique email phishing campaigns a month in 2021, most of them containing no malicious link or attachment (the very features that used to trigger red flags).
This year Darktrace expects hackers will refine email attacks to “use ‘clean’ emails containing normal text, with messages carefully crafted to impersonate a trusted third party to induce recipients to reply and reveal sensitive information.” Email phishing is a common tactic in attacking rail networks as well.
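Because a “clean” impersonation email carries no link or attachment, scanning the payload finds nothing; the usable signals are identity mismatches in the headers and reply-bait wording in the text. The following triage script is an added example, not code from the article or from Darktrace. The trusted-partner domains, the bait phrases and both sample messages are constructed for the demonstration, and the similarity threshold used to spot lookalike domains is a deliberately crude stand-in for a proper confusable-character check.

```python
"""Header-centric triage of 'clean' impersonation phishing (added example)."""
from difflib import SequenceMatcher
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Assumed: suppliers the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"railparts-supplier.example", "signalvendor.example"}

# Phrases typical of reply-bait: the attacker wants a reply, not a click.
BAIT_PHRASES = ("bank details", "remittance", "wire transfer", "reply with",
                "confirm the new account")


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (close but not identical), else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None


def plain_text(msg: Message) -> str:
    """Concatenated, decoded text/plain parts of the message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_payload(msg: Message, text: str) -> bool:
    """True if the mail carries a URL or an attachment, i.e. something a scanner could inspect."""
    if "http://" in text or "https://" in text:
        return True
    return any(part.get_filename() for part in msg.walk())


def triage(raw: str) -> dict:
    """Score one RFC 5322 message (given as text) on header and wording signals."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    text = plain_text(msg)
    findings = []

    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")          # replies are diverted elsewhere
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"lookalike_domain:{imitated}")
    if "@" in display and domain_of(display) != from_dom:
        findings.append("display_name_spoof")         # an address shown in the name field
    if any(phrase in text.lower() for phrase in BAIT_PHRASES):
        findings.append("reply_bait")

    return {
        "from_domain": from_dom,
        "payload_free": not has_payload(msg, text),
        "findings": findings,
        "verdict": "suspicious" if len(findings) >= 2 else "clean",
    }


# Constructed sample messages: a lookalike-domain lure and a legitimate note.
PHISH = """\
From: "Railparts Accounts" <accounts@rai1parts-supplier.example>
Reply-To: railparts.accounts@webmail.example
To: payables@railroad.example
Subject: Updated details for invoice 2212
Content-Type: text/plain; charset="utf-8"

Hello,

Following our bank change, please reply with confirmation that you will use
the new account for the open invoice. We will send the details on your reply.

Regards,
Accounts
"""

LEGIT = """\
From: "Railparts Accounts" <accounts@railparts-supplier.example>
To: payables@railroad.example
Subject: Invoice 2212 received
Content-Type: text/plain; charset="utf-8"

Hello,

Thanks, we have received your purchase order and will ship the parts Monday.

Regards,
Accounts
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

The sample lure trips three of the four checks (diverted Reply-To, a digit-for-letter lookalike of a trusted domain, and reply-bait wording) while carrying nothing a link or attachment scanner could act on, which is the gap Darktrace describes; the legitimate message trips none. In production the domain list would come from the vendor master data, and a reply-to mismatch alone should be weighted lower, since some legitimate mailing systems set it.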
Rail is considered particularly vulnerable to cyber attacks because of its drive over the last decade or so to apply digital efficiencies to a range of operations, such as train tracking and speed monitoring, train control and other safety-critical systems, distributed dispatch and operations control, and train, track and yard management.
The segmented, analog operational technology of old has become in recent years a cyber-physical ecosystem, blending computerized units into legacy components, as operators sought to achieve greater safety and availability from their existing systems. Examples of this include:
• The use of GPS, cellular triangulation and other means of telemetry to track the location and speed of trains;
• Adoption of safety-critical and operations-critical systems such as positive train control (PTC), communications-based train control (CBTC) and automatic train supervision (ATS);
• Digitization of wayside equipment like signals, switches and interface switch equipment;
• Greater use of computerized on-board systems and cab displays for automation, industrial control systems, locomotive control, communications equipment, passenger comfort and environmental control;
• Applying distributed control of dispatch, operations control, maintenance activities, signaling, communications and control systems, and radio communications;
• Implementation of data-related systems and infrastructure for all OT and industrial automation and control system assets in use, and
• Fielding wireless networks to support asset tracking, personnel wearable safety devices, logistics tagging and monitoring, and passenger connectivity.
As in most industries, rail’s practices for segmenting, protecting and monitoring information technology systems and mitigating cyber attacks on them are well established and widely applied. Achieving the same for rolling stock and wayside infrastructure, which the industry’s digital transformation efforts have turned into diverse and distributed computer systems, poses a new and significant challenge.
“Unfortunately, from a digital perspective, we actually don’t know a lot often times about what’s going on on the rolling stock,” said Josh Lospinoso, CEO and co-founder of the operational technology cybersecurity company Shift5. The company in February raised $50 million in Series B funding, which it plans to use to increase investments in product and hardware development, and to expand its team this year.
Rail locomotives and cars have become “full-blown computer networks, with positive train control (PTC) systems communicating and radio-frequency protocols coming on and off,” Lospinoso said. Still, “we don’t know simple stuff like what software versions are running on the electronic control units on rolling stock and things of that nature.”
That situation presents a major challenge for the industry.
In December, the U.S. Transportation Security Administration (TSA) issued new directives and guidance requiring American rail operators to establish processes for identifying cybersecurity vulnerabilities in their operations and fleets, report cyber attacks on their systems, lay out plans for responding to such attacks and name the person in their organization responsible for those efforts. “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said U.S. Homeland Security Secretary Alejandro N. Mayorkas, who oversees TSA.
In February, the European Union Agency for Cybersecurity (ENISA) published guidance for railway operators on increasing their cyber resilience by segmenting their systems into zones and conduits, the segmentation model used by the IEC 62443 industrial security standards. It recommends that operators first identify all assets, essential processes and corporate-level risks, then partition the operation into zones and assess the cyber threats to each.
ENISA’s document builds on the CLC/TS 50701 technical specification for railway cybersecurity, issued in June 2021 by the European Committee for Electrotechnical Standardization, or CENELEC, an association of the national electrotechnical committees of 34 European countries that prepares voluntary standards to facilitate trade between countries, create new markets, cut compliance costs and support the development of a single European market. CENELEC called TS 50701 “a major landmark for the European railway sector”; it aims to provide requirements and recommendations for handling the cybersecurity of communications, signaling, processing, rolling stock and fixed installations in a unified way across the railway sector.
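Zoning is only as good as the check that enforces it: every asset must belong to exactly one zone, and traffic between zones may cross only a declared conduit. The script below is an added example, not code from ENISA or CLC/TS 50701, of auditing observed traffic against such a model; it also surfaces the inventory gap Lospinoso describes, since a flow involving an address that is in no zone is itself a finding. The asset inventory, conduit list and firewall-style log lines are constructed for the demonstration, and conduits are treated as directional.

```python
"""Zone-and-conduit audit of observed OT traffic (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed asset inventory: address -> zone. Anything absent is an unknown asset.
ASSET_ZONE: Dict[str, str] = {
    "10.1.0.10": "enterprise-it",
    "10.2.0.20": "dispatch-dmz",
    "10.3.0.30": "signalling",
    "10.3.0.31": "signalling",
    "10.4.0.40": "rolling-stock",
}

# Assumed conduits: (from_zone, to_zone, protocol, port) that are permitted.
# Enterprise IT reaches signalling only via the DMZ, never directly.
CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("enterprise-it", "dispatch-dmz", "tcp", 443),
    ("dispatch-dmz", "signalling", "tcp", 502),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def parse_flows(log: str) -> List[Flow]:
    """Parse constructed firewall-style lines of the form 'src=.. dst=.. proto=.. dport=..'."""
    flows = []
    for line in log.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append(Flow(fields["src"], fields["dst"],
                          fields["proto"].lower(), int(fields["dport"])))
    return flows


def check_flow(flow: Flow) -> str:
    """Classify one flow as 'intra-zone', 'conduit', 'unknown-asset' or 'violation'."""
    src_zone = ASSET_ZONE.get(flow.src)
    dst_zone = ASSET_ZONE.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"          # inventory gap: cannot be judged at all
    if src_zone == dst_zone:
        return "intra-zone"             # zoning says nothing about traffic inside a zone
    if (src_zone, dst_zone, flow.proto, flow.port) in CONDUITS:
        return "conduit"
    return "violation"                  # cross-zone traffic with no declared conduit


def audit(log: str) -> Dict[str, List[Flow]]:
    """Group every observed flow by its verdict."""
    report: Dict[str, List[Flow]] = {
        "intra-zone": [], "conduit": [], "unknown-asset": [], "violation": []}
    for flow in parse_flows(log):
        report[check_flow(flow)].append(flow)
    return report


# Constructed log: two legitimate conduit crossings, one intra-zone flow,
# a direct IT-to-signalling SSH session that bypasses the DMZ, and a
# rolling-stock unit talking to an address nobody has inventoried.
SAMPLE_LOG = """
src=10.1.0.10 dst=10.2.0.20 proto=tcp dport=443
src=10.2.0.20 dst=10.3.0.30 proto=tcp dport=502
src=10.3.0.30 dst=10.3.0.31 proto=tcp dport=502
src=10.1.0.10 dst=10.3.0.30 proto=tcp dport=22
src=10.4.0.40 dst=10.9.0.99 proto=udp dport=53
"""

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        for f in flows:
            print(f"{verdict:13} {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Run against the constructed log, the audit reports one violation (the direct SSH session from enterprise IT into the signalling zone) and one unknown asset (the rolling-stock flow to an uninventoried address). Because conduits are directional here, a return connection initiated from signalling back into the DMZ would also be a violation unless declared, which is the conservative default for a safety-critical zone.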
All those measures require rail operators to determine and track the cybersecurity status of their rolling stock, wayside infrastructure and other operational technology.
The TSA directives, which took effect Dec. 31, 2021, required rail operators by March 31, 2022 to complete a vulnerability assessment of both their information technology and their operational technology. “Most rail operators are pretty comfortable with how to do vulnerability assessments on IT. We’ve been doing that for decades,” Lospinoso said. “The idea that a cyber attack [on operational technology] is something that manufacturers need to be worrying about, that’s a new thing. So, this is pretty significant.”
Unlike IT components, much of the operational technology was not designed with cybersecurity principles in mind, he and others said.
As for the other TSA requirements, rail operators were to name their cybersecurity coordinators by Jan. 6, and their cybersecurity incident response plans are due to the TSA June 28. The directives also require cybersecurity incidents to be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. That requirement is separate from the Cyber Incident Reporting for Critical Infrastructure Act, which President Biden signed into law March 15 as part of a larger bill. That act sets a 72-hour limit for covered critical infrastructure operators, railroads included, to report cyber incidents to CISA, and 24 hours to report a ransom payment made after a cyber attack; those statutory deadlines take effect only once CISA completes the implementing rulemaking the act calls for.
The latest directives, guidance and legislation follow a steady string of cyber attacks on rail operations. In 2021 alone, at least eight rail attacks were reported, according to the global cybersecurity company BlackFog’s “The State of Ransomware in 2021” report. “With damages from cybercrime expected to hit $6 trillion this year (up from $3 trillion in 2015),” the report said, “we expect the number of ransomware attacks to increase and newer forms to become more sophisticated and disruptive.”
In January of that year, Colorado-based rail operator and logistics provider OmniTRAX was hit by a ransomware attack that targeted its corporate parent, Broe Group. Russia’s Conti gang reportedly was behind the attack.
On March 2, 2021, a ransomware gang posted to a leak site screenshots of internal CSX files that appeared to contain personal information about employees and retirees. In January CSX had taken file-transfer application software offline after its provider, Accellion (now known as Kiteworks), reported a vulnerability in the software. CSX said the incident had no impact on its business operations or its ability to serve customers. (On Jan. 12, 2022, Accellion agreed to pay $8.1 million to settle a class-action lawsuit related to the December 2020 data breach, according to a federal court filing in California.)
In April 2021, the U.K. rail network Merseyrail, which provides train service throughout the Liverpool area, confirmed that it had been the victim of a cyberattack after a ransomware gang used Merseyrail’s own internal email system to notify employees and journalists about the incident.
Also in April, New York’s Metropolitan Transportation Authority (MTA) was the target of a cyberattack, which it confirmed publicly in June. MTA officials maintained the intrusion posed no risk to employee or customer information and had no impact on train service. The MTA operates subway, commuter rail and bus services in the metropolitan New York area, as well as seven toll bridges and two tunnels, and is the largest public transit authority in the U.S. On April 20, CISA, the National Security Agency and the FBI issued a joint alert on an actively exploited “zero-day vulnerability” (a flaw for which no vendor fix was available when attackers began exploiting it, so that defenders had no chance to patch ahead of the attack). Three of 18 different systems within the MTA reportedly were affected.
On April 17, 2021, a group of hackers claimed to have stolen data from the Santa Clara Valley Transportation Authority (VTA) in San Jose, Calif., in an apparent ransomware attack that paralyzed agency computer systems for days. VTA officials initially said they believed they had contained the attack. But in an April 22 “dark web” post the hacker group said it had stolen 150 gigabytes of data and threatened to post it publicly.
In July 2021, the government-run Northern Rail network in the U.K. had 600-plus new touchscreen self-service ticket machines targeted by a ransomware attack. The machines had been installed at 420 stations across the north of England two months earlier. The company said no customer or payment data was compromised.
On July 9-10, 2021, computer systems at Iran’s transport and urbanization ministry went out of service because of a cyberattack, the official IRNA news agency reported. Iran’s railways also appeared to have come under cyberattack, with messages about alleged train delays or cancellations posted on display boards at stations across the country. Electronic tracking of trains across Iran reportedly failed.
On Oct. 29, 2021, the Toronto Transit Commission (TTC) suffered a cyberattack in which hackers gained access to information from about 25,000 past and present employees’ files. The attack also knocked out the TTC’s bus and streetcar maintenance management system, vehicle arrival information, online booking systems, and external network connectivity, including e-mail. The TTC said it did not experience a service disruption during the incident. The TTC provides public transit service for up to 1.7 million people each weekday in Toronto and surrounding municipalities.
Those attacks highlight the persistence of the cyber threat, said Rick Peters, chief information security officer, Operational Technology North America, for the cybersecurity solutions provider Fortinet.
“There’s no planting a flag and declaring success in this,” Peters said in a March 1 podcast. “It’s simply a daily pursuit of being a step ahead of or outmaneuvering your adversary.”