Whether for passenger travel or freight transport, railroads are one of the most widely used modes of transportation. They are considered “critical infrastructure” and are vital for both public services and a nation’s economy. Any disruption in their services would understandably have a significant impact on other critical infrastructures, international and domestic trade, supply chain services and public safety.
Like all other industries, the rail industry is undergoing rapid digital transformation. Many new digital technologies are being introduced to increase efficiency and optimize customer service. However, with increased digitalization and system interconnectedness comes a heightened risk of cyberattacks. According to the Cylus 2022 report, cyber-attacks against rail systems have increased by 220% over the last five years, resulting in billions of dollars in estimated losses.
In January 2022, amidst the Russia-Ukraine war crisis, the national railway network of Belarus was infected with ransomware by politically-motivated hacktivists, encrypting the data on its servers and databases, disrupting train services in several cities.
In March 2022, Italy’s national railway company suffered a ransomware attack on its IT systems, which halted ticket sales at railway stations and led to the suspension of passenger train services and freight transport, causing major delays.
In November 2022, a ransomware attack hit Denmark’s Supeo, an IT subcontractor company of Denmark State Railways (DSB), bringing the country’s giant train network to a standstill. As Supeo’s software testing environment had been compromised, DSB was forced to stop operations for several hours to keep passengers safe.
Rapid technological advancements, high-scale IoT adoption, the expansive nature of the rail infrastructure, and the diverse supply chain ecosystem have expanded the threat landscape dramatically. A successful attack on a rail control system or any systems connected to it can have serious consequences, resulting in human casualties, disruption in freight transport, loss of private information, infrastructure damage, and severe financial losses.
In response to the growing concerns around cyber threats in the rail industry, there is now a greater push across North America and Europe to implement more robust and adequate security controls in rail systems and stay on top of emerging threats.
In October 2022, the Transportation Security Administration (TSA) released a security directive outlining critical steps for rail operators towards tightening cybersecurity and protecting critical U.S. transportation infrastructure from attacks. The European Union Agency for Cybersecurity (ENISA) also issued guidance for railway systems in February 2022, requiring rail operators to build cybersecurity zones and conduits for railway systems.
What Makes the Rail Network Vulnerable to Cyberattacks?
- Use of Legacy Operational Systems Prone to Vulnerabilities: The rail industry widely uses proprietary, off-the-shelf components with lifespans as long as 20 or 30 years. These systems often have inadequate security controls and are prone to common vulnerabilities, requiring periodic patching and software updates. However, considering “availability” is a top priority in the rail system, organizations often overlook these upgrades and use components with obsolete software or firmware that pose a serious threat to security.
- Vulnerable Connections Between Rail Safety-Critical Systems and Support Systems: Rail operations require connectivity between systems with varying safety levels. For example, passenger Wi-Fi systems in locomotives are connected to communication systems, which are, in turn, connected to signal control systems and Automatic Train Protection (ATP) systems on the wayside that control train location, movement, and speed. As these systems are built to operate independently, their interoperability with other systems gives rise to security gaps that expose the network to cyberattacks.
- Insecure Communication Channels: The train-to-ground communication for train movement control is based on WLAN technology. The WLAN technology often uses old and outdated encryption standards for communication, exposing the network to man-in-the-middle attacks and allowing attackers to inject malicious commands, leading to train derailment and collisions.
- Growing Number of Connected, Unsecured IoT Devices: IoT components are increasingly used in signaling systems and other wayside machines to harvest real-time data for accurate, data-driven decision-making. But, these connected devices often lack adequate security. Most of these devices are not authenticated for network access. They also use unencrypted connections for communication and run on outdated software versions. Together, these factors leave them exposed for attackers to infiltrate other critical systems.
- Rail Workforce Threat: Lack of cybersecurity awareness among rail employees also creates security weak links. Most rail OT system operators are neither aware of the threat vectors nor trained in cybersecurity practices. As “availability” is a top priority, rail operators always put the continuous operation of systems above the integrity and confidentiality of data, increasing the risk of security breaches.
Considerations for Shoring Up Rail Cybersecurity
As the rail industry continues to modernize digital operations, IT and OT systems are becoming increasingly interconnected and interoperable, creating several access points and vulnerabilities. To defend this complex cyber-physical ecosystem against potential threats, rail operators and vendors need to choose security approaches that are adaptive and responsive and can help them stay ahead of evolving cybersecurity threats.
Here are some of the cybersecurity best practices that rail operators can implement:
- Asset Discovery, Inventory, and Visibility: Given the complex and widely distributed nature of the rail industry, organizations need to start with inventorying assets to gain visibility, ascertain the software or firmware versions of the components, and understand how the assets are interconnected. Complete visibility of assets and the operational environment helps continuously monitor assets, detect vulnerabilities, and respond to threats quickly. It also helps assess risk levels and eliminate rogue components that can compromise security.
- Strong Authentication for Secure Network Access: Adopting zero trust and identity-based security approaches enables effective access control and safeguards the interconnected OT and IT environments from unauthorized access. Every asset in the rail architecture can be secured with a unique digital identity (a PKI certificate) to authenticate it every time it requests network access. Verifying identities ensures that only authorized entities are permitted network access regardless of their location. As the rail industry involves a massive supply chain of vendors, contractors, and integrators, organizations must also define strict security policies and implement role-based access control to provide conditional access and minimize third-party security risks.
- End-to-End Encryption for Communication Networks: To secure the communication network that connects onboard, wayside, station, and back-end control systems, organizations must use strong encryption algorithms and protocols approved by the National Institute of Standards and Technology (NIST) or a similarly recognized standards body. Using the latest encryption standards enables secure machine-to-machine communications and protects the integrity and confidentiality of data.
- Timely Security Patches and Updates: Considering the rail industry relies on legacy equipment running on outdated security, it is essential to regularly review the assets, patch them, and update their operating systems, applications, drivers, and firmware. Regular security patches and updates help shield assets and address vulnerabilities while maximizing their availability and efficiency.
- Hardening IoT Security: When it comes to IoT security, organizations must provision unique digital identities to IoT devices right at the manufacturing stage to prevent device tampering. IoT devices must be authenticated all at stages between manufacturing and installation. All devices must use end-to-end encryption to ensure secure data transfer. Organizations should also practice code signing and firmware signing to enhance software and application security. Appropriate security policies and conditional access must be enforced to ensure all devices are running the latest, most secure software versions and are compliant with industry standards.
- Regular Workforce Cybersecurity Training: Apart from implementing strong security controls, organizations must also pay special attention to training rail employees on practicing cybersecurity hygiene. Awareness programs on ransomware attacks and social engineering threats can help employees identify red flags and steer clear of them. Bridging the knowledge gap between IT and OT cybersecurity among the workforce plays a critical role in defending converged IT-OT environments.
Shape the Future of Mobility with Secure Digital Transformation
Modernization and the rise of connectivity in the rail sector are making trains and systems more efficient, convenient, and safe. Nevertheless, the full benefit of this technological revolution can only be realized when the rail infrastructure is also cyber-secure. To achieve this, rail operators must look to integrate cybersecurity into every aspect of rail operation and focus on building cyber-resilience.
If this spurs you to action, check out AppViewX CERT+ and AppViewX PKI+ – application identity management solutions that enable automated enterprise-wide certificate-based identity provisioning, lifecycle management and crypto policy creation and enforcement. CERT+ and PKI+ are purpose-built to help organizations ensure strong authentication, encrypted data communication, and secure internet transactions – providing the foundation for zero trust.
Need more information? Talk to one of our experts today!