Author: Israel Baron, Director of Business Development, Cervello
Israel Baron is the Director of Business Development at Cervello, an Israeli railway cyber security company – providing revolutionary and proven solutions to secure railways against cyber attacks.
Israel is the former CISO of Israel Railways, bringing over 16 years of expertise in the cyber security domain with vast experience in the Israeli Ministry of Defence (IMOD) as a Senior Information Security & Technology Officer at the D.S.D.E (Directorate of Security of the Defence Establishment) – securing strategic national projects in the Israeli Defence Industries.
Do you feel a sense of awareness with regards to cybersecurity in your industry?
The rail industry is a traditional industry and I feel that cyber awareness is rising, but from my experience as an operator’s CISO it has still not reached the desired level. On the one hand we see various cybersecurity experts from different companies trying to tackle this issue, while on the other hand, the top-level management and executives among operators and OEMs have yet to take the necessary actions to change the reality with regards to these immediate threats.
They understand that while the industry is evolving and new railway technologies are adopted among many operators to enable better service, punctuality, productivity and efficiency, these trends expose the rail critical infrastructure to a new landscape of cyber threats.
Are there any specific cybersecurity requirements for rail & metro companies?
In short – yes. Rail & metro systems must have specific cybersecurity requirements in order to provide the resilience level needed for such critical systems and ensure public safety. The challenge is that for most of the organizations today it is unclear what their strategy should be, and in most cases these requirements are not included in the new tenders. If there are any, then they’re only related to the IT domain: anti-virus software, normal IDS systems and more. The operational critical systems are left with no cybersecurity demands or protection at all. As a result, systems on which a cyber attack can actually lead to loss of human lives are left completely defenceless, despite real-life threats, and this must change as soon as possible.
How and at what stage is cybersecurity embedded in the new rail projects?
From my experience, cybersecurity is typically embedded at early stages when dealing with standard railway applications and systems – such as IP networks, Passenger Information Systems (PIS), ticketing services, websites etc.
In general, when it comes to operational technology (OT) systems and networks, cybersecurity demands and requirements are usually implemented, if at all, at a very late stage – most of the time after the system/project is already running. This makes such changes genuinely difficult, because those same OT systems are commonly mission-critical systems in the railway domain. Implementing cybersecurity in them requires a long process of testing, deployment and integration methods, and validation – which leaves such systems completely exposed to cyber attacks in the meantime.
What do you see as the major cybersecurity threats for the railway industry?
I truly believe that the cyber threats to the railway domain are almost all types of cyber threats that are out there. These include, but are not limited to, government-sponsored actors, organized crime, hacktivists, insider threats, opportunists and internal user errors.
The 2015 project “Honey Train” used a simulated railway infrastructure to look like a real rail system to online attackers. In only 6 weeks the system recorded almost 3,000,000 attacks, which leads to the understanding that many attackers seek out railway systems and infrastructure targets.
Knowing this, in my view, different kinds of cybersecurity threats to the railway industry could cause any of the following:
- Disruption of normal traffic
- Human lives in danger
- Reputational damage
- Financial and sensitive information loss
What do you see as the most important national or international initiatives to enhance cybersecurity in the rail industry?
Internationally speaking, almost all railway infrastructures are changing and moving towards more digital, connected and intelligent systems. The European Horizon2020 is currently the biggest EU Research & Innovation program, with almost 80 billion Euros available for investments in different aspects of the railway industry, and with some major cyber projects such as the CYRAIL project, which received its funding from the Shift2Rail (under the Horizon2020) to address the topic “Threat detection and profile protection definition for cybersecurity assessment”.
At this point, I believe that this project (CYRAIL) is the most important and serious international project in the railway industry relating to cybersecurity.
From a cybersecurity perspective, what are the major differences between a traditional railway infrastructure and the next generation of fully connected and digital trains?
The new age of railway systems enables this fast-growing industry to provide new services and technologies to its customers, including onboard wi-fi, new and improved passenger information systems, advanced passenger entertainment systems, predictive maintenance capabilities, improved punctuality, increased capacity of trains and more.
Until recently, the operation of railway systems has been considered to be performed through closed networks, and this was the base assumption for their safety. This new age of systems is becoming more and more centralized and integrated, hence the assumption that they operate through closed networks with no external threats is no longer sustainable.
At the same time, railway signalling systems have become more and more IT based in a way that is not only using dedicated computers and hardware, but instead uses ordinary computers and COTS (commercial off the shelf) components, which are much more vulnerable to cyber threats. In addition, we see the increased use of network control and automation systems that can be accessed remotely via public and private networks.
All these changes and trends in the railway industry create a new landscape of cross-system internal and external cyber threats.
Do you believe that railway signalling should be cyber protected with a dedicated railway solution, or will any cyber IDS (Intrusion Detection System) do?
From my experience as the former CISO of Israel Railways, and after deeply looking and drilling down into several “regular” IDS solutions, I’m convinced that the only way to cyber protect railway signalling systems is to use rail specific technologies developed by cyber experts with rail experience and best practices, and this is exactly what we offer at Cervello.
This understanding is due to the following:
- Signalling systems use proprietary protocols.
- In order to really defend signalling systems, an IDS should be aware of how a railway operator’s network actually works.
- A rail IDS should use and utilize data from other railway-specific systems, such as Train Management Systems and more.
- Standard IDS solutions are based on a learning process, meaning they will give results only at the end of this process, and they rely on this phase. An IDS for critical rail systems should be able to produce cyber insights from day one.
- Standard IDS solutions assume that at the starting point (time of installation) the system is “clean” or cyber-clear.
The IDS offered in the market today are dedicated to IT systems or generic OT systems. The rail signalling system has a complicated architecture and combines both IT & OT environments. Moreover, the signalling system is a system of systems and includes P2P communication, requiring a deep understanding of railway operational networks. If a railway operator has to deal with too many changes and delays on a daily basis or with a solution that is hard to deploy and integrate, then it is completely useless. The state of mind should be providing peace of mind and embracing a plug & play methodology for this conservative domain.
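To illustrate the last two points of the list above (the learning phase and the "clean at installation" assumption), here is an added Python example that is not code from the interview or from Cervello. It contrasts a generic baseline-learning detector with an allowlist built from operator knowledge of the network; all node names, message types and traffic records are constructed for the example.

```python
# Added example (constructed data, not from the interview or any vendor):
# a generic anomaly IDS that learns "normal" from an observation window versus
# an allowlist derived from the operator's knowledge of who may talk to whom.
from collections import Counter

# Constructed flow records: (source node, destination node, message type).
# The rogue workstation is already sending point commands during the learning
# window, i.e. the network is NOT clean at the time of installation.
LEARNING_WINDOW = [
    ("ctc-01", "ixl-north", "route_request"),
    ("ixl-north", "ctc-01", "route_ack"),
    ("ctc-01", "ixl-south", "route_request"),
    ("rogue-ws", "ixl-north", "point_command"),   # attacker present from day one
] * 5

# Constructed traffic after the learning phase has ended.
OPERATIONAL_TRAFFIC = [
    ("ctc-01", "ixl-north", "route_request"),
    ("rogue-ws", "ixl-north", "point_command"),   # learned as "normal" above
    ("rogue-ws", "ixl-south", "point_command"),   # new flow, never seen before
]

# Constructed operator knowledge: the only flows the signalling design permits.
OPERATOR_ALLOWLIST = {
    ("ctc-01", "ixl-north", "route_request"),
    ("ctc-01", "ixl-south", "route_request"),
    ("ixl-north", "ctc-01", "route_ack"),
    ("ixl-south", "ctc-01", "route_ack"),
}

def learned_baseline(window, min_count=3):
    """Generic anomaly IDS: any flow seen at least min_count times while
    learning becomes part of the 'normal' set, attacker traffic included."""
    counts = Counter(window)
    return {flow for flow, n in counts.items() if n >= min_count}

def detect(traffic, normal):
    """Return the flows in traffic that are outside the given 'normal' set."""
    return [flow for flow in traffic if flow not in normal]

def compare(learning, traffic, allowlist):
    """Alerts from the learned baseline versus alerts from the operator allowlist."""
    generic_alerts = detect(traffic, learned_baseline(learning))
    rail_aware_alerts = detect(traffic, allowlist)
    return generic_alerts, rail_aware_alerts

if __name__ == "__main__":
    generic, rail_aware = compare(LEARNING_WINDOW, OPERATIONAL_TRAFFIC, OPERATOR_ALLOWLIST)
    print("generic IDS alerts:   ", generic)      # misses the pre-existing rogue flow
    print("allowlist IDS alerts: ", rail_aware)   # flags both rogue flows from day one
```

The generic detector never alerts on the rogue flow that was present during learning, while the allowlist flags it immediately and produces no alerts at all for the legitimate flows.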