Rail and Metro Cybersecurity - The First Global Cybersecurity Observatory

Rail and Metro Cybersecurity

Freight, regional, short line, inter-city, commuter, subway, light and high-speed passenger rail systems are all facing the same challenges affecting the whole transportation industry. These challenges are generally related to transportation systems being increasingly reliant on information and communications technology (ICT) for more efficient operation at a lower cost.

Moreover, the referred-to increased connectivity and higher digitalization is coupled with a quickly evolving and very sophisticated threat landscape.

Let’s be clear, the cyber criminals have at their disposal enhanced tools to wreak havoc in the industry while transportation systems, and in this case the railway network, are continuously increasing their attack surface.

While the importance of cybersecurity in railway systems has become increasingly recognized, the exact roadmap to ensuring it is still largely an open problem.

Zones and components of a typical railway system

A successful Defense-in-Depth approach requires segmenting the rail systems into clearly differentiated zones based on specific security requirements. Based on the Department of Homeland Security (DHS) recommended practice to define a security architecture with the end goal of protecting critical zones, we can clearly identify:

The External Zone

It includes internet-accessible services, remote operations and facilities and remote business partners and vendors. The major characteristic is that it is not trusted.

Enterprise or Corporate Zone

The Corporate zone includes

At the Operations Control Center (OCC):

Access Control System
Advertising
Business systems
Fare sales and collection systems
VPN, e-mail servers, web servers, infrastructure servers, central authentication services, etc.
Credit card processing

At the Train Station or the Station Equipment Room:

Access Control / Intrusion Detection
Advertising
Fare Sales / Collection
Passenger Information System
CCTV

Operationally Critical Security Zone

We will find within this zone all those systems that might seriously impact the operations if attacked by cyber criminals. Systems included in this zone:

Dispatch / ATS
Non-Emergency Voice Communications
SCADA
Traction Power
PA System – Passenger Information Display
Vertical Lift Devices
Tunnel Pumping and Draining
Traffic Controller Interface
Train stations and trackside equipment

Fire / Life-Safety Zone (FLSZ)

This zone contains any system whose primary function is to warn, protect or inform in an emergency, including:

Emergency management panel
Emergency ventilation systems
Fire detection and suppression systems
Gas detection systems
Seismic Detection

Safety Critical Security Zone (SCSZ)

The SCSZ contains any system that if attacked by criminals and modified, would cause an immediate threat to life or safety, for instance, a collision or derailment of a train.

Systems included in this zone:

Vital Signalling, Automatic Train Protection (ATP)
Vital Communications Based Train Control (CBTC)
Platform Gate Control
Crossing Gates

Existing threats to rail systems

Rail systems have been in operation for more than 100 years, dealing with a vast array of issues and threats with an excellent record of safety, on-time performance and reliability. The challenge today is to add cybersecurity awareness and cyber defense measures to the rail industry culture in the same manner that safety has been added to the culture of manufacturing and transportation.

This will reduce the risks to rail and metro companies and their supplier base from cybersecurity incidents and possible liability should an incident take place.

Just to put the existing threats to rail infrastructure into perspective, it is interesting to discuss the Project Honeytrain initiative.

Project Honeytrain was set up to learn how attacks on rail systems could be performed and also to gather information regarding the existing cyber criminal community. A virtual rail infrastructure was created reproducing real rail system.

During its first six weeks, 2,745,267 attacks were identified with major focus on the media server and firewall components. While most of the attacks were not sophisticated and leverage automation and existing easily available tools, in a few cases attackers managed to get access to the configuration of industrial components and in one case to the signalling, which as mentioned before is safety critical. This attacker showed deep knowledge of SCADA systems used in the rail infrastructure.

The Characteristics of railway infrastructure make them targets for cyber attacks due to the following :

Increased connectivity within the Digital Train
High degree of integration between IT and Operational Technology (OT)
Distributed architecture
Long lifecycles for equipment and certification processes. Once a component of the system is certified, it might be obsolete from a cybersecurity perspective in particular, considering the quickly evolving threat landscape.
Diversity of supply chain and technology
Traditionally the rail business has been very safety-orientated and there is a difficulty integrating both worlds, cybersecurity and safety.

Figure 1: Key challenges to secure the railway infrastructure

Range of potential attackers

The main threat to railway systems does not come from the so-called script-kiddies but from four different groups of perpetrators in two categories:

1.- Cyber criminals with financial motivation who try to extort money, with ransomware being the main tool. This has become a business model with different types of malware being developed and either sold or rented on the Dark Web.

2.-Criminals who are determined to disrupt or damage operations with other than economic motivations, like:

Terrorists and politically-motivated groups
Nation States
Insiders like disgruntled or terminated employees with access to the systems

International initiatives

We find very interesting initiatives at the international level. The European Union’s Horizon 2020 programme Shift2Rail is currently funding the CYRail Project, which was selected by the European Commission to enhance cybersecurity in the rail industry.

The goal of the CYRail project is to conduct an analysis of threats targeting railway infrastructures as well as the definition of innovative attack detection and alerting techniques. Mitigation plans and countermeasures will also be defined and finally, protection profiles for railway control and signalling applications will be delivered to ensure security by design of new railway infrastructures.

In the US, the NIST published a paper in 2016 covering the “Performance Evaluation of Secure Industrial Control System Design: A Railway Control System Case Study”. The paper is available here.

In the UK, the Department for Transport has issued a guidance document designed to support the rail industry in reducing its vulnerability to cyber attacks. It is a high-level document and sets out the principles and general approach to cyber security, as good practice. It is available here.

Key takeaways

As rail systems go through a modernization process, we need people who understand both the railway business, IT, OT and how cybersecurity needs to be integrated in all those worlds.

Moreover, cybersecurity needs to be integrated at the beginning of any project and security strategies need to be able to evolve alongside the threats they are intended to mitigate. We need to guarantee security by design and to assure that this security level is kept over time.

Finally, consistent governance, risk management strategies and compliance monitoring need to be implemented in order to maintain a reasonable maturity level of cybersecurity in our rail systems and infrastructures.