Rail & Metro Cybersecurity: Where is the Industry Now?
Freight, regional, short-line, inter-city, commuter, subway, light-rail and high-speed passenger rail systems all face the same challenges as the rest of the transportation industry. These challenges stem from transportation systems becoming increasingly reliant on information and communications technology (ICT) to operate more efficiently at lower cost.
Moreover, this increased connectivity and digitalization is coupled with a quickly evolving and highly sophisticated threat landscape.
Let's be clear: attackers have ever more capable tools at their disposal, while transportation systems, and in this case the railway network, keep expanding their attack surface.
While the importance of cybersecurity in railway systems has become increasingly recognized, the exact roadmap to ensuring it is still largely an open problem.
Zones and components of a typical railway system
A successful Defense-in-Depth approach requires segmenting the rail systems into clearly differentiated zones, each with its own security requirements, and controlling the traffic allowed to cross from one zone to the next. Following the Department of Homeland Security (DHS) recommended practice, which defines a security architecture whose end goal is protecting the most critical zones, we can identify the following zones:
The External Zone
It includes internet-accessible services, remote operations and facilities, and remote business partners and vendors. Its defining characteristic is that nothing in it is trusted.
Enterprise or Corporate Zone
The Corporate zone includes:
At the Operations Control Center (OCC):
- Access Control System
- Business systems
- Fare sales and collection systems
- VPN, e-mail servers, web servers, infrastructure servers, central authentication services, etc.
- Credit card processing
At the Train Station or the Station Equipment Room:
- Access Control / Intrusion Detection
- Fare Sales / Collection
- Passenger Information System
Operationally Critical Security Zone
This zone contains all the systems whose compromise would seriously disrupt operations, without directly endangering life. Systems included in this zone:
- Dispatch / ATS
- Non-Emergency Voice Communications
- Traction Power
- PA System – Passenger Information Display
- Vertical Lift Devices
- Tunnel Pumping and Draining
- Traffic Controller Interface
- Train stations and trackside equipment
Fire / Life-Safety Zone (FLSZ)
This zone contains any system whose primary function is to warn, protect or inform in an emergency, including:
- Emergency management panel
- Emergency ventilation systems
- Fire detection and suppression systems
- Gas detection systems
- Seismic Detection
Safety Critical Security Zone (SCSZ)
The SCSZ contains any system that, if attacked and modified, would pose an immediate threat to life or safety, for instance by causing a collision or derailment of a train.
Systems included in this zone:
- Vital Signalling, Automatic Train Protection (ATP)
- Vital Communications Based Train Control (CBTC)
- Platform Gate Control
- Crossing Gates
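The point of the zones above is that traffic between them is controlled: a flow should cross one trust boundary at a time, nothing from the External zone should reach a safety-related zone, and anything inbound toward a more trusted zone should be on an explicit allowlist. The following Python script is an added example, not part of the original article or of the DHS recommended practice. It encodes the five zones named above as a trust ranking and audits a constructed set of firewall rules against those three checks. The ranking, the rule format, the allowlisted services and the sample rules are all assumptions made for illustration.

```python
"""Audit proposed zone-to-zone flows against a Defense-in-Depth zone model.

Added example. Zone names follow the article; the trust ranking, the rule
format, the inbound allowlist and the sample rules are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Zones ordered from least to most trusted (assumed ranking).
ZONES = ["External", "Corporate", "OperationallyCritical",
         "FireLifeSafety", "SafetyCritical"]
RANK = {zone: i for i, zone in enumerate(ZONES)}

# Assumed allowlist of services that may be initiated INTO a zone from the
# adjacent less-trusted zone. Safety zones accept nothing inbound by default.
INBOUND_ALLOW: dict[str, set[tuple[str, int]]] = {
    "Corporate": {("tcp", 443), ("udp", 1194)},   # web portal, VPN concentrator
    "OperationallyCritical": {("tcp", 443)},       # e.g. ATS client via jump host
    "FireLifeSafety": set(),
    "SafetyCritical": set(),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def check_flow(f: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means acceptable."""
    for zone in (f.src, f.dst):
        if zone not in RANK:
            return [f"unknown zone '{zone}'"]
    if f.src == f.dst:
        return []                       # intra-zone traffic is out of scope here

    findings: list[str] = []
    lo, hi = sorted((RANK[f.src], RANK[f.dst]))
    hop = RANK[f.dst] - RANK[f.src]     # positive = inbound toward higher trust

    # 1. One boundary at a time: skipped zones must mediate (DMZ / jump host).
    if hi - lo > 1:
        skipped = ", ".join(ZONES[lo + 1:hi])
        findings.append(f"{f.src} -> {f.dst} skips zone(s) {skipped}; "
                        "flow must be mediated there")

    # 2. Untrusted traffic terminates in the Corporate zone at most.
    if f.src == "External" and RANK[f.dst] > RANK["Corporate"]:
        findings.append("External traffic may only terminate in Corporate")

    # 3. Inbound flows toward higher trust must be explicitly allowlisted.
    if hop > 0 and (f.proto, f.port) not in INBOUND_ALLOW.get(f.dst, set()):
        findings.append(f"inbound {f.proto}/{f.port} into {f.dst} not on allowlist")
    return findings


def parse_rules(text: str) -> list[Flow]:
    """Parse 'src,dst,proto,port' lines; blank lines and '#' comments ignored."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = (x.strip() for x in line.split(","))
        flows.append(Flow(src, dst, proto.lower(), int(port)))
    return flows


def audit(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map each flow that has findings to its list of findings."""
    return {f: r for f in flows if (r := check_flow(f))}


# Constructed sample rule set (not from any real deployment).
SAMPLE_RULES = """
# src, dst, proto, port
External, Corporate, tcp, 443
External, SafetyCritical, tcp, 502
Corporate, OperationallyCritical, tcp, 443
Corporate, SafetyCritical, tcp, 22
OperationallyCritical, Corporate, udp, 514
FireLifeSafety, SafetyCritical, tcp, 102
"""

if __name__ == "__main__":
    for flow, findings in audit(parse_rules(SAMPLE_RULES)).items():
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
        for item in findings:
            print(f"    - {item}")
```

Run as-is, the script flags the External-to-signalling rule three times (zone skipping, External past Corporate, and non-allowlisted inbound), the Corporate-to-SCSZ SSH rule twice, and the FLSZ-to-SCSZ flow once, while the two adjacent-zone rules and the outbound syslog export pass. In practice the same check is worth running against exported firewall rule sets before each change window.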
Existing threats to rail systems
Rail systems have been in operation for more than 100 years, dealing with a vast array of issues and threats with an excellent record of safety, on-time performance and reliability. The challenge today is to add cybersecurity awareness and cyber defense measures to the rail industry culture in the same manner that safety has been added to the culture of manufacturing and transportation.
This will reduce the risks to rail and metro companies and their supplier base from cybersecurity incidents and possible liability should an incident take place.
To put the existing threats to rail infrastructure into perspective, it is worth discussing the Project Honeytrain initiative.
Project Honeytrain, a honeypot run by Sophos and Koramis, was set up to learn how attacks on rail systems could be carried out and to gather information about the attackers behind them. A virtual rail infrastructure was created that reproduced a real rail system.
During its first six weeks, 2,745,267 attacks were identified, focused mainly on the media server and firewall components. Most of the attacks were unsophisticated and relied on automation and freely available tools, but in a few cases attackers managed to reach the configuration of industrial components, and in one case the signalling, which as noted above is safety critical. That attacker showed deep knowledge of the SCADA systems used in rail infrastructure.
The characteristics of railway infrastructure make it a target for cyber attacks for the following reasons:
- Increased connectivity within the Digital Train
- High degree of integration between IT and Operational Technology (OT)
- Distributed architecture
- Long lifecycles for equipment and certification processes. Once a component is certified, changing it means recertifying it, so it may be obsolete from a cybersecurity perspective long before it is replaced, particularly given the quickly evolving threat landscape.
- Diversity of supply chain and technology
- The rail business has traditionally been very safety-oriented, and integrating the two worlds, cybersecurity and safety, is difficult.
Range of potential attackers
The main threat to railway systems does not come from so-called script kiddies but from four groups of perpetrators in two categories:
1. Financially motivated cyber criminals who try to extort money, with ransomware as the main tool. This has become a business model, with different types of malware being developed and either sold or rented on the Dark Web.
2. Attackers determined to disrupt or damage operations for other than economic motives, such as:
- Terrorists and politically-motivated groups
- Nation States
- Insiders like disgruntled or terminated employees with access to the systems
We find very interesting initiatives at the international level. The European Union’s Horizon 2020 programme Shift2Rail is currently funding the CYRail Project, which was selected by the European Commission to enhance cybersecurity in the rail industry.
The goal of the CYRail project is to conduct an analysis of threats targeting railway infrastructures as well as the definition of innovative attack detection and alerting techniques. Mitigation plans and countermeasures will also be defined and finally, protection profiles for railway control and signalling applications will be delivered to ensure security by design of new railway infrastructures.
In the UK, the Department for Transport has issued a guidance document designed to support the rail industry in reducing its vulnerability to cyber attacks. It is a high-level document that sets out the principles and general approach to cyber security as good practice.
As rail systems go through modernization, we need people who understand the railway business, IT and OT, and how cybersecurity must be integrated across all three.
Moreover, cybersecurity needs to be integrated at the beginning of any project and security strategies need to be able to evolve alongside the threats they are intended to mitigate. We need to guarantee security by design and to assure that this security level is kept over time.
Finally, consistent governance, risk management strategies and compliance monitoring need to be implemented in order to maintain a reasonable maturity level of cybersecurity in our rail systems and infrastructures.