Getting on track with rail cybersecurity

Author: Sunil Sharma 

At a glance

Transit agencies are, regrettably, regular targets and victims of cyber threats. In 2022 alone, there were at least four significant cyberattacks across the globe that crippled and disrupted public transit operations, including in Belarus, Italy, Iran and Denmark. These incidents affected the ability to operate train services and caused public disarray through the manipulation of passenger information and ticketing systems. These events highlight the continual material risk posed to rail infrastructure and operations by malicious threat actors. It has never been more important to focus on the effective implementation of cybersecurity processes, policies and controls to defend the integrity of operational rail systems.

Internationally, rail transportation is commonly considered critical infrastructure and is vital to the global economy. Accordingly, rail infrastructure is a prime target for cyberattacks, particularly in times of geopolitically motivated conflict, as demonstrated by major events that occurred in Iran in 2021 and Belarus in 2022, where operations were compromised, causing widespread delays and disruptions to rail services.

Rail infrastructure is at risk of:

  • Ransomware attacks
  • Cyber-physical threats that may result in safety hazards which may endanger people and property
  • Supply-chain disruption and compromise
  • Fraud and cybercrime
  • Vulnerabilities associated with the integration of operational technologies (OT) and Internet of Things (IoT)
  • Cyber-enabled disruption or manipulation of information that could discredit an organisation, or cause panic and operational disruptions.

Increasing passenger demands and expectations have led to further dependency on digital technologies and optimised systems. The transition to and modernisation of interconnected public information systems, real-time on-board CCTV, and mission-critical control systems are driving the convergence of OT and Information Technology (IT) at a significant rate.

Additionally, the increasing dependence on commercial-off-the-shelf (COTS) systems, products and Internet Protocol (IP)-enabled networks further expands the attack surfaces and threat landscapes that rail asset owners and operators must defend in order to minimise exploitation of the associated vulnerabilities.

Why is the rail sector at risk?

Rapid digitisation of rail systems and infrastructure has exacerbated the risks that malicious threat actors pose to value and supply chains. These actors, including state-sponsored groups, cybercriminal groups, hacktivists and insiders, seek to exploit the vulnerabilities introduced by the adoption of new technologies.

Rail management systems today often rely on a combination of legacy and modernised systems to deliver and manage services. This is further complicated by the long technology replacement lifecycles for OT systems, which are typically up to 15-20 years, resulting in the operation and maintenance of unsupported legacy infrastructure that has reached end-of-life. Rail transport operators and infrastructure maintainers are reliant on these legacy and modernised systems to ensure the performance and reliability, availability, maintainability and safety (RAMS) of rail services, in accordance with service level agreements.

Rail entities and their operations are also commonly siloed into separate organisational departments, namely design and engineering, operations and maintenance, which can cause issues in organisational communication and blur accountabilities as there is no dedicated function accountable for cybersecurity. 

The use of digital technology to control, monitor and communicate train movements and network conditions, including for real-time passenger information, has also led to significant advances in IT and OT system convergence and integration.

All these factors contribute to the expansion of cyber threat scenarios and potential risks by increasing the complexity of managing cybersecurity effectively. Put simply, these causal factors are prevalent and make rail an easy and attractive target for malicious threat actors.

In 2015, European security experts created “Project Honey Train” as a simulated subway control system to identify and analyse how cybercriminals would gain access to a railway created wholly online. In short, a model was developed of a fictitious, virtual rail transport control and operating system acting as a ‘honeypot’ to hackers, in order to evaluate the risk of cyberattack. Over a six-week period, there were 2.7 million unauthorised access attempts against the firewalls, CCTV and media servers. In several instances, hackers were successfully able to access the train control systems.

Whilst Project Honey Train is nearly a decade old, cyberattacks and incidents on rail networks continue to occur, proving that threat actors possess the necessary knowledge to effectively target and compromise critical infrastructure.

The challenge of rail cybersecurity

Managing cyber risks and implementing cyber secure practices for rail systems presents unique challenges, including:

  • Use of communications protocols without inherent security controls
  • Lack of visibility of connected assets within rail networks
  • Use of unsupported legacy systems and operational assets with long replacement lifecycles
  • Formal re-test and recertification of systems required after any change or update
  • Introduction of new IT protocols and products into OT environments
  • Siloed operations with no dedicated function accountable for cybersecurity 
  • Shortage of skilled professionals with knowledge and experience of OT cybersecurity principles and practices.

Cybersecurity protection is only as effective as the weakest link in the chain, and legacy systems and associated products were not inherently designed with security in mind. This often results in operational rail systems being implemented with a lack of defence-in-depth techniques, meaning security countermeasures are not applied in a layered or stepwise manner to prevent cyberattacks.

Additionally, adoption and implementation of rail cybersecurity governance, standards, practices and processes can typically be complex and challenging, primarily due to the absence of security operating models that outline how security functions operate within an organisation to help embed Security by Design. Embracing Security by Design as a core principle ensures that cybersecurity becomes an intrinsic part of the infrastructure’s DNA, fortifying critical systems against modern-day cyber adversaries and establishing a proactive defence posture that is more resilient and adaptable to emerging threats.

How to protect safety, reliability and people

C-suite executives must realise and understand the material impact of cyber risk. Cybersecurity is vital in the rail sector. Rail operators and infrastructure maintainers need to implement and improve strategies to mitigate risk posed to OT environments. Executive mandates and sponsorship are critical to drive accountability, governance and awareness across the industry.

Know the relevant security regulations and standards in order to adopt industry best practices and guidelines. ISA/IEC 62443 is the most referenced industrial security standard globally within the sector, whilst many other key resources also provide direction and requirements for the cybersecurity of railway applications, such as CLC/TS 50701 in Europe, and the Rail Industry Safety and Standards Board’s (RISSB’s) AS 7770 in Australia.

Embed cybersecurity into rail system lifecycles, making assets secure-by-design. Since most systems have been in operational service for a while, it is common practice to begin with a cybersecurity risk assessment to objectively evaluate cyber risk based on criticality of connected assets. Referring to the relevant standards and guidelines allows operators and asset owners to focus their protective efforts on critical systems and save on costs when implementing security controls.

Ensure employee training and awareness are key aspects of any cybersecurity strategy. Contrary to popular belief, cybersecurity is ultimately not exclusively a matter of technology. People and processes also play an important role in securing digital environments, and cybersecurity defences are only as good as the people who use and control them. A single click by an employee on a phishing email can lead to a devastating chain of events that compromises the integrity and availability of rail services. Processes should be designed and implemented to ensure that secure practices are followed and managed across the entire organisation, not just confined to technology departments and personnel.

Make cybersecurity a foundational expectation, just as safety has been embedded in rail culture over the years. This may seem daunting given the expanse of the rail networks and systems and the shortage of skilled employees in-house. External security expertise can help.

At GHD Digital, we have the skills and specialist knowledge within both OT/SCADA and IT cybersecurity domains, as well as specialised technology partners, to help organisations make the right strategic decisions to protect their critical infrastructure – embedding Security by Design. By applying our three-pronged approach to assess, protect and manage, we help organisations develop bespoke cyber risk strategies and operational models to defend against cyber threats. Connect with us today.