Security

How Railroads Mitigate Cyberthreats Against Their Networks

The convergence of information technology and operational technology creates security challenges.

Randy Barrett is a freelance writer and editor based in Washington, D.C. A large part of his portfolio career includes teaching banjo and fiddle as well as performing professionally.

What if hackers attacked a rail company 2,745,267 times in just six weeks?

This was the thought experiment conceived by Project Honeytrain, which was created in 2015 by European security experts to analyze how cybercriminals would gain access to a Potemkin railroad created wholly online.

The primary method of assault was millions of automated dictionary attacks, which work to break unknown passwords. Some hackers got inside and wrested control of the headlight system on a hypothetical locomotive. The top country originating the incursions? China.

Since Honeytrain, the threat landscape for real rail companies has only grown. In early November, many trains in Denmark ground to a halt for several hours. The shutdown was traced to a third-party IT vendor called Supeo, which had been hit with a ransomware attack.

And there can hardly be a more enticing target. With 140,000 miles of track, 28,000 locomotives and 100,000 bridges, the U.S. rail industry moves 1.7 billion tons of goods per year — about 40 percent of all American freight. Add to that figure 28 billion passenger kilometers traveled in 2019, and the U.S. rail system lies near the heart of the American economy.

“It is 100 percent old-school infrastructure,” says Charles Henderson, head of X-Force at IBM. “This is the thing that built America.”

Click the banner below to receive customized content by becoming an Insider.

How Are Railroads Required to Secure Their Systems?

In October, the U.S. Transportation Security Administration released the Rail Cybersecurity Mitigation Actions and Testing Directive.

“Recent and evolving intelligence emphasizes the growing sophistication of nefarious persons, organizations, and governments, highlights vulnerabilities, and intensifies the urgency of implementing the requirements of this Security Directive,” according to the TSA.

U.S. rail owners and operators must do the following:

Identify critical cyber systems.
Develop network segmentation policies and controls to ensure that operational technology systems can continue to operate safely in the event that IT systems are compromised.
Create control measures to secure and prevent unauthorized access to critical cyber systems.
Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
Reduce the risk of exploitation of vulnerable systems by applying security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
Establish a Cybersecurity Assessment Program and submit the plan annually to the TSA, describing how the rail carrier will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve vulnerabilities.

EXPLORE: How Texas is making use of intelligent transportation systems across the state.

“There is no higher priority for the rail industry than the safety and security of our national network,” said Ian Jefferies, president and CEO of the Association of American Railroads, in response to the TSA. “For more than two decades, the industry has been a leader at bringing the right people and information together to address evolving cyber threats. Collaboration between railroads and government partners on these issues has a long, productive history that will continue to maintain and advance the smart, effective solutions to keep our network safe and freight moving.”

In 1999, the industry created the Rail Information Security Committee, comprised of the CISOs and cybersecurity leads from each of the Class I railroads, Amtrak, Genesee & Wyoming, Via Rail and Railinc. The group’s objectives are to improve and maintain the overall information security of each railroad, share threat data, and coordinate incident response analysis and recommendations. For instances of physical sabotage, the Association of American Railroads provides the Railway Alert Network bulletin.

There is no higher priority for the rail industry than the safety and security of our national network.”

Ian Jefferies President and CEO, Association of American Railroads

Does OT-IT Convergence Create Cybersecurity Gaps?

Traditionally, information technology and operational technology lived separately within organizations. IT — networks, servers, workstations — is overseen by a CIO. OT is everything else.

In the case of a railroad, that includes locomotives, track signaling and switching, rail cars, cranes, and every actuator that makes the physical equipment operate. COOs have handled this area in the past, but the pressure is on railroads to meld IT and OT into an integrated whole.

LEARN MORE: How America’s cargo ports defend against cyberthreats.

With advances in technology, that’s getting easier, says Randy Mitzelfelt, head of business development in North America for RazorSecure. “More and more equipment on the OT side is getting digitalized, and there are a lot of telematics that railroads can glean from their equipment,” he says.

RazorSecure provides cybersecurity for locomotives, which are now operated with the help of onboard computers. “It’s a rolling network,” Mitzelfelt says. The 200-ton machines talk to the wayside signaling equipment directly. Rail companies “are aware of the OT challenge,” he adds. “They are working hard to educate themselves and look for viable solutions.”

IBM’s Henderson agrees: “We used to have OT-IT conversations, and they were not the same phone call. Now it’s the same call and the same strategy.”

Are Railroads Vulnerable to Ransomware?

Rail companies, like other pieces of American critical infrastructure, are more likely to pay hefty ransoms to hackers to avoid creating a national emergency, says Henderson.

“It’s no longer a game of isolation. It’s knowing about detection and response and sound planning. If you wait until they’re attacking the OT device, you’ve lost that game,” he adds.

To that end, many rail operators are now running red team exercises to test for IT and OT vulnerabilities and find gaps in detection, Henderson says.

REVIEW: How IoT is boosting efficiency and safety for transit agencies.

“We’re paying very close attention,” says Tim Coogan, director of cybersecurity for the Regional Transportation District in Denver, which operates the city’s light rail system. “So much comes back to basics: good cyber hygiene, inventory of assets and patching.”

The Regional Transportation District follows the National Institute of Standards and Technology’s Cybersecurity Framework and its five pillars: identify, protect, detect, respond and recover. Additionally, the American Public Transportation Association is about to release a model for protecting OT systems.

Coogan sees a strong partnership between the rail industry and the TSA and the Department of Homeland Security: “There’s a lot of collaboration that didn’t exist in the past. That’s really going to help as our critical infrastructure is under attack.”

Smederevac/Getty Images