Defending Railway Signalling Systems Against Cyber Attacks

November 3, 2019 | Israel Baron

In this article, I will try to share some of my thoughts and insights about developing fit-for-purpose, railway-specific cyber security solutions that can eliminate or minimize the cyber threat in signaling systems, and why this is the time to act.

This was my second year in a row speaking at the 4th annual Rail Cyber Security Summit - last year as the CISO of Israel Railways, and this year as the Director of Business Development at Cervello, which took part this year as a co-sponsor of the Summit alongside Siemens. I was very impressed to see that most of the major railway manufacturers and operators decided to send high-level management representatives. We had the opportunity to meet new and existing colleagues, share knowledge and present our solution to protect railways against cyber attacks.

As one of the speakers at the event, I decided that this year I would not talk only about technology and solutions, but rather share my feeling that the time has come to take real action to protect critical rail systems against cyber attacks.

Railway infrastructure is changing and evolving into an all-new, connected era.

New computerized, connected, collaborative and intelligent systems are being integrated deep inside this unique industry, enabling it to be much more advanced in fields such as predictive maintenance, customer service and punctuality. As a result, they create more opportunities for cyber-criminals and terrorists to attack such critical systems.

With billions of passenger-kilometers per year, the railway industry is one of the major assets in any country’s transportation system across the globe. Until recently, this industry was considered safe from cyber threats because it relied on proprietary, segregated networks, with very specific commands and protocols for the signaling systems and networks.

This assumption no longer holds, for the following reasons:

  1. Railway signaling systems have become more IT-based - providing functionality that relies not only on dedicated computers and hardware but also on ordinary computers and COTS (commercial off-the-shelf) components that are much more vulnerable to cyber threats.
  2. There is increased use of network control and automation systems that can be accessed remotely via public and private networks.
  3. Deployment of ETCS, the control component of the European Rail Traffic Management System (ERTMS), which uses GSM-R links to transfer lineside data to the cab/locomotive as part of automatic train operation.

Over the years, I’ve been to many cyber security events for the rail domain, both as a speaker and as an attendee. I’ve heard and participated in professional panels, read countless articles and posts, and even written some of my own. But lately, I have the feeling that we need to do more, that I should do more. Most of the people we know and care about use trains every single day - our friends, our colleagues and our families.

I can’t let go of the thought that with every day that goes by without anyone handling this important issue, catastrophic incidents due to a cyber attack become more likely, and this makes me extremely worried.

It’s a known fact at this point in time that most railway operators mainly tackle their IT environments, while the signaling systems are left without any cyber detection capabilities at all - meaning they are a complete blind spot. I have no doubt that in order to defend those critical systems we must first eliminate this blind spot.

To do so, as Israel Railways’ CISO, I examined many cyber solutions that were designed to monitor standard IT systems and OT networks. Unfortunately, none of them was fit to monitor the rail signaling systems and produce the desired cyber insights and alerts on attacks when, and before, they occur. This led me to the conclusion that to properly protect rail signaling systems, railway-specific systems should be developed.

After long and extensive research, I have no doubt that only solutions with the characteristics listed below will have a chance of being adopted or tested in this traditional, unique industry, in order to make the necessary change to face the upcoming threats.

  1. Railway specific technology
  2. Seamless integration & deployment
  3. Minimum false-positives
  4. Non-intrusive

Furthermore, because of the special characteristics of this industry, integrating cyber defense solutions requires a step-by-step approach that should include the following steps before going live:

  1. Cyber survey - map the operator's critical assets to be protected
  2. Learning process - understand the operator’s critical network and special characteristics
  3. Offline POC (Proof of Concept) - an offline installation of the cyber defense solution and the use of recorded data from the operator's network
  4. Connection to a test environment - a live unidirectional connection to the operator’s test environment or lab equipment/resources
  5. Connection to a production environment - in a unidirectional way (the usage of diodes can be evaluated)
  6. SIEM - an optional step, as some operators could ask to integrate the signaling cyber security solution in their existing SIEM/SOC

As shown, developing and integrating cyber security solutions for the railway industry is a challenging task, but it is nevertheless a possible and important one. One of the first things I’ve learned during my time as a CISO is that we are not only responsible for protecting systems and technologies - we are also responsible for public safety!

This is why at Cervello we have set our mission to protect global railway operations and passengers by offering a solution that secures all connected rail & metro signaling systems against cyber attacks. With a team that brings decades of experience in cybersecurity and the rail industry, our unique technology and security services support international standards and protocols to provide the most complete, accurate, effective and safe cyber defense solutions. Furthermore, we work closely with OEMs and operators to ensure cyber security will be an integral part of any signaling system, without compromising on safety or productivity.

