By Michael Cheng, Director at TXOne Networks & C. Max. Farrell, Senior Technical Marketing Specialist at TXOne Networks
Railways are a critical part of every nation’s vital system. Maintaining the constant operation of railway systems requires protection from many threats, and disruption can harshly impact a nation’s society, economy, and culture. As the critical industry of railways continues to grow, the risk of cyber-attacks has risen sharply.
This creates a need for powerful cybersecurity solutions that can be rapidly and conveniently integrated into routine railway operations to safeguard these critical networks and systems. In addition, these solutions should be resource efficient and transmit data fast enough to keep up with commuter traffic and to accommodate the distributed nature of modern railway technologies.
The vulnerable architecture of railway assets
Cyber attacks on national utilities and transport networks have increased massively recently, but they are by no means new. Back in 2015, security specialists set up a realistic simulated rail network at the CeBIT trade fair in Hannover and put it online to see how much attention it would attract from hackers. Over its 6-week runtime, 2,745,267 cyber attacks were documented, and in “about 10 percent of the attacks” intruders were able to gain control over simulated assets.[1] Would-be attackers’ knowledge of railway systems has progressed even further in the seven years since this experiment.
On the one hand the distributed network architecture of the railway infrastructure allows incredible adaptability and for the use of a wide variety of modular assets. On the other hand, many of these assets are no longer up-to-date or patchable. So, the fast-changing nature of cyber threats clashes with/comes up against the long service life and diversity of equipment, making the enforcement of security policies daunting. The same high-connectivity pathways that increase accessibility for trusted railroad engineers also increase accessibility for malicious intruders, which is why specially designed cybersecurity appliances and software can be so essential.
Every system needs individual protection
Each rail subsystem is a different set of assets with its own individual cybersecurity requirements. Every rail subsystem application classified as security-relevant has been systematically type-tested and secured according to the relevant certifications before leaving the factory. However, the downside of certifications is that they introduce general patterns into defenses that hackers can learn to anticipate and exploit. Defenses for critical services need to go beyond the bare minimum necessary to meet certifications or regulations and include protections that give hackers a hard time. Furthermore, the ongoing support of dedicated security researchers is necessary to adapt these defenses against new cyber threats.
User-friendly tailored solutions
Cybersecurity begins with education of the staff, but the busy day-to-day work of railway personnel rarely leaves space for that. Thus, all defensive solutions must be as failsafe and streamlined as possible to promote ease of use. Ideally railway subsystems need appliances that have the necessary protocol sensitivity to check network traffic for suspicious actions and deny unusual or unlikely behavior. Such appliances have the further benefit of significantly reducing the likelihood of human error.
Each subsystem is dependent on solutions created to meet its specific needs. TXOne Networks suggests an OT zero trust approach to securing operational environments, which includes three phases: segmenting networks, scanning inbound and mobile assets with a portable rapid-scan device, and securing endpoints with defensive solutions tailored to the endpoint’s type (legacy or modernized).
Stop intruders and isolate malware
Traditional intrusion prevention systems (IPSes) were mere filtering systems, which are no longer adequate protection for critical infrastructure networks. Instead, modernized solutions like TXOne’s Edge series of next-generation IPSes and firewalls bring more sophisticated protection to assets at the station and wayside. Edge series defenses, based on the OT zero trust methodology, detect suspicious behavior on legitimate accounts or from legitimate devices, put a virtual patching “shield” around legacy assets that cannot be patched or replaced, and segment networks so that they’re much more defensible.
The access points (APs) that a train uses for mesh or roaming are often running with limited or hardly any security, enabling intruders to potentially affect the signal control system. An EdgeIPS solution is perfect for deployment between the AP and its switch, preventing attackers from accessing or affecting the network.
Safeguarding mobile and stand-alone assets
One common way dangerous threats get into OT environments is devices brought on-site by vendors or maintenance experts. That is why, in addition to routine scans of deployed technology, security experts recommend using dedicated mobile security devices for pre-scans of new devices before they are deployed on the network. Such a device can be used to set up a checkpoint where all laptops and other devices brought on-site are scanned. This requires a solution with the ability to conduct quick scans without the need for software installations so that it can be used for checkpoint scans as well as for sensitive equipment that cannot accept installations.
How to protect fixed-use and legacy assets
For fixed-use systems such as ticket vending machines and on-board computers, a trust list-based ICS endpoint protection application is the ideal solution. Even if malware finds its way into a company’s working hardware, it cannot be executed because of the trust list-based lockdown. For example, applications, configurations, data, and USB devices are all locked down with a trust list. It excludes all unlisted applications from running and unlisted users cannot make changes to data or configurations. Only administrator-approved USB devices can connect to the device, and only an administrator can grant a device one-time permission to connect.
Conclusion
In today’s world bad actors and criminal organizations prefer to conduct their attacks over the internet from the comfort of their computer chairs – which makes them even more dangerous. To secure daily operations and maintain passenger confidence, computation must be protected from disruption while maintaining maximum availability, with no aspect of the exchange using more time or resources than necessary. This is why specially designed cybersecurity appliances and software are so essential to the protection of railway subsystems.
Additional information can be found at www.txone-networks.com and https://www.txone-networks.com/white-papers/content/securing-autonomous-mobile-robots
About the Authors
Michael Cheng is a director at TXOne Networks with 20 years of experience in global product management, software development, quality assurance, and cybersecurity for IT, OT, and ICS environments. He holds an ISA/IEC 62443 Cybersecurity Expert certification.
Michael Cheng can be reached online at [email protected] or at [email protected]
Max Farrell is a senior technical marketing specialist for TXOne Networks, where he has worked from a background in cybersecurity, technology, and business since 2019. He conducts research related to industry-critical technology, economy, and culture.
Max Farrell can be reached online at [email protected] or at [email protected]
[1] Vlad Gostomelsky, “Securing the Railroads from Cyberattacks”, Mass Transit Magazine, Dec 17 2019