The Modern Railway Systems: An Analysis of IT and OT Cybersecurity Threats
The Context
As we continue to embrace digital transformations in our #criticalinfrastructure, our transportation networks – particularly railways – have seen massive advancements in terms of automation and control systems. However, these improvements have also exposed railway networks to a host of #cybersecurity #threats. This article will delve into these vulnerabilities with a keen focus on #IT and #OT within the context of modern railway systems.
Traditionally, IT and OT systems in railway networks have been segregated. IT covers data-centric systems such as ticketing, scheduling, and administrative work, while OT pertains to the machinery and equipment that manage the actual movement and operation of the trains.
Today's interconnected and increasingly complex networks have blurred the boundaries between IT and OT, resulting in new points of cyber vulnerability.
What Cyberattacks can happen on Railway Networks?
One incident that exemplifies this threat was the cyber-attack on San Francisco's Municipal Transportation Agency (SFMTA) in 2016. Malware infected the agency's Windows-based workstations and servers, impacting the ticketing system and forcing SFMTA to allow free rides over the weekend. While no safety-critical systems were #compromised, it clearly underscored the susceptibility of IT networks in railway operations.
A more dire scenario was seen in 2020 when Iranian hackers reportedly targeted Israel's rail infrastructure. According to cybersecurity firm ClearSky, the attack aimed to cause #physical harm by infiltrating control systems linked to railway traffic. This incident illuminates the potential threats to OT systems that control essential railway operations, signaling a shift from data theft and financial gain to actual physical disruption.
The #sophistication of these threats has only escalated in recent years. #APTs, Advanced Persistent Threats
Typical Systems That Needs Protection:
Modern railway networks employ a variety of systems to manage their operations, ensure passenger safety, and maintain efficient and punctual services. Here are some examples of systems found in a typical railway network:
How To Protect Such Systems
To counteract these cybersecurity threats, railway companies must adopt a proactive and integrated approach to security.
Recommended by LinkedIn
Regulations and Standards
Not all the #governments across the globe mandate a standard for Railway Networks' cybersecurity however, #developed governments have started providing guidelines to operators to ensure #cybersafety of this critical sector. TSA in US and DfT in UK have issued directives to the Railway operators to implement better cybersecurity controls on the critical railway networks and ensure safety of the ICS.
CISA establishes high-level prerequisites and collaborates with pre-existing regulatory authorities within each sector to enforce precise rules. The Transportation Security Agency (TSA) adopts a similar approach for freight and passenger railways.
TSA has recently used CISA's requirements to issue two Security Directives and an Advanced Notice of Proposed Rulemaking (ANPRM). The first directive, released on Dec. 31, 2021, lays the groundwork for railways to report cybersecurity incidents to CISA and coordinate with the TSA. The second directive, released on Oct. 24, 2022, mandates railways to share their Cybersecurity Implementation Plan (CIP), which clarifies their cybersecurity protection level. On Nov. 30, 2022, TSA issued an ANPRM, seeking to understand the status of cybersecurity in the rail sector better and facilitate the development of exhaustive requirements.
Similary, The Department for Transport (DfT) in UK, leveraging powers under the Railways Act 1993 and the Channel Tunnel (Security) Order 1994 (CTSO), issues mandatory counterterrorism and security directives to station and train operators. The aim is to minimize the risk of terrorism incidents, including potential cyber-attacks causing extensive chaos, damage, or loss of life. Besides, DfT offers guidance on security-related matters such as station design, staff recruitment, training, and contingency planning, and disseminates specialized governmental agency security advice within the transport sector.
Numerous nations including many in Europe, along with China and Russia, employ their established standards applicable to the transport sector, including railway networks.
Other countries with expansive railway networks can initiate the implementation of cybersecurity standards by adopting CISA directives. They can also leverage local consultancy firms to create and tailor standards suitable for their domestic networks.
The Importance of Cybersecurity Frameworks
A cybersecurity framework comprises pre-defined controls and serves as a valuable tool for organizations when establishing their cybersecurity programs. While the Security Directives and ANPRM do not mandate a specific cybersecurity framework, leading cybersecurity framework providers like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) offer widely-used standards.
Companies within the rail industry, recognized as Critical Infrastructure by CISA, must adopt a cybersecurity framework to respond to TSA's directives and the call-to-action through its ANPRM. This approach ensures adequate protection against potential cyber threats, fulfilling the requirements defined by the overarching cybersecurity framework.
Conclusion:
In conclusion, as we continue to see the integration of IT and OT systems in modern railway networks, the associated cybersecurity threats cannot be ignored. Understanding these threats and taking the necessary proactive measures will be paramount in ensuring the safety and reliability of our railway networks moving forward. These efforts must include cooperation between the railway industry, cybersecurity firms, and governments to share threat intelligence and develop robust security frameworks that can withstand these evolving threats.
Senior Managing Director
1yMuhammad Ali Azeem Very insightful. Thank you for sharing.
OT/ICS Cyber Security Engineer🔹Certified Ethical Hacker🔹IT/OT Penetration Tester🔹IEC-62443🔹NIST 800-82🔹Vulnerability-Risk-Gap Assessment🔹Aviation Cyber Security🔹Maritime Cyber Security
1yExcellent information 👍