Railway systems – both inter-city and inner-city light rail and metro systems – are considered among the most critical national infrastructure operations in many countries where the bulk of passenger and goods transport is done by rail. And while we have seen in recent years debilitating attacks (primarily ransomware attacks, for extorting a cash ransom) on railway companies’ IT systems, an attack on a railway’s OT networks, e.g. on its signaling system, could lead to loss of life, damage to tracks, trains and transported goods, as well as environmental damages in the case of hauling hazardous materials.
Railway companies’ communications and operations networks are, as in other traditional industrial settings, divided roughly between the IT and OT sides (even though the boundaries between the two have blurred over the years).
On the IT side, much of the protected information is managed by the Passenger Information System (PIS), which encompasses all customer service, ticketing and online operations.
The OT side controls a number of critical systems, which manages (among many other functions):
In addition, OT operations controls various physical security systems such as access control and video surveillance, at stations and on board trains
A listing of OT functions in typical railway systems (Source: ENISA Railway Security Report, 2020)
To make things worse, railways face a unique combination of factors that exacerbate their exposure to cyber-threats:
In addition, at this time of heightened geopolitical tensions and military conflicts, railways, as a national critical infrastructure, may be especially targeted by state-sponsored attackers seeking to wreak havoc on both military and civilian transport using various hacking methods (we have already witnessed a ransomware attack on Belarus’ state-run railway’s computer system , aimed at preventing the transport of Russian troops and artillery to the country, in anticipation of an attack on Ukraine).
US TSA’s security directive 1580-21-01
The above risk factors, as well as the distributed ownership of the American railway infrastructure which has shown to inhibit the reporting of cyber-attacks and cross-operator cooperation in railway security, were the driving force behind the US TSA’s security directive 1580-21-01 for enhancing railway security.
The new TSA’s directive aims at creating a uniform system across the American railway industry for reporting and managing security incidents. This includes:
ENISA’s 2020 Railway Security directive
The concerns and recommended security measures listed in the TSA directive echo those listed in its European counterpart issued a year earlier, the November 2020 Railway Cybersecurity report issued by ENISA (the EU central cybersecurity agency)
The ENISA directive defines the four domains that make up railway operations and the security measures associated with each:
Noteworthy among the security measures indicated in the ENISA directive is the strong recommendation to apply (the relatively new) risk-based approach to OT security, using risk management solutions designed for today’s OT security space, such as Radiflow’s own automated industrial risk assessment and management platform. To this end ENISA published a guide for arranging the OT network logically into Zones and Conduits for railway operations, as specified on the IEC 62443 standard. Applying a risk-based methodology to OT security enables optimizing OT security operations by quantitatively calculating the actual risk the Railway OES may incur following a cyberattack, accounting for the impact of an attack on each and every business unit, as well as for the risk tolerance of the organization.
Security measures for railway operators defined as operators of essential services (OES)
Radiflow’s OT-security suite has been successfully implemented in a number of major ground transportation carriers worldwide.
Radiflow’s multi-prong solution provides anomaly detection and threat monitoring on the OT part of the Railway infrastructure (railway energy provision and BMS) to ensure the detection of breach attempts originating from the IT network. The Radiflow solution further improves network oversight by providing full visibility (via network “maps”) into the OT network, including all and device properties, vulnerabilities, communication protocols and possible intra-network attack vectors.
Once discovered and mapped out, assets are grouped into Zones (connected by Conduits) to facilitate IEC 62443-compliant risk assessment & management, as per ENISA’s guide to Zones & Conduits.
Using multiple data feeds for newly-discovered threats and vulnerabilities, as well as rich contextual information received from signaling and other equipment vendors for cybersecurity analysis, Radiflow’s threat detection and monitoring solution provides operators full control over anomaly alerting and incident handling.
The Radiflow system connects to the railway operator’s enterprise SOC where all incident, event analysis and cyber risk management is performed, and allows for instant access to each and every intrusion detection system in the carriers network. The Radiflow system also integrates with dedicated railway signaling security providers as well as a large array of IT security players, for context enrichment and better threat detection, as well as for easily implementing Radiflow solution within a wide range of data and asset management platforms.
As a renowned compliance enabler, Radiflow accompanies its OT-operator customers through the cyber risk assessment process, in accordance to leading standards, such as IEC 62443 and the new TSA directive for ground transportation. The different steps in the process, which progresses from network discovery to assessment to risk remediation, are defined in both the ENISA guidelines and IEC 62443 as ZCRs (Zone and Conduit Requirements), as follows:
Radiflow’s risk assessment process follows the ZCR methodology used in both IEC 62443 and the ENISA guidelines for railway and other OT organizations
Going beyond threat detection, network visibility and security assessment, Radiflow’s risk management platform empowers users to optimize their cybersecurity expenditure by prioritizing the threats that pose the most risk to the organization as a whole (accounting for the impact of a debilitating attack on each zone/business unit) and subsequently the mitigation measures best suited to reducing the most risk, toward increasing the ROI of the entire cybersecurity operation.
Radiflow’s risk assessment process involves analyzing thousands of data points for network and asset properties, threat intelligence and impact calculation, toward providing various KPIs and full reports for the network’s risk state:
All asset, network, threat and SuC owner-provided data points are used to run numerous breach and attack simulations (Radiflow’s BAS simulations are non-destructive (as they don’t involve any operations on the OT network itself). The simulations determine the most impactful threats to the network and subsequently the most effective mitigation controls that deliver the most risk reduction per dollar spent.
The results of Radiflow’s risk assessment are provided in the form of various high-level and detailed reports used for budgeting, auditing and follow up, as well as a detailed mitigation plan listing the most effective (high-ROI) mitigation measures, accounting for the user’s budget and risk management preferences.
Example for defining Security Levels for Zones, from ENISA’s Zoning and Conduits Guidelines for Railway operators. Radiflow risk assessment process strictly follows these principles.
While the awareness of the need to bring railways’ OT network security up to par has (finally) reached maturity, there still exists a huge need for expertise and guidance, especially when it comes to vulnerability analysis, risk management and the intricacies of mandatory OT security regulations and compliance certification. Radiflow’s OT security experts closely accompany users from initial vulnerability and security analysis and implementing a central alerting and monitoring SOC to risk assessment and OT security optimization, using the most advanced, tried-and-true OT security tools.
Harmonizing risk and consequence strategies across IT and OT environments for greater cyber resilience
Strengthening OT Resilience: Protecting Critical Systems in a Rapidly Evolving Threat Environment
Quarterly ICS Security Report 2024 Q3