
The modern rail network has rapidly evolved over the last decade, resulting in some of the most critical systems across rolling stock being connected to the internet. Yet for many rail operators, maintaining a high level of cyber security has not been a high priority, even though a cyber incident could have a significant impact on their operations.

Rail operators may have a false sense of security, believing that they are not a priority target for hackers and relying on suppliers whose marketing material says that “cyber security is their highest priority”; unfortunately the reality is often very different. The railway industry must recognise that no system is ever totally secure and that it needs a robust cyber security strategy.

To keep a digital fleet secure, you must take steps to secure the edge of the network, given that in rail this perimeter is fuzzy, and it is also vital to take notice of what is happening within it. 

With many attack vectors across rolling stock, it is difficult to say that every system is impenetrable. That is why being able to detect any suspicious activity within the network becomes incredibly powerful. 

Exploring the anomaly detection method for finding the ‘needle in the haystack’ threats to rail.

Cyber security monitoring, with behavioural anomaly detection, tracks critical network characteristics and only generates alarms if an anomaly is detected that may indicate the presence of a threat. An intruder, through breaching a device, aims to gain control of the network by pivoting through devices within it. As a device is accessed by the intruder, deviations from its normal behaviour will occur.

‘Behaviour’, in cyber security terms, is defined as the patterns or trends of a device within a specified time period. With behavioural anomaly detection we begin by setting a baseline, to understand what the ‘normal’ behaviour of each device is. A rail network is a complex and unique environment compared to an enterprise IT network. Devices across rolling stock may behave in their own idiosyncratic ways that a cyber security solution unaccustomed to rail would consider a potential anomaly.

In order to detect an anomaly accurately while minimising false positives, the process begins with defining what is ‘normal’ behaviour for each individual device within your train’s network. The behaviour of each device in its normal state is modelled, since a variety of patterns are observed as individual devices, or users, operate and communicate within their own unique processes. Once normal traffic patterns are established, the behavioural anomaly detection solution continuously monitors and alerts on any outliers.

It is essential to monitor this behaviour between every component of the network, for example identifying a suspicious communication between the TCMS and an IP-enabled CCTV device in your network, and understanding what it is trying to achieve. If a device such as a CCTV camera is trying to talk to the brake systems, it is probably either misconfigured or acting maliciously.

Detecting activity that occurred before the suspicious communication is also valuable information that can be monitored and learnt from. This might include simply recording a log of other non-malicious complications, such as a system failure, disruption or misconfiguration. Understanding the broader sequence of events helps you understand the risk, so that you can take more precise actions to reduce it.
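The learn-then-monitor sequence described above, as an added Python illustration that is not RazorSecure's code and not part of the original post: a per-device baseline of which peers each device talks to and how much, followed by alerts for an unseen peer pair (a camera talking to the brake controller) and a volume spike, plus a lookup of the device's earlier flows for context. Device names, ports, windows and byte counts are all constructed, hypothetical values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, src, dst, dst_port, bytes).
# Device names are hypothetical labels for an onboard train network.
LEARNING_FLOWS = [
    (w, "cctv-cam-1", "cctv-nvr", 554, b)
    for w, b in enumerate([5100, 5200, 4900, 5300, 5000, 5100, 5050, 4950])
] + [
    (w, "tcms", "brake-ctrl", 502, b)
    for w, b in enumerate([800, 820, 790, 810, 805, 815, 795, 800])
]

# Monitoring phase (constructed): one unseen peer pair and one volume spike.
MONITOR_FLOWS = [
    (8, "cctv-cam-1", "cctv-nvr", 554, 5150),    # within baseline
    (8, "tcms", "brake-ctrl", 502, 810),         # within baseline
    (9, "cctv-cam-1", "brake-ctrl", 502, 120),   # camera -> brakes: never seen
    (9, "cctv-cam-1", "cctv-nvr", 554, 41000),   # roughly 8x the usual volume
]

def build_baseline(flows):
    """Per (src, dst, port) pair: mean and std dev of bytes per window during learning."""
    per_pair = defaultdict(list)
    for _, src, dst, port, nbytes in flows:
        per_pair[(src, dst, port)].append(nbytes)
    return {pair: (mean(v), pstdev(v)) for pair, v in per_pair.items()}

def detect(baseline, flows, k=3.0):
    """Return (window, kind, detail) alerts for flows that deviate from the baseline."""
    alerts = []
    for window, src, dst, port, nbytes in flows:
        pair = (src, dst, port)
        if pair not in baseline:
            alerts.append((window, "new_peer", f"{src} -> {dst}:{port} not seen in learning"))
            continue
        mu, sigma = baseline[pair]
        # Floor sigma at 5% of the mean so a very steady device still gets a tolerance band.
        if nbytes > mu + k * max(sigma, 0.05 * mu):
            alerts.append((window, "volume_spike", f"{src} -> {dst}:{port} {nbytes}B vs ~{mu:.0f}B"))
    return alerts

def context(flows, device, before_window):
    """Flows involving the device in earlier windows: the sequence of events before an alert."""
    return [f for f in flows if f[0] < before_window and device in (f[1], f[2])]

if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    for window, kind, detail in detect(base, MONITOR_FLOWS):
        print(window, kind, detail)
        print("  prior flows:", len(context(LEARNING_FLOWS + MONITOR_FLOWS, detail.split()[0], window)))
```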

Increased visibility of assets and real-time alerting of threats, without disrupting operations, is a fundamental requirement of a rail cyber security programme. Security measures must therefore use non-intrusive techniques, as it is not acceptable for threat detection solutions to interrupt or degrade the performance of the critical systems a train requires to carry out its function. It is vital to have a cyber security solution that reduces the number of false positives you receive, so that organisations can spend more time and energy on the actual threats.


Detecting the true security and operational unknowns. A recognised solution when building your rail cyber security programme 

Continuous monitoring and behavioural anomaly detection are now being recognised as the key route for securing rail when compared to other threat detection solutions. In a previous blog we discussed the use of ‘signature-based’ threat detection and its flaws when used as a primary cyber security solution for rail. Signature-based tools rely on fingerprints of known attacks: incoming traffic is matched against these signatures and blocked accordingly. They are usually found at the first line of defence of a network, separating the network from the outside world.

Although it may not be possible to stop all threats immediately from initiating the cyber kill chain, the monitoring and detection of threats within the network is an essential element of cyber security. Continuous monitoring is a prerequisite for reliable and safe operations, especially within rail, as cyber incidents on rolling stock will not always originate from outside the network. Insider attacks allow threat actors to bypass many perimeter cyber security measures. By using behavioural monitoring and detection, rail operators can ensure constant visibility of their network to detect cyber incidents that occur beyond the perimeter.

In legacy fleets, anomaly detection and security monitoring may be the only way to improve security, as these devices lack the capability to add additional security features.

This need has now been addressed in new cyber security frameworks, such as those from NIST, which specifically include guidance on this issue.

The US National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory (EL), recently released a report named “Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection (BAD)”. The report makes clear that behavioural anomaly detection technology, with continuous monitoring of systems, is an essential component in sustaining operations within critical infrastructure. The NIST report listed the following benefits of behavioural anomaly detection:

  • Detect cyber incidents in time to permit effective response and recovery

  • Expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices

  • Reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts 

  • Support the oversight of resources 

  • Enable faster incident-response times, fewer incidents, and shorter downtimes

Unlike signature-based detection, behavioural monitoring does not search for a unique characteristic of a known threat. Relying on such characteristics is a problem, as data on intrusions is relatively rare within rail. Even once an attack is catalogued in a threat database, every signature-based system would require updating to ensure it can detect that particular threat the next time it appears. A key advantage of anomaly monitoring approaches is their capacity to rapidly detect both new and unknown zero-day attacks without any alterations. This is critical, as new attacks can appear every day.

Amongst many threats, behavioural anomaly detection can be used effectively to discover and protect against:

  • Unauthorised network changes and spike in usage trends

  • Port scanning attempts to discover vulnerabilities

  • APT (advanced persistent threats)

  • Malicious, or negligent insiders, abusing access

  • Malware infiltration via external/removable devices

  • Compromised IP-enabled, and IoT, devices

  • Legacy software/systems with insufficient integrity

  • Attempts to sabotage systems, particularly vulnerable unpatched systems, with DDoS attacks

Cyber security is a continuous requirement within rail and must be considered for the entire life of the asset. Signature-based detection solutions have a very limited lifespan in which they are effective, and a lack of ongoing monitoring causes networks to never truly be in a secure state.

Behaviour anomaly detection built to handle the key challenges of securing systems in dynamic, challenging railway environments

RazorSecure has developed our security monitoring solution to meet the special needs of modern rolling stock and signalling environments. We know that rail needs a solution that will offer complete security and control for the entire lifespan of the fleet.

Firstly, using our asset discovery functionality, we allow rail operators to know and understand their assets in detail, so that they can monitor network traffic and device behaviour. This allows you to assess which assets are at high risk and implement security measures that focus on those critical assets.

As any connected device represents a possible security risk, it is important to constantly monitor, detect, locate and remove all unauthorised or ‘misbehaving’ devices. With our machine-learning approach to behavioural monitoring, we can predict how an individual device will, and should, behave. This forms the basis of our anomaly detection, which identifies deviations from this behaviour. Understanding how a device is expected to behave allows us to flag abnormal deviations that could be signs of both known and unknown threats, as well as deviations from normal operational processes that indicate faults.