Having worked with leading rail companies (read how we worked with Northern Rail to protect 10 million passenger journeys) over the last 5 years, we have learnt a lot about helping them meet challenges with cyber security frameworks including the NIS Directive, NIST Cyber Security Framework and IEC-62443.
Our initial work focused around deploying our RazorSecure Delta product with operators to protect their mobile communications gateways. This is a single point within their network, a key point of aggregation, but it is not the only place where they face cyber risk that must be addressed. In a previous blog we discussed the different possible attack vectors across rolling stock.
From just looking over the list of exhibitors from Infosecurity Europe, you can see there are 18 different categories of cyber security products. Each product is designed to fit a different use case or meet a specific customer requirement. The vast majority of these requirements do not apply within rail, but the point remains that there are many different elements that combine into a mature cyber security strategy. In cyber security, one size does not fit all. Effective hackers don’t attack systems aimlessly; they exploit specific weaknesses in specific systems.
Why is cyber security not treated like safety?
Looking at the rail industry in particular, cyber security is often approached with scepticism, and as a check box exercise. Safety is highly prized within the rail industry, so why are the risks of cyber security not treated with the same reverence?
A key factor in this is because digitalisation in the rail industry is still relatively new. The approaches that are being taken are driven by the large mechanical engineering techniques that the industry lives by. Value in the rail industry is often attributed to physical weight, failing to take into account that over the last 20 years the amount of software onboard a train has increased exponentially.
When first developing our software, we met with a safety assessor for rail software and after 20 minutes I asked them: “So how do you validate all the other software that runs as part of Linux?”. They responded: “What other software?”. For reference the Linux kernel is currently 28 million lines of code and that is before you add in DNS, NTP, SSH, systemd/initv, cron, iptables and all of the other services that typically make up a Linux distribution.
Many train operators remain overconfident in their ability to defend themselves against attacks, but it takes more than a ‘tick box’ cyber security approach to protect yourself from every threat.
Where are we today?
In relation to NIST, today train builders have typically focused on the “identify” and “protect” elements of cyber security. They take the basic measures of adding firewall rules between certain network zones onboard, configuring VLANs to logically separate traffic and in some cases adding air gaps between network segments.
Some basic OS hardening typically also takes place, however it is exceptionally difficult to harden an operating system for such a long period of time. Even stable, core services in the Linux distribution have vulnerabilities that are discovered over time. In the past two years there have been 9 vulnerabilities in Bash (the Linux shell terminal) that are ranked CVE 6 or above, allowing for root escalation or arbitrary code execution.
The amount of time that these systems must remain in service means that the only possible conclusion can be that during the life of the system, it will be vulnerable to attack for a significant period of time.
There is an added challenge in that you cannot ensure the physical security of a system in the rail industry for fire safety and maintenance reasons. Even where air gapped and physically separated networks are deployed, this cannot be guaranteed over the life of the asset. The reality is that an air gap can be bridged by a determined attacker with a relatively low level of sophistication. Remote access tools are available cheaply online, and M12 network connectors can be purchased easily.
So how should rail cyber security be addressed?
The good news is that the path to better cyber security is already there. The NIS Directive, NIST Framework, CENELEC WG26 Technical Specification and IEC-62443 include guidelines for the techniques and tools that will improve security and allow it to be managed over the life of the asset.
The industry has already addressed the “identify” and “protect” principles of these frameworks, however it is now time for them to address the “detect”, “respond” and “recover” principles.
These are vital best practices, and critical to the future and longevity of cyber security in the railway industry. Detect must be a core part of any cyber security strategy because when vulnerabilities are given so much time to exist, and protection measures may be circumvented, the only protection that is left is early detection.
Detection has been the last element that now needs to be addressed in the rail industry. It has been viewed as painful because it requires a step beyond check boxes and movement of cyber security into continuous operation.
The good news is that there are ways to address detection that can be implemented cost-effectively and made easy to manage over the entire life of the asset.
Detection also feeds into a strong response and recovery strategy; the benefit of early detection is that you not only get to stop an attack before it has progressed significantly but ideally you also know exactly what actions the attacker has taken. This allows you to get the assets back into use quickly and effectively, minimising the operational downtime of the railway.
The most effective security solution is one that is tailored to your unique challenges; one designed to specifically protect your most important critical assets and fortify the areas that hackers are most likely to attack. At RazorSecure we have developed our flexible, hybrid approach to rail cyber security to address the unique challenges that are faced in adding cyber security detection to the railway. This approach offers the flexibility to cover key systems while considering how this can be managed over the life of the railway asset. It gives us the right tools to address even the most difficult challenges including host-based software, network deployments using data diodes and security gateways to separate and monitor traffic.
