OT networks in the rail industry are being opened to connect with new digital systems, which is expanding the network’s attack surface and increasing opportunities for threats to move laterally throughout the network and gain access to safety critical systems.
Historically, OT networks were protected by an air gap, where IT and OT networks were physically disconnected from one another. While this did not provide complete protection against cyber threats, it made vulnerable OT assets much more difficult for an attacker to reach and exploit. Opening up OT through digitisation makes protecting critical OT systems more challenging, but with the correct approach and strategy it is not impossible.
Today, with the evolution of industrial systems, mobility, cloud technologies and multi-vendor COTS products, everything has changed. Air gapping is not the security magic bullet it was once thought to be, and preventing all outbound connectivity is not desirable because it makes systems difficult to manage operationally and harder to secure. Connectivity also brings benefits, for example remote condition monitoring and predictive maintenance.
Standards such as EN62443 provide a framework for implementing secure network zones and conduits as an architectural approach that divides a network into multiple segments, each acting as its own small network (zones) with tightly controlled traffic flows (conduits) between them.
Bridging the OT and IT network gap by enforcing boundaries
The practice of network segmentation is well established within enterprise IT networks and environments. It began as a method to improve network performance, but today it has become a foundation of proactive network security. Strategic segmentation of a network, and of the systems within it, isolates assets from one another, particularly those that are safety critical, and prevents “traffic leak” from one segment to another. This matters because perimeter defence, which only controls traffic going in and out of the network, is no longer enough: once an attacker penetrates the perimeter and gains a foothold, lateral movement within the network becomes the prime goal.
Many OT networks have been in place across the rail environment for years, evolving slowly with the operational requirements of the rail industry. These networks were often built based on a “flat” architectural model – meaning communication from any system on the network can be routed to any other system on the network – without consideration for cyber security best practices.
This has happened for many reasons. In some cases these were considered closed networks that were not vulnerable to attack, a hard argument to make in a modern cyber security posture. In other cases, safety, maintenance and operational reliability were the main drivers behind a flat architecture.
While the IT environment acknowledged a real cyber threat and invested in a “defence in depth” security approach to stay ahead, investment in the OT environment was driven only by the need for greater operational productivity and performance.
Network segmentation in an environment such as rolling-stock can be challenging and costly. It requires in-depth knowledge of the network and its systems—of which there can be hundreds.
On rolling stock, it is desirable for a network segmentation solution to enforce separation from a centralised location in the network. Through careful design, this can limit the need for expensive re-cabling and significant changes to the network layout. While these types of changes are easy in an enterprise environment, they are significant across a fleet of trains from both a cost and assurance perspective.
Despite the apparent challenges, network segmentation is one of the most significant steps asset owners can take to reduce the risk of a major security incident within the rail industry. It is a required component of a complete strategy with protective, detective and responsive measures.
Security must conform to the network, and not the other way around.
When network segmentation is implemented properly, a system can only communicate directly with other systems within its ‘segment’, as needed to execute its operational purpose. This reduces the overall network attack surface and ensures survivability of the wider OT network. For example, if an IT system on the network (such as a video surveillance device) is compromised, the safety critical and operational systems on the rest of the network should have the capacity to keep working normally, as they have been segmented separately from the affected video surveillance system.
But segmentation alone cannot prevent an attack from occurring. Defining the segment boundaries is important, but it is not enough on its own if those boundaries are not also enforced. Enforcing the access and traffic to and from each network segment, and the systems within them, requires deployment of a security gateway with firewall capabilities.
Though IT firewalls may offer network security and segmentation capabilities, they have been designed to inspect IT protocols, not OT protocols, and especially not rail specific protocols. This means IT firewalls cannot see or understand what is happening in a rail environment.
Segmented zones must be enforced with policies and filtering specifically created for that unique environment’s requirements. To properly filter and inspect network traffic across zones, a solution must understand the communication languages of the rail network. Security solutions must conform to the network, and not the other way around.
A firewall with knowledge of rail specific protocols can inspect traffic for potentially malicious content or commands and enforce access controls across network segment boundaries. However, we must also consider that legitimate protocol commands can be used for illegitimate purposes. A deeper understanding of the full context of each data flow can help indicate malicious intent. A security solution enforcing traffic between network segments must therefore be equipped with detective capabilities that distinguish ‘normal’ from ‘anomalous’ behaviour, allowing informed decisions to allow, alert, or block network traffic based on the full context of the communication.
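As an added illustration (not RazorSecure's code or any EN62443 reference implementation), the following Python models zones, conduits and the allow/alert/block decision described above: cross-zone traffic is denied unless a conduit permits the protocol, port and command, and a permitted command a pair of assets has never used before is passed but flagged. The addresses, zone names, the ‘diag’ protocol and its command names are assumptions constructed for the example.

```python
"""Zone-and-conduit policy check returning allow / alert / block per flow.
Added illustration, not RazorSecure or EN62443 reference code; addresses, zone
names, the 'diag' protocol and its command names are all constructed."""
from collections import defaultdict
# Asset-to-zone map (constructed): every asset belongs to exactly one zone.
ZONES = {
    "10.1.0.10": "cctv",           # passenger CCTV recorder, IT-style asset
    "10.2.0.5": "train_control",   # safety-critical controller
    "10.2.0.6": "train_control",
    "10.3.0.2": "maintenance",     # remote condition-monitoring collector
}
# Conduits (constructed): (src_zone, dst_zone, proto, dport) -> permitted commands.
# Cross-zone flows not listed here are denied by default.
CONDUITS = {
    ("train_control", "maintenance", "diag", 5000): {"READ_STATUS", "READ_LOG"},
}

def learn_baseline(normal_flows):
    """Record the commands each (src, dst) pair used during a known-good period."""
    seen = defaultdict(set)
    for f in normal_flows:
        seen[(f["src"], f["dst"])].add(f["cmd"])
    return seen

def evaluate(flow, baseline):
    """Intra-zone traffic passes; cross-zone traffic must match a conduit and use
    a permitted command; a permitted command this pair has never used before is
    passed but flagged, because a legitimate command can still be misused."""
    src_zone, dst_zone = ZONES.get(flow["src"]), ZONES.get(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "block"             # unknown asset: fail closed
    if src_zone == dst_zone:
        return "allow"
    permitted = CONDUITS.get((src_zone, dst_zone, flow["proto"], flow["dport"]))
    if permitted is None or flow["cmd"] not in permitted:
        return "block"
    if flow["cmd"] not in baseline.get((flow["src"], flow["dst"]), set()):
        return "alert"
    return "allow"

def mk(src, dst, cmd, proto="diag", dport=5000):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "cmd": cmd}
# Constructed traffic: a known-good observation period, then flows to decide.
BASELINE = learn_baseline([mk("10.2.0.5", "10.3.0.2", "READ_STATUS")])
SAMPLE = [
    mk("10.2.0.5", "10.2.0.6", "SET_POINT"),     # same zone         -> allow
    mk("10.2.0.5", "10.3.0.2", "READ_STATUS"),   # conduit, baseline -> allow
    mk("10.2.0.5", "10.3.0.2", "READ_LOG"),      # conduit, new cmd  -> alert
    mk("10.1.0.10", "10.2.0.5", "READ_STATUS"),  # no conduit        -> block
]
DECISIONS = [evaluate(f, BASELINE) for f in SAMPLE]
```

In a real gateway the baseline would be learned from observed traffic over time and the ‘alert’ outcome would feed the monitoring platform rather than a list.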
Protect your fleet with a solution designed and built for the needs of the rail industry
The EN50155 approved RazorSecure Security Gateway was designed exclusively to face the unique challenges within rolling stock and to provide the measures necessary to achieve EN62443 and TS50701 compliance. It helps train builders, suppliers and operators implement separation of critical networks, preventing attackers from gaining unauthorised network access and ensuring that network communication between protected systems is controlled and permitted.
The Security Gateway is built from virtualized components. It can be configured using open-source firewalls, or a next-generation firewall of your choice, giving complete flexibility over security controls and cost.
When deployed alongside the RazorSecure Delta platform, the Security Gateway provides additional protection through a layered security approach, giving strength in depth through continuous monitoring and intrusion detection across the network and its systems.