Continuous innovation and digitisation have increased the level of connectivity between IT and OT systems in modern railway networks. Although this brings many advantages, the dependence on software and Information Technology (IT) solutions also increases the need for industry-wide awareness and guidance on how to securely protect those systems.
The Transportation Security Administration (TSA) has responded to increasing cyber security threat levels against surface transportation systems by issuing two security directives - 1580-21-01 and 1582-21-01, which were later followed by the 1580/82-2022-01 update. As service partners for global rail operators, RazorSecure and Siemens collaborated in writing the ‘Rail Cybersecurity Services’ whitepaper to provide practical guidance based on the NIST Cyber Security Framework (NIST CSF) and the requirements within these security directives.
With significant and practical experience as rail systems and cyber security solution providers, Siemens Mobility and RazorSecure have outlined guidance for best practice in managing regulatory challenges. This article seeks to summarize findings within the paper and the advice given for effectively applying security measures and processes throughout a rail system’s life cycle, which can last up to 40 years. To read the full whitepaper, a free registration form is available at the bottom of this blog.
In December 2021, after recent large-scale security incidents in critical infrastructures (including railways), the TSA issued the 1580-21-01 and 1582-21-01 security directives, requiring owners/operators of passenger transit systems to:
Designate a cyber security coordinator.
Report cyber security incidents to CISA within 24 hours.
Develop and implement a cyber security incident response plan.
Complete a cyber security vulnerability assessment using a TSA form.
In October 2022, a follow-up directive, 1580/82-2022-01, was released, which extended the initial requirements of incident reporting and response capabilities to:
1. Establish and implement a cyber security implementation plan that describes the specific measures employed and the schedule for achieving the following outcomes.
a. Implement network segmentation policies and controls.
b. Implement access control measures.
c. Implement continuous monitoring and detection policies and procedures.
d. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates.
2. Establish a cyber security assessment program and submit an annual plan that will proactively and regularly assess the effectiveness of cyber security measures, and identify and resolve device, network, and/or system vulnerabilities.
However, despite existing rules and regulations there remains a lack of industry-wide methods and standards on how to apply these measures in the rail environment, and how to gradually apply cyber security to both new and legacy systems.
Conventional security methods used in standard IT applications are difficult and often impossible to implement, especially for safety relevant or legacy rail systems. Protective cyber security measures like network segmentation and segregation, monitoring, authentication, authorisation, patching, etc., are often designed around IT systems and it is challenging to bring operational technology (OT) systems – which are often operated for many years - into the scope, as older systems were not always designed with cyber security in mind.
Passive controls like monitoring and logging network traffic can create a high network or device load conflicting with their normal operation. Active protection measures like patching, disconnecting, or deactivating a device in case of suspicious behavior, can create unplanned operation downtimes and require special consideration in safety related functions.
The guidance offered in the whitepaper addresses the requirements of the new security directives. This article summarizes the paper and explains how to handle the challenges, and how to implement the security controls in each of the framework’s phases: Identify, Protect, Detect, Respond, and Recover:
IDENTIFY
“You can’t defend what you don’t know you have”
Know your assets and their current and historical status:
Software or firmware versions of components.
How assets are interconnected.
Up-to-date network architecture and configurations of devices (switches, routers, firewalls).
Access rights to individual systems.
The paper offers guidance on manual and automated asset databases, monitoring and alerts, and explains how the next step is to understand business security risk and gaps: Security Risk = (Likelihood) x Impact = (Threats x Vulnerabilities) x Impact. In basic terms, security risk is a function of the likelihood that a threat exploits a vulnerability, which could result in an adverse impact. Our range of services is geared specifically towards the retrofit implementation of cyber security measures and solutions for rolling stock, and includes risk, vulnerability, and network analyses with instruction on which countermeasures to apply and where to best deploy them.
PROTECT
Defense-in-Depth describes a protection concept that comprises multiple layers of security measures and controls that account for the complex and layered structures of an IT and OT system. This approach includes:
Protection measures - firewalls, device hardening, network segmentation
Detective measures - intrusion detection, log files, Endpoint Detection and Response (EDR)
Security is more than technology; it is also about people and processes, with people often referred to as the weakest link. Since people are also your first line of defense, organizations must foster a culture of mature security hygiene and a high level of risk awareness. This approach includes:
Well-defined structures and people in charge of both safety and cyber security
Well-defined security policies and practices
Regular staff training, including dedicated yearly sessions for rail operators and maintenance staff
Zero-Trust approach (all requests inside and outside the network perimeter must be properly authenticated and authorized)
Based on the initial asset assessment conducted in the ‘Identify’ phase, the next step is to carry out a vulnerability assessment to review security weaknesses within the organization. Consolidating the methodologies of existing frameworks, the following steps form the basis of an effective risk assessment (full details of each step can be found in the whitepaper):
Engagement Planning
Threat Modeling
Discovery
Scanning
Validation
Remediation
Reporting
Our Solutions:
Siemens has developed a security testing service based on a tool called SIESTA (Siemens Extensible Security Testing Appliance), providing a single user interface with multiple scanning engines including Nessus, NMAP, and others, integrating results into a comprehensive report.
RazorSecure has developed the hardware-based cyber security platform, Security Gateway, that allows operators and asset owners to have complete control of onboard and wayside networks. The security platform provides next-generation firewalls, superior access control, network segregation and segmentation capabilities, as well as host and network monitoring with its Delta solution.
The importance of network segmentation and segregation cannot be overstressed. It is recommended that devices (e.g. portable test units) connecting directly to sensitive control systems should never have an internet connection and that their software should be strictly controlled. Data analysis and applications are highly reliant on connectivity, meaning the concept of fully ‘air-gapped’ networks is impractical. Network traffic must be controlled using industrial firewalls, and access should only be granted to those who have a clear business purpose and have received proper training.
DETECT
The ability to detect anomalies and changes is one part of the Defense-in-Depth concept and key to understanding cyber risk. Increased digitisation brings with it constant changes in system designs and configurations, such as the addition of new devices, software, and applications, and these advancements add complexity when monitoring security. However, monitoring is one of the most effective controls, as indicated by the NIST SP 800 series, IEC 62443, CENELEC TS 50701, and ISO 27001 standards.
Collecting log files from devices, applications, and network components such as switches and firewalls, and adding network access control (NAC) and a Network Intrusion Detection System (NIDS) to passively monitor network traffic, are good first steps and can help toward compliance in your next audit. However, the differences between signature-based detection methods and AI-based (anomaly-based) systems must be considered.
Signature-based detection methods rely heavily on expert configuration and maintenance. IDS solutions integrated into next-generation firewalls typically use a signature-based detection method, checking traffic patterns for known attacks based on previously analyzed events. Maintaining accuracy requires constant signature updates.
AI-based systems are almost "zero-touch" and self-learning, concentrating on behavioral data rather than signatures, detecting both known and unknown attacks. Rather than analyzing packets in protocols, these systems look for abnormal behavior as evidence of a potential attack.
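To make the contrast between the two detection approaches concrete, here is an added example (not code from the whitepaper, Siemens or RazorSecure) that runs both a signature check and a behaviour check over constructed onboard flow records; a simple learned baseline of known paths and peak volumes stands in for a self-learning model, and all host names, signature IDs and byte counts are made up.

```python
from collections import namedtuple

# Flow record fields; host names throughout are constructed, not real train equipment.
Flow = namedtuple("Flow", "src dst port proto nbytes")

# Constructed known-good baseline, e.g. traffic captured during commissioning.
BASELINE = [
    Flow("hmi-1", "tcu-1", 502, "modbus", 1200),
    Flow("hmi-1", "tcu-1", 502, "modbus", 1400),
    Flow("mcg-1", "hmi-1", 443, "https", 8000),
]

# Constructed signature set: expert-maintained rules for known-bad patterns.
SIGNATURES = {
    "SIG-CONSTRUCTED-001": lambda f: f.proto == "telnet",                 # cleartext admin protocol onboard
    "SIG-CONSTRUCTED-002": lambda f: f.port == 502 and f.src != "hmi-1",  # Modbus from a non-HMI host
}

def signature_alerts(flows):
    """Signature-based: each flow is checked against the maintained rule set only."""
    return [(name, f) for f in flows for name, rule in SIGNATURES.items() if rule(f)]

def learn_baseline(flows):
    """Behaviour-based: learn which (src, dst, port) paths exist and their peak volume."""
    profile = {}
    for f in flows:
        key = (f.src, f.dst, f.port)
        profile[key] = max(profile.get(key, 0), f.nbytes)
    return profile

def anomaly_alerts(flows, profile, volume_factor=3):
    """Flag paths never seen in the baseline (new device or new connection) and volume spikes."""
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.port)
        if key not in profile:
            alerts.append(("unseen-path", f))
        elif f.nbytes > volume_factor * profile[key]:
            alerts.append(("volume-spike", f))
    return alerts

# Constructed traffic observed after commissioning, annotated with what each method catches.
OBSERVED = [
    Flow("hmi-1", "tcu-1", 502, "modbus", 1300),   # normal: neither method alerts
    Flow("ptu-9", "tcu-1", 502, "modbus", 1300),   # unknown device on Modbus: both methods alert
    Flow("mcg-1", "hmi-1", 443, "https", 90000),   # 10x usual volume: behaviour-based only
    Flow("hmi-1", "tcu-1", 23, "telnet", 300),     # telnet between known hosts: both methods alert
]
```

The volume spike shows why signatures alone miss unknown attacks, while the Telnet flow shows why a learned baseline still benefits from expert rules that name what was found.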
Our Solutions:
Siemens Mobility has tested and implemented both signature-based and AI-based systems and found that both can be used in rail environments. RazorSecure’s Delta is a Network Intrusion Detection System that allows for full visibility of the network topology, identifying unusual and unexpected traffic patterns that could be a potential risk. Deployed as a host and network monitoring solution, Delta allows for very flexible security architectures that are adapted to the network and operational constraints of each train. Siemens Data Capture Unit (DCU) can be combined with Delta for safe and secure data access when adding a device, offering operators and asset owners best-in-class detection and monitoring capabilities.
This network activity and data can be analyzed through the integration of RazorSecure’s Security Explorer, a rail-agent-compatible security dashboard built specifically for use in Security Operation Centres (SOC) and Cyber Defence Centres (CDC).
RESPOND & RECOVER
Regardless of protection and detection efforts, an incident response plan is essential, with a strategy that minimizes the impact of an incident. NIST SP800-34 ‘Contingency Planning for Information Technology Systems’ details a seven-step methodology for developing a cyber security contingency process and plan, as outlined below:
Develop Contingency Planning Process
Conduct Business Impact Analysis
Identify Preventive Controls
Develop Recovery Strategies
Develop Contingency Plan
Plan Testing, Training, and Exercises
Plan Maintenance
Full details of these seven steps can be found in the whitepaper.
As part of this process, and in adherence to the US DHS Security Directive 1582-21-01, which requires incidents to be reported to the Cybersecurity and Infrastructure Security Agency (CISA), the American Public Transportation Association (APTA) recommends documenting the following recovery strategies:
Incident response plan: The ability to proactively detect, contain, eliminate, and recover from security breaches, such as malware or data breaches.
Business continuity plan: During and after a disruption, a business continuity plan focuses on maintaining an organization's mission and business operations (e.g., ticketing system).
Continuity of operations plan: Focus on restoring an organization's mission-critical functions, such as recovering a ransomware-affected system.
Crisis communications plan: In the event of an incident, the crisis communications plan documents standard procedures, standard formats, and identifies the people in the organization who are responsible for internal and external communications to the public about the status of the response.
As the modern, digitalised rail industry sees increasing complexity of control systems onboard and at the wayside, reliance on system health data has become crucial to security and, ultimately, to the prevention of safety hazards. However, confidentiality of sensitive information and intellectual property must be absolute, and the same is true of integrity and availability, all of which can be supported by a solid cyber security program. Transit owners and operators must be able to trust that whether their data is transferred through the internet, stored in a cloud environment, or held on an on-premises server - it is secure, reliable, and accessible. This has a direct impact on ridership quality and customer satisfaction, as customers must also feel confident that their data is protected and that there will be no delays or safety hazards during their commute. Furthermore, the same data gathered for security monitoring can be used to monitor any technical abnormalities and analyze the root cause of any failures, further improving the reliability and safety of a monitored system.
Digitalisation and the increased use of software for rail applications open the door to new vulnerabilities, software failures, and the risk of uncontrolled and unrestricted access. Financial, reputational, and safety-related risks are now a very real threat to the sector, and the increase in cyber security incidents in critical infrastructure has led to regulatory responses such as the TSA security directives. Strong cyber security is the foundation and driving force behind any digital solution; however, this is a continuous and ongoing process that can only be achieved through standards, industry guidelines, and best practices from the rail industry and IT applications.