In discussions with our rail customers, we often hear that they want to implement additional firewalls or network monitoring as part of a ‘defence in depth’ strategy. While we agree that this is an excellent way to improve cyber security, we often wonder whether they have fallen for a myth perpetuated by cyber security vendors that do not have experience in rail.
“How do you secure your network?”
I’m sure this is a question that many rail operators are asked during discussions with cyber security vendors. It inevitably leads down a line of questioning about network intrusion detection, firewalls, network IPS and so on.
However, in our view, this perpetuates a myth that exists in the cyber security industry. The myth is so prevalent that “intrusion detection system” is taken by many people to mean only a network IDS, that is, a system that does nothing more than monitor network traffic for suspicious activity.
That myth reinforces a belief that attackers attack networks when, in reality, this could not be further from the truth. To gain a significant foothold in a network, an attacker must attack and breach systems, not the network itself. Even in the case of remote access tool (RAT) devices, these can be considered physical attacks against switches and are detectable through direct monitoring of the switches.
It is easy to see how this has come about. People think in very abstract terms, and it is much easier to consider a ‘system of systems’ (i.e. a network) than the individual connected systems.
There are advantages to a well-configured network with strong protections in place against cyber attack. However, when it comes to detecting cyber attacks on trains, a network-only approach will be found sorely lacking.
We got hit by Schrödinger’s Cyber Attack
Does that packet contain a cyber attack or not? To find out, you need to look at the contents of the packet. “Great,” says your cyber security team, “we’ll deploy deep packet inspection to do that.”
A month later, they are targeted by an attack that uses encrypted traffic. Your security operations centre couldn’t see inside the packets because they were encrypted. Deep packet inspection is practical only in some use cases and has limited usefulness against many cyber attacks.
The truth is that in most cases, DPI and other network-based methods work well for incoming traffic at the perimeter of the network, but break down when you need a holistic view of traffic across the entire network. There, it is much more useful to look at traffic patterns and behaviour.
In a previous blog we discussed the issue of using deep packet inspection methods to protect trains in more detail.
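The point about traffic patterns and behaviour can be shown concretely. The script below is an added example, not RazorSecure's code: it scores flows from an onboard device using only metadata (peer, port, bytes sent), so TLS encryption of the payload does not blind it. The device name, peer addresses, byte counts and the three-sigma threshold are all constructed assumptions.

```python
"""Behaviour-based detection over encrypted flows, using metadata only.

Added example, not RazorSecure's code. Device names, peer addresses and the
byte counts below are constructed; the 3-sigma threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds into the observation window
    src: str        # onboard device, e.g. a passenger information server
    dst: str        # remote peer
    dport: int
    bytes_out: int  # bytes sent by src; the payload itself is TLS and opaque


# Constructed baseline: six hours of routine uploads from "pis-01" to two
# back-office services. Only sizes and peers are known, never the contents.
BASELINE = [Flow(3600 * i, "pis-01", "203.0.113.10", 443, 40_000 + 500 * (i % 3))
            for i in range(6)]
BASELINE += [Flow(3600 * i + 30, "pis-01", "203.0.113.11", 443, 12_000)
             for i in range(6)]

# Constructed new flows to score: one routine, one to a never-seen peer,
# one roughly twenty times the usual volume to a known peer.
OBSERVED = [
    Flow(25_000, "pis-01", "203.0.113.10", 443, 41_000),
    Flow(25_100, "pis-01", "198.51.100.7", 443, 9_000),
    Flow(25_200, "pis-01", "203.0.113.10", 443, 900_000),
]


def build_profile(flows):
    """Per (device, peer, port): mean and population std-dev of bytes_out."""
    volumes = defaultdict(list)
    for f in flows:
        volumes[(f.src, f.dst, f.dport)].append(f.bytes_out)
    return {key: (mean(v), pstdev(v)) for key, v in volumes.items()}


def score_flows(flows, profile, z_threshold=3.0):
    """Return (flow, reason) pairs. The payload is never examined, so
    encryption does not affect the result."""
    known_devices = {src for (src, _, _) in profile}
    alerts = []
    for f in flows:
        if f.src not in known_devices:
            alerts.append((f, "unknown source device"))
            continue
        key = (f.src, f.dst, f.dport)
        if key not in profile:
            alerts.append((f, "new peer for this device"))
            continue
        avg, sd = profile[key]
        z = (f.bytes_out - avg) / (sd if sd > 0 else 1.0)
        if z > z_threshold:
            alerts.append((f, f"outbound volume {z:.0f} sigma above baseline"))
    return alerts


def detect(baseline=BASELINE, observed=OBSERVED):
    return score_flows(observed, build_profile(baseline))


if __name__ == "__main__":
    for flow, reason in detect():
        print(f"{flow.ts:>6}s {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run as-is, the routine flow passes, the flow to the never-seen peer is flagged, and the 900 kB upload to a known peer is flagged on volume alone. Profiling per (device, peer, port) rather than per device keeps a low-volume service from masking a spike on a high-volume one; on a real fleet the baseline would be learned over days, not hours.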
How does this apply to the railway, signalling and rolling stock?
The perimeter, a form of barrier between your network and the external world, is a questionable concept in cyber security. While it may have some merit in a static office environment, its place within rail is less straightforward. For railway systems, the concept of a perimeter and the lines around it are blurred. The reality is that the perimeter of a train may not be on board at all; it could exist in a public cloud system.
Also, in a typical hosting centre environment, you have a physical perimeter that you can control. In the rail industry, the boundary is much harder to define, with systems hidden in toilets and behind cabinets that are accessible from passenger areas; there are very few physical controls.
Given the limitations of a railway environment, considering attacks other than network-based attacks is crucial. If an attacker can plug in a USB device or connect their own network cable, that vulnerability needs addressing as part of a risk-based approach. Most network intrusion detection systems wouldn’t consider a physical attack a priority, because such attacks are generally unlikely in a hosting centre.
The railway requires a more nuanced approach, combining host-based and network-based solutions.
A hybrid approach to cyber security
At RazorSecure, we often talk about our hybrid approach to cyber security. For us, this means that we combine our ability to detect host-based attacks (i.e. attacks directly on operating systems, information systems, onboard web servers, etc.) with network-based detection.
We see this combination of approaches as vital to dealing with the unique challenges that rolling stock and signalling environments must address. In particular:
Lack of physical security
Lack of patching and security updates
Lack of ability to update attack signatures
Lack of connectivity
In many cases, there is also a lack of basic security controls, including authentication, encryption and network segmentation
Each of these elements must be considered when deploying effective detection mechanisms for railway systems. Physical security challenges, combined with a lack of connectivity and of the ability to update systems, mean that detection requires a variety of approaches rather than a one-size-fits-all approach.
Our hybrid approach to cyber security, combining network- and host-based detection, is effective because it takes these limitations into account. The solution remains effective over the life of the asset, a crucial consideration when systems are in service for upwards of thirty years.
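To illustrate what host-based and network-based detection add to each other, here is an added example that is not RazorSecure's product logic. It correlates constructed host telemetry (a USB storage device appearing, a new listening service starting) with constructed network telemetry (a first-seen endpoint on the onboard segment, a flow to the new service). Host names, addresses, ports, event kinds and the 300-second correlation window are all assumptions; the USB insertion in particular produces no packets and is the kind of physical attack discussed above that a network-only sensor cannot see.

```python
"""Hybrid detection: correlating host-based and network-based telemetry.

Added example, not RazorSecure's product logic. Hosts, addresses, ports and
event kinds are constructed; the 300-second correlation window is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostEvent:
    ts: int
    host: str
    kind: str            # "usb_storage_attached" or "new_listening_service"
    port: Optional[int]  # listening port for new_listening_service, else None
    detail: str


@dataclass(frozen=True)
class NetEvent:
    ts: int
    kind: str   # "new_endpoint" (first sighting on the segment) or "flow"
    src: str
    dst: str
    dport: int


HOST_ADDR = {"pis-01": "10.0.5.20"}   # constructed onboard address map

# Constructed telemetry from one coach: removable media appears on the PIS
# server, an unfamiliar endpoint joins the segment, the server starts a new
# listener, and the new endpoint talks to it.
HOST_EVENTS = [
    HostEvent(100, "pis-01", "usb_storage_attached", None, "idVendor=0x0781"),
    HostEvent(160, "pis-01", "new_listening_service", 8080, "/tmp/updater"),
]
NET_EVENTS = [
    NetEvent(140, "new_endpoint", "10.0.5.77", "10.0.5.20", 8080),
    NetEvent(200, "flow", "10.0.5.77", "10.0.5.20", 8080),
]


def correlate(host_events, net_events, window=300):
    """Return (severity, host, message) tuples."""
    alerts = []
    for h in host_events:
        # A USB insertion generates no packets: only the host sensor can see it.
        if h.kind == "usb_storage_attached":
            alerts.append(("medium", h.host,
                           f"removable media attached ({h.detail}); host-only signal"))
        elif h.kind == "new_listening_service":
            addr = HOST_ADDR.get(h.host)
            # Network side: who talked to the new port within the window,
            # and which of those sources were never seen on the segment before.
            callers = {n.src for n in net_events
                       if n.kind == "flow" and n.dst == addr and n.dport == h.port
                       and abs(n.ts - h.ts) <= window}
            newcomers = {n.src for n in net_events
                         if n.kind == "new_endpoint" and abs(n.ts - h.ts) <= window}
            if not callers:
                sev = "low"      # new service, nobody talking to it yet
            elif callers & newcomers:
                sev = "high"     # new service reached by a first-seen endpoint
            else:
                sev = "medium"   # new service reached by a known endpoint
            alerts.append((sev, h.host,
                           f"new listener tcp/{h.port} ({h.detail}); callers={sorted(callers)}"))
    return alerts


def detect(host_events=HOST_EVENTS, net_events=NET_EVENTS):
    return correlate(host_events, net_events)


if __name__ == "__main__":
    for sev, host, msg in detect():
        print(f"[{sev}] {host}: {msg}")
```

With only the network events, the sensor sees a new endpoint and one flow on tcp/8080, neither of which is remarkable on its own; with only the host events, it sees removable media and a new listener but has no idea whether anyone reached it. Correlating the two rates the listener as high severity, and the USB insertion is reported regardless, which no amount of packet inspection could have produced.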