Why security by obscurity does not work for rail cyber security
“We’ll just keep it secret, they can’t hack what they don’t understand”
It sounds like a pretty compelling argument, doesn't it? You've just finished designing a system. It uses proprietary software that was developed in house, and the design documents are marked as confidential internally.
How could anyone figure out how to hack the system you've just developed? You were careful: you did some OS hardening, you followed good development practices and you scanned the code with a static analyser.
And that is how it starts…
Security by obscurity is not a new concept
First, let's explain what security by obscurity is. Quite simply, it is the assumption that if you keep key details about the design of a system secret, the system will stay secure. The only reason it is "secure" is that no one knows it exists or how it works. System owners who rely on security by obscurity believe they are minimising the risk of being targeted by an attack. But obscurity does not actually secure anything. You are just putting a network or system out of easy reach. Anyone who looks around can find it, and access it.
Think of it like storing your life savings by burying them in your back garden under a big tree. A bank has several mechanisms protecting access to your savings through various layers of security; your garden is only safe for as long as no one knows you put the money there.
The first known example of someone challenging this thinking was in 1851, when a locksmith demonstrated that even the state-of-the-art locks of the day could be picked. More commonly the idea is attributed to Kerckhoffs's principle, which in 1883 stated that "one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them."
Importantly, this is a concept that has existed for over a century. It was identified as a fallacy by experts in the field long ago, yet it continues to exist today in a modern digital environment.
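To make Kerckhoffs's principle concrete, here is an added illustration (not code from the original article or from any rail supplier). It contrasts a "proprietary" scrambling of a stored maintenance PIN, whose only secret is the transform itself, with a keyed HMAC where the algorithm is public and only a per-device key is private. The PIN value, the XOR constant and the device keys are constructed for the example and are not real credentials.

```python
import hashlib
import hmac
import secrets

# --- Security by obscurity -------------------------------------------------
# The "protection" is a fixed transform baked into firmware. Nothing else is
# secret, so a leaked design document or a second-hand unit gives everything
# away. The constant below is a constructed example value.
OBSCURE_CONSTANT = 0x5A


def obscure_pin(pin: str) -> bytes:
    """Scramble a PIN with a fixed, undocumented XOR (the obscurity scheme)."""
    return bytes(b ^ OBSCURE_CONSTANT for b in pin.encode())


def recover_pin_from_obscured(blob: bytes) -> str:
    """Knowing the design is enough: the transform is its own inverse."""
    return bytes(b ^ OBSCURE_CONSTANT for b in blob).decode()


# --- Kerckhoffs-compliant --------------------------------------------------
# The algorithm (HMAC-SHA256) can be printed in the manual. Security rests
# only on a key that is unique to each device and never appears in the design.
def keyed_tag(pin: str, key: bytes) -> bytes:
    """Compute a keyed tag over the PIN; the algorithm is public."""
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


def verify_pin(pin: str, key: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak the stored tag."""
    return hmac.compare_digest(keyed_tag(pin, key), expected)


def demo() -> dict:
    """Show what each scheme still protects once its design is fully known."""
    pin = "2468"  # constructed example PIN

    # Obscurity: anyone holding the transform reverses the stored value outright.
    stored_blob = obscure_pin(pin)
    recovered = recover_pin_from_obscured(stored_blob)

    # Kerckhoffs: the legitimate device holds its own key and verifies correctly.
    device_key = secrets.token_bytes(32)
    stored_tag = keyed_tag(pin, device_key)
    accepted_with_key = verify_pin(pin, device_key, stored_tag)

    # Someone who knows the algorithm but not the key cannot reproduce the tag,
    # even when supplying the correct PIN.
    other_key = secrets.token_bytes(32)
    accepted_without_key = verify_pin(pin, other_key, stored_tag)

    return {
        "obscurity_recovered": recovered == pin,
        "keyed_with_key": accepted_with_key,
        "keyed_without_key": accepted_without_key,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is what survives disclosure: once the XOR transform is known there is no secret left, whereas publishing the HMAC construction costs nothing as long as each device's key is generated and stored separately from the design documentation.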
But the information about my system is a closely guarded secret, it is impossible for someone to get that information…
Who has access to that information? Will they work for the company forever? Is it stored in a digital format that is accessible to the rest of the organisation?
The truth is that you lost control of the information the moment that the system was developed.
If the security of a system relies on keeping the implementation or structure of it a secret, the entire system becomes vulnerable when the first person discovers how the security mechanism works—and there is always someone that is determined to discover these secrets. We’ve seen cases in rail where documents have been leaked to third parties, where proprietary hardware has been sold on eBay and where highly sensitive documents have ended up on the Darkweb. These documents included default passwords and full information about the security measures in place.
Also, physical access to devices cannot be prevented in a transport environment (either through poor end-of-life procedures or access to the equipment while in service). So again, you have lost control of the security measures in place.
Why would anyone hack this rail system? It does not perform a critical function.
Maybe not, but it might be connected to a system that does, or it may provide a different opportunity for an attacker. Direct attacks against a system are often not the route in for a hacker; indirect attacks may provide an easier route because the manufacturer has not considered them.
Creating a beachhead within a network can be as effective as hacking a critical system. The dwell time of an attacker gives them the opportunity to learn information and gain further footholds into the network.
You must assume that an attacker has near unlimited time to breach your system, whereas you have only a limited opportunity to protect it. The unfortunate truth is that they only have to win once to be able to breach your system.
So how do I secure my rail system?
The good news is that you're not alone in this problem. Cyber security is a team sport, with no prizes for someone who goes it alone. Look to international standards and regulations such as NIS, NIST, ISO 27001, IEC 62443 and the upcoming CENELEC standards for guidance on how best to secure your systems.
Look for solutions (like RazorSecure Delta) that can provide detailed monitoring and remain effective over the life of the asset.
If you are buying systems, then look to add cyber security requirements to the tender/procurement. It is much easier for suppliers if these are specified in advance, and it encourages them to meet the international standards and regulations that are in place to protect you as a transport operator.
And where you are unsure, seek specialist help to address security concerns. You are not alone, and there are skilled people who can help guide you through what may seem like an insurmountable hurdle.