Who hasn’t been frustrated when traffic comes to a standstill or the underground breaks down? Such frustration is a very real human emotion that lets us know that our highways, subways and light rail transit systems are vital for our lives to run smoothly. Add it up across thousands or millions of people: if transportation systems don’t work, entire economies and societies suffer.
Why then have some critical infrastructure industries, such as the energy sector, been better at adopting cybersecurity practices while the transportation sector has been lagging in this area?
The answer, I think, is that never before has the transportation industry been under such pressure to increase capacity and at the same time become more efficient. Efficiency in this case means improving financial returns and consuming fewer natural resources.
Let’s take a look at how, in this challenging environment, passenger rail and public transportation systems can improve their Industrial Control Systems (ICS) security.
The global urbanization trend is putting pressure on passenger transportation systems to increase capacity and become more efficient. How can they also improve ICS security?Image Courtesy: Toronto Transit Collection 2014
Adoption of Ethernet Networks Increases Cyber Threats
In order to realize improvements in performance and capacity, rail operators are utilizing advances in technology while at the same time seeking to reduce capital expenditures. This inevitably means a shift from traditional legacy systems using stand-alone bespoke equipment to a greater use of standardized technologies, protocols and operating systems (Ethernet, for example).
These newer technologies typically have open interfaces and standardized protocols. Consequently, as they are designed into control and communication systems at an increasing rate, the risk to transportation systems from cyberattacks also increases.
In addition, to achieve superior value and an increased level of customer service the interconnectivity between what have previously been stand-alone systems, is greater than it has ever been before. An example is connecting train control systems with seismic or tunnel drainage monitors for enhanced safety and reliability. This interconnectivity, sometimes using leased lines of communication infrastructure, also creates a new and real risk when it comes to cybersecurity.
Cyber Risk Extends Beyond Safety Risks
But does cybersecurity really matter, given the fail-safe methodologies used within the transportation industry? It is true that a safety-focused culture, particularly within the rail sector, mitigates some of the immediate risk, but not the consequential risks.
By consequential risks I mean that the ongoing operation of a compromised transport system may be degraded rather than actually halted; late running trains or some ticket barriers not working for example. In addition, as operational systems become more complex, reliably achieving fail-safe conditions is more challenging, especially when subjected to a deliberate cyberattack.
It is also important to note that the cyber risks are not limited to safety. Cybersecurity has the potential to affect the whole supply chain. Failures in the supply chain, especially those that persist for a few days, will quickly have a direct operational impact. For example, spare parts may not be delivered to a maintenance depot, resulting in trains being out of service and a degraded operational service.
There are also reputational and commercial risks, especially when attacks directly affect passengers or passenger services. Finally, the media interest in cybersecurity has the potential to give wide coverage to even minor incidents; any response to transportation related cyberattacks will be in the public domain and will have a high impact on passenger trust in the system.
ICS Security Standards for Public Transportation Systems
Increased cyber risk is the reason that groups like the ones listed below have all published cybersecurity recommendations for rail operators over the past few years:
- APTA - American Public Transportation Association, an industry association
- Securing Control and Communication Systems in Transit Environments – Part 1
- RSSB - UK Railway Safety and Standards Board, a railway stakeholder group
- Rail Cybersecurity Guidance to Industry
- US-CERT - United Stated Computer Emergency Readiness Team, a government body
- Transportation Industrial Control System (ICS)Cybersecurity Standards Strategy
- ENISA Railway - European Union Agency For Network And Information Security, another government body
- Cybersecurity and Resilience of Intelligent Public Transport. Good practices and recommendations
Thanks to the recommendations of these groups plus the overall ICS cybersecurity standards developed by ISA and IEC (ISA IEC 62443) there are a lot of resources available to turn to for guidance. But it doesn’t have to be overwhelming; here are some simple principles to help you.
ICS Security Tip #1: Start with a Risk Assessment
Taking the first step in a new area is always the hardest, but take heart; guidance is available. The best practices incorporated into the industry and government recommendations mentioned above are available to guide you.
The first step is to conduct a risk assessment; you need to understand what your network looks like and where the critical assets are. Then think about your risk tolerance for the different assets. It will be different, for example, for signaling systems versus passenger Wi-Fi services.
This might sound like a big project, or a costly consulting engagement. However, it is possible to do it internally and at no cost. While this may not be for everyone, it could be a viable option if a third-party assessment is not in your budget right now. It is also better than doing nothing about improving the security of your ICS network.
Learning this process is important and it is not a one-time exercise. Good security requires monitoring, evaluating and improving your plans regularly in order to ensure current measures are working effectively. This will also help you recognize new or developing risks to the network.
ICS Security Tip #2: Plan a Defense in Depth Strategy
After completing the risk assessment, the next step is to create a plan to secure your network. Again, using the collected knowledge of the experts in this area, the approach you want to take is called Defense in Depth (DiD), which basically means multiple layers of defense distributed throughout the network.
A well-developed DiD strategy includes:
- Multiple layers of defense instead of relying on a single point of security
- Differentiated layers of defense, ensuring an attacker can’t access all subsequent layers after getting past the first
- Context- and threat-specific layers of defense, meaning each layer is optimized to deal with a specific class of threat
- Zones of defense where devices with similar security requirements are secured by a conduit as per the ISA IEC 62443 standard
If your network is protected by a DiD strategy, the impact of an accidental security incident or a malicious attack will be limited to the zone where the problem began. You want to set up your systems so that the right people or teams receive an alarm and start working on incidents in a timely fashion.
This diagram groups together devices and systems with similar security requirements. The next step, as per the ISA 62443 standard, would be to specify conduits, such as industrial firewalls, to control communications between the zones. Source: APTA Part II
ICS Security Tip #3: Protect the Critical Assets First
Lastly, you must prioritize the critical assets. These are the systems that would cause a complete disaster for your network if they were shut down (either unintentionally or maliciously).
For a passenger rail system, typical examples would be the remote terminal units (RTU) in signaling control systems or the network infrastructure running a Communications-Based Train Control (CBTC) system. Aggressively protect these assets and the chance of a truly serious cyber incident is greatly reduced.
Get Started on Cybersecurity for Public Transportation Systems
Don’t let the:
- Efficiency challenges of the day
- Complications brought on by increased connectivity
- High cost of formal risk assessments
keep you from protecting your transportation systems effectively.
By taking the right steps to understand your risks, choosing a layered approach, and prioritizing your most important assets, you can successfully implement good cyber defenses.
What are the challenges you face in implementing cybersecurity measures? Do you have any tips to pass onto others? We look forward to hearing from you.
ICS Security Resources
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: What Advanced Persistent Threats (APTs) Can Teach the ICS and SCADA Security Practitioner
- Blog: Industrial Wireless Network Design for Railways
Belden Cyber Security Solutions for Transportation