Managing Cybersecurity Risk in America’s Modern Railroads

In 2015, a single rail system suffered 2.7 million hacking attempts in less than two months…in a simulation.

Project Honeytrain, a massive cybersecurity experiment conducted by two prominent security companies, Britain’s Sophos and Koramis of Germany, tried to name risks to industrial transportation infrastructure by creating a fake railroad system online and watching the attacks against it. Although the simulation was conducted 7 years ago, there were a number of findings that stay relevant today:

• Automated dictionary attacks to crack unknown passwords using common and overused words, phrases and combinations were the most frequent form of attack. Even with today’s increased awareness of the need for password complexity, dictionaries are simple, automatic and readily available out-of-the-box hacking tools that only have to work a single time to be worthwhile for the hacker.
• “Only” four of the attacks resulted in successful logins, but two of those were from dictionary attacks. Attackers who successfully logged in once then logged in repeatedly.
• One attacker was able to commandeer the front lights of a simulated train engine.
• Security settings were discovered and exported. The same attacker who took control of the front lights also tried to log into the track signaling interface.
• Another attack was on the media server, aimed at altering a public-facing website.

What this experiment uncovered is that a sizable portion of railway hackers don’t just have cybersecurity knowledge, but also have a deep understanding of the complexities and intricacies of the rail industry and operations.

The Scope of Railway Infrastructure Cybersecurity Attacks and the Rise of Ransomware

“An unlooked-for consequence of the railroad, is the increased acquaintance it has given the American people with the boundless resources of their own soil…Railroad iron is a magician's rod, in its power to evoke the sleeping energies of land and water.” – Ralph Waldo Emerson

As deep as our country’s “rail roots” run, America’s relationship with rail is more than poetic romance. In a typical year, continental U.S. freight railroads move around 1.7 billion tons over (just under) 140,000-miles of track and accounts for 40% of all American freight. Passengers travel about 17 billion miles a year on rail. American rail composes a major part of the national economic circulatory system. Spiritually, emotionally and physically, rail built the modern US economy and is a critical component of the transportation industry. In conjunction with the trucking industry, transportation can account for 40-60% of the overall costs of supporting a supply chain.

The interchange between trucking and rail has made new innovations. The new Des Moines Transload Facility provides one of the few places in the country where multiple Class 1 (national) and Class 2 trains can seamlessly, openly and competitively exchange freight with trucking companies or even other rail companies. This increased efficiency is critical to lowering shipping costs and making the entire transportation infrastructure more robust, but it also demands an innovative approach to transportation cybersecurity risk management.

Since Honeytrain, the cybersecurity threat landscape for real rail companies has only grown. Last month, many trains in Denmark ground to a halt for several hours. It was the result of a third party vendor falling victim to ransomware.

Rail is very big business and is therefore also a very big target. Cybersecurity in the rail industry is only one part of supporting a safe supply chain, but it is critical.

The Growing Relationship of Operations and Information Security – Risks and Opportunities

In the old days of rail there was only operational technology. When information technology was first introduced, it was thought of as an add-on to the infrastructure. The CIO was in charge of Information Security, and the COO took care of everything that wasn’t a workstation, server or network, such as locomotives, cranes, signaling and switching, rail cars, and anything that causes that equipment to run. With the growth in IoT technology digitally interconnecting once fully autonomous, individually controlled machines, everything from GPS-connected freight locators to internet-accessible locomotive controls, is now under the purview of information technology. The CIO and COO have a lot of overlapping responsibilities.

Traditionally operational equipment becomes more digital. Telematics and other information is readily available. This is great for operations, but provides more challenges for cybersecurity in transportation. This includes ransomware. Rail is uniquely vulnerable to paying high ransoms, just because of the high value of the freight that could be stalled in transit. The value of planning, detection and response in rail cybersecurity can’t be overstated. Project Honeytrain demonstrates the value of rail companies regularly scheduling red team exercises and penetration testing in anticipation of thwarting future attacks.

Rail Cybersecurity Mitigation Actions and Testing Directive

Rail systems now have more and clearer guidance than ever before when it comes to cybersecurity. In October, the U.S. Transportation Security Administration released the Rail Cybersecurity Mitigation Actions and Testing Directive. With the growing sophistication of attack technology and bad actors and organizations and even governments, and with the growing importance of rail as critical infrastructure in the supply chain, the TSA has directed U.S. rail owners and operators to do the following:

• Identify critical cyber systems.
• Develop network segmentation policies and controls to ensure that operational technology systems can continue to run safely if IT systems are compromised.
• Create control measures to secure and prevent unauthorized access to critical cyber systems.
• Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
• Reduce the risk of exploitation of vulnerable systems by applying security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
• Establish a Transportation Cybersecurity Assessment Program and send the plan annually to the TSA, describing how the rail carrier will proactively and regularly assess the effectiveness of cybersecurity measures and show and resolve vulnerabilities.

Safety and security of the rail network is paramount, and requires having good technology, good information and good people in place with the power to act. If safety and security fails, freight fails.

For transportation cybersecurity planning and execution, contact the experts at HBS today.