With the announcement of a new security directive coming from TSA for the rail industry, cybersecurity has been getting a lot of deserved attention from rail operators lately. Properly managing cyber risks in this sector of the economy is now crucial, since increasing connectivity and software-driven operations are exposing railway industrial control systems (ICS), such as positive train control (PTC), to new attack vectors and threats. To keep passengers and crew safe on board, rail operators must implement preventive security measures to avoid cyberattacks that may lead to accidents.
There have been quite a few documented cybersecurity incidents within rail infrastructure around the world, including in Denmark, Germany and New York. Although the motivation for most of these attacks was to install ransomware for financial gain, the fact that an attacker could get that far into a rail operator’s network is a wake-up call for many. Even a relatively minor cyber-physical attack could be extremely damaging: if it affects a digital signaling system, it can create safety issues that endanger passengers or destroy infrastructure.
Safeguarding PTC systems and other operational technology (OT) in railways is essential to any country’s national security. The biggest issues with implementing good cybersecurity practices for rail infrastructure are the legacy systems and complex architectures, which can make this task difficult.
Many organizations have relied solely on information technology (IT) security tools in the past to protect themselves, such as endpoint detection and response (EDR), firewalls or antivirus software. These are not effective defense methods for control system environments, which are the backbone of our railways. Because ICS operators prioritize reliability and safety over all else, many IT security tools are simply too intrusive for sensitive industrial control system endpoints.
Here are three tips to help rail operators get started with ICS cybersecurity:
Rail operators should adopt a cybersecurity standard or framework
The NIST CSF is an excellent starting point for rail operators, and many other critical infrastructure organizations have implemented this framework successfully. Another great option for rail is the ISA/IEC 62443 series of standards. Compliance regulations targeting the rail industry are either already in progress or just around the corner in many countries around the world. A great way to prepare for these regulations is to apply a cybersecurity framework, like the NIST CSF or ISA/IEC 62443, to lay the groundwork for a measurable, provable cybersecurity program.
Invest in protective ICS security controls first
Lately, there has been a lot of focus on industry and governmental information sharing. This can be helpful at a macro level, but it doesn’t encourage basic security hygiene such as asset management, vulnerability monitoring, secure remote access and network segmentation, which many rail operators still do not have in place. You don’t invest in expensive surveillance cameras without installing locks on your doors and windows first, and the same holds true for cybersecurity. Once you have your foundational controls in place, you can move on to more advanced use cases like threat hunting and information sharing.
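Two of the foundational controls named above, asset management and network segmentation, can be checked against each other with very little tooling. The script below is an added illustration written for this article, not code from the original post or from any rail operator or vendor: it holds a constructed asset inventory and a constructed zone-and-conduit layout (hypothetical device names and CIDRs in the ISA/IEC 62443 "zones and conduits" style), then audits a handful of constructed network flow records to flag devices that are not in the inventory and traffic that crosses a zone boundary the policy does not allow. Real deployments would feed it inventory exports and flow logs from passive OT monitoring rather than the inline samples.

```python
"""Asset-inventory and zone-conduit audit for a rail OT network.

Added example, not from the original article. Every IP range, device
name, conduit rule and flow record here is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed zone layout (hypothetical CIDRs). Each OT zone gets its own
# network so that zone membership can be derived from an address.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "ptc": ipaddress.ip_network("10.10.1.0/24"),
    "signaling": ipaddress.ip_network("10.10.2.0/24"),
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed conduit policy: which zone may initiate traffic into which.
# Anything not listed (including addresses outside every zone) is a violation.
ALLOWED_CONDUITS: Dict[str, Set[str]] = {
    "ptc": {"ptc", "signaling"},
    "signaling": {"signaling", "ptc"},
    "enterprise": {"enterprise"},
}

# Constructed asset inventory (hypothetical device names): the operator's
# authoritative list of known OT endpoints.
INVENTORY: Dict[str, str] = {
    "10.10.1.10": "ptc-office-server-01",
    "10.10.1.11": "ptc-radio-gw-01",
    "10.10.2.20": "interlocking-ctl-01",
    "10.10.2.21": "wayside-io-01",
    "10.20.5.7": "eng-workstation-07",
}

# A flow record as a passive monitor might export it:
# (source IP, destination IP, destination port).
Flow = Tuple[str, str, int]

# Constructed sample flows used by the usage block and the checks below.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.1.10", "10.10.2.20", 502),   # PTC -> signaling: allowed conduit
    ("10.20.5.7", "10.10.2.20", 502),    # enterprise -> signaling: not allowed
    ("10.10.1.99", "10.10.1.10", 22),    # unknown device inside the PTC zone
    ("10.10.2.20", "10.10.2.21", 102),   # signaling -> signaling: allowed
    ("203.0.113.5", "10.10.1.10", 443),  # outside every zone -> PTC: not allowed
]


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'unknown' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def find_unknown_assets(flows: List[Flow]) -> Set[str]:
    """Addresses that appear on the wire but are absent from the inventory."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return seen - set(INVENTORY)


def find_conduit_violations(flows: List[Flow]) -> List[Tuple[str, str, str, str, int]]:
    """Flows whose source zone is not permitted to reach the destination zone."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone not in ALLOWED_CONDUITS.get(src_zone, set()):
            violations.append((src, dst, src_zone, dst_zone, port))
    return violations


def audit(flows: List[Flow]) -> Dict[str, object]:
    """Combine both checks into one report suitable for a daily review."""
    return {
        "unknown_assets": sorted(find_unknown_assets(flows)),
        "conduit_violations": find_conduit_violations(flows),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for ip in report["unknown_assets"]:
        print(f"UNKNOWN ASSET  {ip:<15} zone={zone_of(ip)}")
    for src, dst, sz, dz, port in report["conduit_violations"]:
        print(f"CONDUIT VIOLATION  {src} ({sz}) -> {dst} ({dz}) port {port}")
```

On the sample data the audit reports two unknown assets (the stray device in the PTC zone and the external address) and two conduit violations (the engineering workstation reaching into the signaling zone, and the external address reaching a PTC host). Both findings are things an operator without an asset inventory or a written conduit policy cannot even express, which is why these controls come before threat hunting and information sharing.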
Spend your limited cybersecurity budget wisely
Matching individual needs with specific cybersecurity solutions can be difficult, especially if your organization hasn’t yet invested in ICS cybersecurity. As mentioned above, it’s always good to start with the basics. Although buying the latest visibility and threat detection tools might sound cool and feel good, prioritizing investments in foundational controls first will set you up for success in the long term. Many organizations invest in a security tool that seems cutting-edge, only to discover one year later that it has brought them limited ROI and cost precious human resources to manage along the way.