As mentioned before, cyberattacks affecting critical systems have become almost daily news. Most of these systems use similar hardware, software and architectures, so any cyber incident in critical infrastructure, such as the recent ransomware attack on the US oil pipeline, sets off alarm bells for those in charge of rail security and safety. Security incidents are nothing new to the rail sector: a simple internet search turns up at least 30-40 reported cases, mostly in Europe, followed by North America, the Middle East and Asia Pacific. The true number is almost certainly much higher, because the sector has had few information-sharing requirements. The causes of the known incidents range from accidental misuse to targeted attacks led by cyber criminals or even nation states. The most serious safety-related incident on record happened back in 2008, when a 14-year-old boy in Poland built a wireless transmitter that he used to control and finally derail trams, injuring 12 people in the process.
A closer analysis of the incidents shows that ticketing, passenger information, CCTV, on-board Wi-Fi and entertainment systems are affected most often. Fortunately, in most cases the operational technology (OT) systems remained safe and secure, and the impact on them was either minor or unknown. These examples show that rail IT systems have been the main target so far. However, because of increasing interconnection, signalling, control and telemetry systems are becoming more exposed to such attacks as well. It is a reality that every rail operator will be affected at some point; the only variables are the type of incident, whether it is accidental or a targeted attack, and the severity of the impact. Whatever happens, it is common practice, and mandatory under EU law, to take steps both to protect critical systems and to recover them in a timely manner. The NIS Directive mandates that every EU member state implement regulations for critical infrastructure sectors with measures to secure IT/OT networks and information systems.
Rail operators are defined as so-called operators of essential services (OES). By 2018, each EU member state had to transpose and enforce these rules. In retrospect, awareness and the overall security level have improved significantly. However, the differing implementations across member states, including a lack of enforcement, have been criticised. That is why NIS 2.0 proposes to remedy these deficiencies through the following measures:
• A common risk management approach with a minimum list of basic security elements to apply
• Uniform procedures and deadlines for incident reporting
• Cybersecurity information exchange obligations
• Cybersecurity risk assessment and compulsory cybersecurity education for management
• Rigorous oversight and enforcement by authorities, with regular audits and random inspections
• Fines of up to 10 million euros or 2 % of the operator's total global annual turnover
As the NIS 2.0 fines approach those of the GDPR, cybersecurity of OT systems will become (if it is not already) a very important topic in future board meetings. The question is how much investment is needed to deal effectively with these risks. The required investment depends on the intended security level and the practices already in place, as well as the organisation's risk appetite. In traditional IT, companies typically spend on average 3-6% of their annual IT budget on managing cybersecurity risks; this includes spending on security hardware and software, professional training and salaries, and process development and maintenance. In the US, the first cybersecurity rules for rail transit were imposed at the end of 2021, when the federal government issued two cybersecurity mandates for "higher-risk" railroad and rail transit systems.
The new security measures order critical passenger and freight railways to take these actions:
• Report cyber incidents to the federal government within 24 hours
• Appoint a cybersecurity point person who is available 24/7
• Develop an incident response plan
• Conduct a vulnerability assessment
Before you start to identify business risks and gaps, you need to understand the variables in the security risk equation:
Security Risk = Likelihood × Impact = (Threats × Vulnerabilities) × Impact
In other words, security risk is a function of the likelihood that a threat exploits a vulnerability, resulting in an adverse impact. The product "Threats × Vulnerabilities" is a conceptual shorthand rather than an arithmetic formula: in practice, likelihood is estimated from the capability and motivation of the threat and from how exposed and exploitable the vulnerability is. Threats range from accidental misuse to malware or ransomware deployed by cyber criminals and nation states. There is no such thing as a perfectly secure system, because every software-based system has vulnerabilities; their number and severity depend on the system's age, how well it was designed and how well it is maintained. The risk of unwanted impacts such as safety, financial and reputational damage generally increases with the number of vulnerabilities and with how easy and attractive a target the system appears to be. Cyber risk is quantified with both qualitative and quantitative measures. Regardless of the metric, it is important to understand which threat and vulnerability variables drive the highest risk. Even with unlimited resources, no one can remove all vulnerabilities. Defining the risk appetite, i.e. which risks need to be addressed and which can be accepted or transferred, is primarily a business decision.
Typical cybersecurity risk assessment approaches are:
• Gap assessment
• Maturity assessment
• Vulnerability assessments
• Penetration tests
• Internal and external audits
• Automated tool-based security scans
Each of these approaches has its pros and cons. Note that some approaches can give a false sense of security: being compliant does not necessarily mean there is no risk, and the opposite is also true, since a "non-compliant" finding does not necessarily mean you are at high risk. When conducting an assessment or a penetration test on rail systems, it is strongly recommended to use security experts with both domain know-how and system expertise. ISO 27001 and IEC 62443 certification, together with rail references, are good indicators that you have the right experts. An assessment conducted purely by IT security experts will likely leave you with a long list of findings and vulnerabilities that are either irrelevant or impossible to fix because of the constraints of rail systems. Experience tells us that there is no one-size-fits-all rail security assessment methodology. A train, for example, is quite different from an interlocking or a CBTC system, so a tailored approach is required. For rail automation systems, the best results are achieved with an IEC 62443-based assessment (work is in progress to add aspects of the upcoming CENELEC TS 50701), whereas for rolling stock it makes more sense to use a customised threat and risk assessment: a detailed threat-modelling exercise carried out together with business representatives and rail cybersecurity experts. ISO 27001 offers a good basis for assessing a rail operator's governance and information security management system, and it is covered in part by IEC 62443.
Whichever method you use, you need up-to-date documentation (such as asset lists and network diagrams) and a security team that understands the system, its protection and business goals, and its processes. Understanding your system and domain is the key to producing high-quality, actionable results.
Regulations, vulnerabilities and threats change over time. Standards, best practices and experience suggest that penetration tests and assessments should be repeated regularly (at least every 2-3 years) to maintain transparency about business risks and gaps. The proper use of common IT tools can do a lot to automate and accelerate these tasks. Rail penetration testers may use the same tools as attackers to find vulnerabilities, but running asset discovery and vulnerability scanners against a live safety system is not recommended without precautions, since active probes can disturb or crash fragile embedded devices. Siemens developed a security testing service based on a tool called SiESTA (Siemens Extensible Security Testing Appliance). The tool takes advantage of the many well-known tools on the market (open source or commercial off-the-shelf), but with safety-critical OT systems in mind. The SiESTA framework provides a single user interface with multiple scanning engines, including Nessus, Nmap and many others running in parallel, and integrates the scan results into a unified, comprehensive report. It provides a set of approved test cases that can be reused or customised to scan entire networks or components automatically and safely. Although creating new test cases still requires experience with scanning methods, predefined test cases that have been approved for a system can be executed as part of routine system maintenance. Test cases come in many facets and can regularly scan a system for:
• Configuration changes
• Software version changes
• Software and configuration vulnerabilities
• Security policy compliance
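The kind of recurring test case just listed, shown as an added example rather than SiESTA code: a fresh scan of one host is compared against its approved baseline and the four kinds of change are reported. The host, package names, configuration file contents and policy checks are constructed for the example, and both "scans" are hand-built records; in practice the current snapshot would be filled from the scanning engines' output.

```python
"""Added example (not SiESTA code): compare a fresh scan of one host against
its approved baseline and report the four kinds of change a recurring test
case looks for. Packages, file contents and ports are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    kind: str    # version_change | config_change | port_change | policy_violation
    detail: str


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def snapshot(software: Dict[str, str], config_files: Dict[str, str],
             listening: Iterable[int]) -> dict:
    """Normalise one scan result. The hash of each config file is what the
    baseline comparison uses; the text is kept for the policy checks."""
    return {
        "software": dict(software),                       # package -> version
        "config_hash": {p: sha256(c) for p, c in config_files.items()},
        "config_text": dict(config_files),
        "listening": set(listening),                      # open service ports
    }


# Policy test cases: name -> predicate over a snapshot; True means compliant.
POLICY: Dict[str, Callable[[dict], bool]] = {
    "no-telnet-listener": lambda s: 23 not in s["listening"],
    "ssh-root-login-disabled": lambda s: any(
        "PermitRootLogin no" in text
        for path, text in s["config_text"].items() if path.endswith("sshd_config")),
}


def compare(baseline: dict, current: dict) -> List[Finding]:
    """Diff current against baseline, then evaluate the policy checks."""
    findings: List[Finding] = []
    for name, ver in current["software"].items():
        old = baseline["software"].get(name)
        if old is None:
            findings.append(Finding("version_change", f"new package {name} {ver}"))
        elif old != ver:
            findings.append(Finding("version_change", f"{name} {old} -> {ver}"))
    for name in sorted(baseline["software"].keys() - current["software"].keys()):
        findings.append(Finding("version_change", f"{name} removed"))
    for path, digest in current["config_hash"].items():
        if baseline["config_hash"].get(path) != digest:
            findings.append(Finding("config_change", path))
    for port in sorted(current["listening"] - baseline["listening"]):
        findings.append(Finding("port_change", f"new listener on port {port}"))
    for port in sorted(baseline["listening"] - current["listening"]):
        findings.append(Finding("port_change", f"listener on port {port} gone"))
    for name, check in POLICY.items():
        if not check(current):
            findings.append(Finding("policy_violation", name))
    return findings


# Constructed data: baseline captured at commissioning, current from a later scan.
BASELINE_SCAN = snapshot(
    {"openssh": "8.4p1", "vendor-agent": "3.1.2"},
    {"/etc/ssh/sshd_config": "Protocol 2\nPermitRootLogin no\n"},
    [22, 123])
CURRENT_SCAN = snapshot(
    {"openssh": "8.4p1", "vendor-agent": "3.2.0"},
    {"/etc/ssh/sshd_config": "Protocol 2\nPermitRootLogin yes\n"},
    [22, 123, 23])


def run_drift_example() -> List[Finding]:
    return compare(BASELINE_SCAN, CURRENT_SCAN)


if __name__ == "__main__":
    for f in run_drift_example():
        print(f"{f.kind:17} {f.detail}")
```

The comparison is deliberately read-only against data already collected, so the expensive or risky part (touching the safety system) happens once, under the approved test case, and everything else is offline bookkeeping that can run as often as needed.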
Security is about more than technology; it is also about people and processes. People are frequently described as the weakest link, but also as the first line of defence. Organisations therefore need to foster a security culture and a high level of risk awareness. A mature organisation differs from a less mature one in having well-defined structures and people in charge of both safety and cybersecurity. Staff must be trained regularly and must have a set of security policies and practices that they understand and follow. Yearly security awareness training for rail operations and maintenance staff, with rail-specific use cases, is recommended. Siemens faced its own cyber crisis in 2010 with Stuxnet, which shifted the company's focus to cybersecurity; its security organisation has since grown to around 1,200 cybersecurity professionals working on both internal and external projects. While some companies outsource their entire IT and security infrastructure, others like Siemens make a deliberate decision to keep security know-how, including incident response, in-house.
When it comes to protecting rail's complex and highly distributed systems, it is best to start with a digital asset inventory. Knowing which assets you own, and their current and historical status, is very important. This includes knowing the software or firmware versions of components, as well as how the assets are interconnected. Without this visibility you cannot distinguish between a threat and normal behaviour. The big question is where you get such a comprehensive list. Experience shows that this information is often scattered and, where it is in digital form at all, lives in Excel, Visio, Word and so on rather than in a central database. A centralised asset database is, however, highly recommended. It must be kept up to date and must be able to track every change, including security vulnerabilities and patches. For this purpose, Siemens uses its own asset database for both product development and customer projects. This database has grown over time and now contains over 90,000 vulnerability entries from various verified sources, including open source, commercial off-the-shelf (COTS) and Siemens' own software applications. It has interfaces to a Siemens Mobility database that is used to create and continuously update a "monitoring list" of software systems and components. Since automated discovery is not always possible, manual entries and the import of lists are supported. The SiESTA framework mentioned above, for example, can output the results of a scan as an asset list for this and other central databases. With the asset list in the database, changes can be monitored and information about new vulnerabilities communicated immediately by e-mail or other means. Such vulnerability alerts include general information about the affected software and a rating of severity and exploitability using the standard CVSS scoring metric. Note that a CVSS base score rates the vulnerability in isolation; whether it matters for a given asset also depends on where that asset sits in the network and whether the vulnerable function is reachable there.
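The matching step that turns an asset list plus a vulnerability feed into alerts, as an added example that is not the Siemens database or its interfaces: each asset's software versions are tested against the feed's affected version ranges and every hit is rated with the CVSS v3 qualitative bands. The asset names, zones, versions and vulnerability identifiers are constructed, and the version comparison is a simplified scheme (pre-release suffixes are not ordered correctly) rather than any vendor's versioning rules.

```python
"""Added example (not the Siemens asset or vulnerability database): match a
central asset inventory against a vulnerability feed by version range and
rate each hit with the CVSS v3 qualitative severity scale. All assets,
versions and vulnerability entries are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[Tuple[int, object], ...]:
    """Split '8.4p1' into ((0,8),(0,4),(1,'p'),(0,1)) so numeric parts compare
    numerically and are never compared against strings. Simplified: a suffix
    such as 'rc1' sorts after the bare version, which is wrong for pre-releases."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                  # identifier from the feed (constructed here)
    product: str
    fixed_in: Optional[str]       # first unaffected version; None = no fix yet
    introduced: str = "0"         # first affected version
    cvss: float = 0.0             # CVSS v3 base score
    source: str = "constructed"


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str                                  # network zone, for prioritisation
    software: Tuple[Tuple[str, str], ...]      # (product, version) pairs


@dataclass(frozen=True)
class Alert:
    asset_id: str
    zone: str
    product: str
    version: str
    vuln_id: str
    cvss: float
    severity: str


def affects(vuln: Vulnerability, version: str) -> bool:
    """True if version lies in [introduced, fixed_in)."""
    ver = parse_version(version)
    if ver < parse_version(vuln.introduced):
        return False
    if vuln.fixed_in is not None and ver >= parse_version(vuln.fixed_in):
        return False
    return True


def severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def match_assets(assets: List[Asset], feed: List[Vulnerability]) -> List[Alert]:
    """One alert per (asset, product, vulnerability) hit, highest CVSS first."""
    by_product: Dict[str, List[Vulnerability]] = {}
    for v in feed:
        by_product.setdefault(v.product, []).append(v)
    alerts = [
        Alert(a.asset_id, a.zone, product, version, v.vuln_id, v.cvss, severity(v.cvss))
        for a in assets
        for product, version in a.software
        for v in by_product.get(product, [])
        if affects(v, version)
    ]
    return sorted(alerts, key=lambda x: (-x.cvss, x.asset_id))


# Constructed inventory and feed.
ASSETS = [
    Asset("ixl-gw-01", "signalling", (("vendor-agent", "3.1.2"), ("openssh", "8.4p1"))),
    Asset("pis-srv-02", "passenger-info", (("vendor-agent", "3.2.0"), ("webserver", "1.8.3"))),
]
FEED = [
    Vulnerability("VULN-A", "vendor-agent", fixed_in="3.2.0", cvss=8.1),
    Vulnerability("VULN-B", "webserver", fixed_in="1.8.4", introduced="1.8.0", cvss=9.8),
    Vulnerability("VULN-C", "openssh", fixed_in="8.5", cvss=3.1),
]


def run_vuln_example() -> List[Alert]:
    return match_assets(ASSETS, FEED)


if __name__ == "__main__":
    for al in run_vuln_example():
        print(f"{al.severity:8} {al.cvss:4} {al.asset_id:10} {al.product} {al.version} {al.vuln_id}")
```

Sorting by base score is only the first cut; the zone field is carried in the alert so that a later step can rank a Medium finding on a signalling gateway above a High finding on an isolated test server.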
For the further assessment of a reported vulnerability, it makes sense to use the threat and risk assessment as the basis for managing it and for deciding on the mitigation measure.
With this information it can be decided, and prioritised, where software needs a patch or which application needs to be reconfigured or at least segmented to reduce the attack surface. The remedy for the infamous WannaCry ransomware, for example, could have been a Windows patch, but it could also have been as simple as disabling the SMB version 1 protocol through which it spread. Tools like SiESTA allow you to automate tasks such as audits that verify whether changes have been applied and whether misconfigurations or open ports can be exploited. Finally, limit the use of unauthorised applications, devices and users, and segment the network. When it comes to users, make sure that you only grant access to those who have a clear business purpose and have received proper training. Network access control (NAC), application whitelisting, data encryption, firewalls and data diodes (unidirectional gateways) are among the most common technical solutions for further enhancing security. Network segmentation is another important and highly effective security measure. As connectivity requirements for data analysis and other applications grow, fully air-gapped networks, if they ever existed, are impractical. Network traffic should be limited and controlled using industrial firewalls such as RuggedCom or SCALANCE S. Keep in mind that firewalls require properly configured rules as well as up-to-date firmware at all times; a firewall with an "any to any" rule, or one whose rule set nobody reviews against the intended zone model, provides little protection. If maintaining firewall rules is too complicated, or if two-way communication is not required, data diodes such as the Siemens Data Capture Unit (DCU) are a safe and secure option. One-way communication has been used in the defence sector for years in mission-critical applications. DCU technology supports many protocols that are two-way by design on IP (Internet Protocol), such as TCP (Transmission Control Protocol), and also supports use cases such as security monitoring of safety-critical rail network segments and secure cloud communication.
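A rule-set review of the kind the previous paragraph calls for, as an added example that is not a Siemens tool or a RuggedCom or SCALANCE S feature: each allow rule is checked against a zone-and-conduit model, and rules with no approved conduit, wildcard rules, and rules that would send traffic back against a one-way (diode) conduit are reported. The zones, address ranges, conduits and rules are constructed; a real rule set would be exported from the firewall and parsed into the same Rule records.

```python
"""Added example (not a Siemens tool): check a firewall rule set against a
zone-and-conduit model. Flags rules with no approved conduit, rules that are
too broad, and rules that would send traffic back through a one-way conduit
(data diode). Zones, conduits and rules are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    one_way: bool = False   # True: traffic only src -> dst (diode), no return path


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"


def zone_of(cidr: str, zones: Dict[str, IPv4Network]) -> Optional[str]:
    """Zone containing cidr, 'any' for a wildcard, None if outside every zone."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr, strict=False)
    for name, zone_net in zones.items():
        if net.subnet_of(zone_net):
            return name
    return None


def check_rules(rules: List[Rule], zones: Dict[str, IPv4Network],
                conduits: List[Conduit]) -> List[str]:
    """One finding per problematic allow rule; deny rules are not inspected."""
    findings: List[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "any" or r.dst == "any" or r.proto == "any" or r.port is None:
            findings.append(f"{r.name}: overly permissive (wildcard source, destination, protocol or port)")
            continue
        sz, dz = zone_of(r.src, zones), zone_of(r.dst, zones)
        if sz is None or dz is None:
            findings.append(f"{r.name}: address outside any defined zone")
            continue
        if any(c.src_zone == sz and c.dst_zone == dz and c.proto == r.proto and c.port == r.port
               for c in conduits):
            continue   # flow is covered by an approved conduit
        if any(c.one_way and c.src_zone == dz and c.dst_zone == sz
               and c.proto == r.proto and c.port == r.port for c in conduits):
            findings.append(f"{r.name}: reverse direction of one-way conduit {dz} -> {sz}")
        else:
            findings.append(f"{r.name}: no approved conduit for {sz} -> {dz} {r.proto}/{r.port}")
    return findings


# Constructed zone model: three zones, two approved conduits.
ZONES = {
    "signalling": ip_network("10.10.0.0/24"),
    "maintenance": ip_network("10.20.0.0/24"),
    "enterprise": ip_network("10.30.0.0/16"),
}
CONDUITS = [
    Conduit("maintenance", "signalling", "tcp", 22),                  # engineering access
    Conduit("signalling", "enterprise", "udp", 514, one_way=True),    # syslog out via diode
]
RULES = [
    Rule("eng-ssh", "10.20.0.0/24", "10.10.0.0/24", "tcp", 22, "allow"),
    Rule("rdp-from-office", "10.30.0.0/16", "10.10.0.0/24", "tcp", 3389, "allow"),
    Rule("temp-any", "any", "10.10.0.0/24", "any", None, "allow"),
    Rule("syslog-back", "10.30.5.0/24", "10.10.0.0/24", "udp", 514, "allow"),
    Rule("default-deny", "any", "any", "any", None, "deny"),
]


def run_segmentation_example() -> List[str]:
    return check_rules(RULES, ZONES, CONDUITS)


if __name__ == "__main__":
    print("\n".join(run_segmentation_example()) or "rule set matches the zone model")
```

The check assumes a stateful firewall, so a bidirectional conduit needs only one allow rule in the initiating direction; for a one-way conduit the absence of any rule in the reverse direction is exactly what the diode is supposed to guarantee, and a rule that re-creates that path is reported.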
The Siemens DCU uses electromagnetic induction for its hardware-based separation: effectively, there is no direct connection and no software that an attacker could manipulate or bypass. All of the security measures and controls mentioned above are important and will improve your overall security posture. The question is whether they are permitted and, if so, how to implement them without causing harm to the system. This must be discussed with, and approved by, the supplier or system integrator, especially for legacy or safety systems. Reaction-free technologies like Siemens' DCU can ease the homologation process.