— by Julie Sneider, assistant editor
A year ago, an online activist group known as "Anonymous" hacked into Bay Area Rapid Transit's (BART) websites twice in one week. The attacks stemmed from an incident a few weeks earlier in which BART police fatally shot a man on a BART station platform, then days later shut off riders' cell phone service to quash a planned protest of the shooting.
In response to the cell service shut-off, Anonymous hackers broke into a website and gained access to names, phone numbers, email addresses and passwords of more than 2,000 riders. Next, they broke into another BART-related site and posted on a separate website the names, home and email addresses of more than 100 BART police officers.
The BART situation illustrates two realities of today's cyber security war. First, electronic threats and risks to sensitive data networks are increasing in number and sophistication. Second, hackers are becoming much more specific in terms of who they are targeting with the intent of gaining access to private information and/or disrupting business operations or service, say railroad information technology (IT) security experts.
"Really, you can almost track the evolution of the cyber security threats just by watching the news," says Mark Grant, director of information security and enterprise architecture at CSX Corp. "You go back five years and the stories basically were about people's computers being infected with a virus. Well, that problem has largely been solved — not many people catch computer viruses that impact their companies anymore."
Today, cyber attackers are more technologically savvy and able to take advantage of e-security weaknesses, says Grant. As a result, railroads aren't just on the alert for generic cyber invasions. They also need to be prepared to fend off hackers, terrorists or other well-resourced adversaries bent on breaching a particular company's firewalls and e-security systems.
"It really is a bit of an arms race," he says.
To get a leg up, CSX frequently upgrades its security systems to protect against the latest evolving threats in the cyber world. In general, though, the Class I uses a multi-layered, risk-based approach to IT security.
"When we think about our environment, we think about the potential consequences from the perspective of a successful cyber attack," Grant says. "We try to have defenses in place that would mitigate the risks from those threats. It's really a continual process, where we are continually adjusting our security, and our security is very much a layered approach. We'll have one layer of filtering and we'll have monitoring behind that. We don't just rely on one thing."
A successful security program entails efforts to monitor and prevent attacks from occurring, as well as response and recovery plans in place should a threat arise or an attack occur. CSX monitors its security systems 24/7, and has escalating steps in place to respond quickly if a threat is detected, Grant says.
To check for system vulnerability, CSX will hire "ethical hackers" to test the Class I's defenses, then recommend any necessary security-tightening measures, he adds.
To stay up-to-date on the potential risks and threats, Grant's department remains in continual contact with CSX's e-security suppliers, other members of the rail industry, the Association of American Railroads (AAR), the U.S. Department of Homeland Security, the Transportation Security Administration and other government entities.
Common cyber threats that railroads watch out for include nation-sponsored, recreational or anti-social hacking; phishing attacks; browser attacks; data breaches; data theft from internal or external sources; cloud security; and mobile devices, including bring-your-own device solutions, said Doniele Carlson, Kansas City Southern's assistant vice president of corporate communications and community affairs, in an email.
KCS applies several prevention strategies including security architecture, patch management, intrusion detection and prevention, firewalls, active monitoring, anti-virus software, application security, data encryption, password policies, active process and exception management, education and security awareness, response and containment programs and frequent assessments of vulnerabilities, said Carlson.
"Over time, the risks have become more frequent, persistent and sophisticated," she said. "The increased use of mobile devices by regular consumers also adds to security complexities."
Some of the latest cyber-protection technology available includes biometric security and multi-factor authentication. Additionally, improvements have been made in intrusion detection and prevention, firewalls, active monitoring and anti-virus software, Carlson said.
KCS, CSX, other Class Is and Amtrak belong to the AAR's Railway Information Security Committee, which was created in the 1990s as the coordination point for sharing experiences and information on effective security practices. The committee, which comprises the railroads' IT leaders, convenes every two weeks to discuss concerns, share experiences and talk about what each is doing to enhance security. The group also periodically runs exercises to test railroads' responses to cyber emergencies.
"The first area of focus is on ensuring safety and efficiency of the railroad and train operations," says Thomas Farmer, AAR's assistant vice president for security. "The other element is from a more general security perspective, working to ensure the business/administrative side."
The railroads maintain a distinction between their operations networks — those involved in the train activity and supporting dispatch system — versus the business/administrative side of the computer network structure, says Farmer.
"That distinction is important. What you don't want to have is a situation where there is an ability to get into operational networks through a business connection," he says.
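The operations/business split Farmer describes comes down to a default-deny policy at the zone boundary: business-side systems get no path into the operational network, while the few cross-zone flows that are needed run in the other direction and are listed explicitly. The following is an added example, not CSX, AAR or any railroad's configuration; the zone names, subnets, ports, rule set and sample flows are all constructed for illustration. It evaluates sample flows against such a policy and lints the rule set for the business-to-operations path the article warns against.

```python
"""
Zone-based flow policy check illustrating an operations/business network split.
Added example; not railroad code.  Every address, port and rule is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: two zones on separate networks.
ZONES = {
    "business":   ipaddress.ip_network("10.10.0.0/16"),
    "operations": ipaddress.ip_network("10.200.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Explicit allow-list; anything not listed is denied (default deny).
# The only cross-zone traffic is operations -> business, e.g. a historian
# pushing telemetry to a reporting database (assumed port 5432).
ALLOW: List[Rule] = [
    Rule("operations", "business", 5432),
    Rule("business", "business", 443),
    Rule("operations", "operations", 502),   # Modbus/TCP stays inside the OT zone
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to neither."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Return 'allow' only for a flow that matches an explicit rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown zone: never trusted by default
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.dst_port, r.proto) == (src, dst, dst_port, proto):
            return "allow"
    return "deny"


def lint_policy(rules: List[Rule]) -> List[Rule]:
    """Flag any rule that opens a path from the business zone into operations."""
    return [r for r in rules if r.src_zone == "business" and r.dst_zone == "operations"]


# Constructed sample flows: (src, dst, port) tuples a boundary device might see.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.10.4.20", "10.10.8.5", 443),    # business workstation -> business web app
    ("10.10.4.20", "10.200.1.9", 502),   # business workstation -> OT controller: the pivot to block
    ("10.200.1.9", "10.10.8.5", 5432),   # OT historian -> business reporting DB (one-way, allowed)
    ("10.200.1.9", "10.200.1.10", 502),  # controller-to-controller inside OT
    ("192.168.1.1", "10.200.1.9", 502),  # address outside both zones
]


def audit(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Decide each sample flow in order; handy for checking a rule change."""
    return [decide(s, d, p) for s, d, p in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[2]}")
    bad = lint_policy(ALLOW + [Rule("business", "operations", 3389)])
    print("rules opening business->operations:", bad)
```

Running the script shows the business-to-controller flow denied while the historian's outbound push is allowed; `lint_policy` is the check to run whenever a rule is added, since a single business-to-operations allow is exactly the connection Farmer says must not exist.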
The railroad industry operates under a "comprehensive security plan" that covers both physical and cyber security elements. Created immediately after the 9/11 terrorist attacks, the plan was developed with input from Class Is, the AAR, the American Short Line and Regional Railroad Association, Amtrak and other rail industry participants. Its recommendations address security for railroad operations, critical information, communications and cyber areas, and military shipments, Farmer says.
The group updates the plan at least annually; each railroad adapts the recommendations to its own circumstances.
"It is a continual effort, one that reflects the importance of maintaining the integrity of these systems as a means of ensuring the railroads can function," says Farmer.
Since 9/11, the industry also follows an alert system based on increasing threat levels for physical and cyber security. Level 1 is the lowest threat level; Level 4, the highest. The industry remains on Alert Level 2, which requires railroads to maintain vigilance for potential terrorist and/or illicit cyber activity.
"Levels 3 and 4 are higher levels of concern that would be driven by intelligence that we receive from a range of sources," Farmer says. The AAR maintains a "railway alert network," which Farmer supervises, as the principal resource for railroads to stay on top of the latest information concerning potential threats.
On the cyber side, the potential exploitation of IT systems by terrorists always is a concern, but there are many other actors in the cyber sphere, ranging from individual hackers to organized groups or state-sponsored actors, Farmer says.
A prime example of an organized effort was the 2011 Anonymous attack on BART-related websites. It was an episode of "hacktivism" — activists using computers and computer networks to disrupt service in order to make a political statement, as opposed to hackers who break into data systems for financial gain. Hacktivism is a threat all transit agencies should watch out for, says Rodney Dor, senior security analyst for California's Orange County Transportation Authority (OCTA).
In June, Dor participated in a panel discussion on cyber security issues at the American Public Transportation Association's (APTA) Rail Conference in Dallas, and he previously participated in APTA working groups that prepare cyber-security standards and recommended practices.
Dor's advice to transit agencies? They need to identify the security-vulnerable points in their IT networks, then go about closing those electronic entry points before a security breach or cyber attack occurs.
"What the hackers or bad guys are looking to do is exploit that vulnerability," Dor says. "So if you stay ahead of the game and plug these vulnerabilities as soon as they are identified, and with proper testing put some controls into place, you pretty much remove the occasion to be exploited."
He also advises agencies to remain vigilant about the potential e-security risks and threats, maintain a robust firewall to protect IT infrastructure, and control data flow coming in and going out of their organizations. Because security breaches can come from within an organization — from a disgruntled employee, for example — it's important for transit agencies to control who has access rights to important data and information.
"That's another program that most transit agencies can take on right away: identity management," Dor says. "A lot of systems came online back in the day when everybody trusted everybody and we didn't have to worry about these issues. Now, with the [IT] tools being as powerful and consolidated as they are, you really can't give everyone in the organization the rights to shut down the server, for example."
If an organization's electronic security is breached and information is lost or stolen, or if service is disrupted, the organization is at risk of losing the trust of its customers, constituents and the general public, says OCTA Deputy Chief Executive Officer Darrell Johnson.
To safeguard that public trust, OCTA maintains a disaster management and recovery plan in the event that security is breached. The plan includes steps to notify the public of what happened and how the agency will rectify the situation, says Johnson.
"We really want to make sure we have a professional and positive image to present to our constituents and the taxpayers, and that we ensure public trust," he says. "For the past two years, we've focused on having a solid disaster recovery plan in place, and that we have continuity of our operation so that we can continue to provide the necessary and required services to the public."
Going forward, freight and passenger railroads must be constantly aware of e-security threats and risks as they continue to evolve with new technology. The expansion of social media, the growing use of personal electronic devices such as iPads, and the federal positive train control (PTC) mandate will present additional electronic security challenges.
"Early on, the security shops would say, 'no iPads,' but business has dictated that we must find a way to let it happen," says OCTA's Dor. "So we had to prepare for it. It forces us on the security side to go back and determine what it is that we are trying to protect, and how best can we put the controls in place to allow the business or departments to proceed with using those tools."
As for PTC, the rail industry is already preparing for related e-security issues.
Says AAR's Farmer: "Through the Railway Information Security Committee, you've got a very proactive effort to assess security risk in connection with the aggressive testing, development and implementation of what eventually will be the positive train control system in the U.S. on passenger routes and routes railroads use to transport hazardous materials."