This site is protected by reCAPTCHA and the Google
Terms of Service apply.
By Julie Sneider, Senior Associate Editor
The latest trends in detecting and preventing security threats to rail were discussed at the fifth annual Secure Rail Conference held May 1-2 in Orlando, Florida.
Hosted by Progressive Railroading, the two-day event featured presentations and a product showcase addressing security issues for freight and passenger railroads, as well as industry suppliers and service providers. Session topics included passenger screening techniques, lessons learned from other sectors, protecting freight-rail operations with application security and the industry’s expanding attack surface.
This year’s sponsors were Dragos Inc., Xaptum Inc., Abloy Security, Cepton Technologies Inc., OTN Systems N.V., Railhead Corp. and Safety Vision LLC.
The conference kicked off with a panel discussion and audience question-and-answer session on the current state of rail security and potential future themes for rail professionals to keep in mind. Serving as panelists were Aston Greene, deputy chief system security and law enforcement officer for the Los Angeles County Metropolitan Transportation Authority (LA Metro); and Jonathan Lamb, freight-rail industry engagement manager for the U.S. Transportation Security Administration (TSA).
Lamb, who worked for a Class I prior to joining the TSA 16 years ago, told attendees that freight-rail security has improved over the past decade. However, security threats to freight railroads have intensified at the same time, he said.
To address existing and potential threats, TSA regularly consults with the Association of American Railroads (AAR) and American Short Line and Regional Railroad Association (ASLRRA) on security matters.
“[The U.S. freight-rail network] is a very large system to try and secure,” Lamb said. “What we’re looking at is addressing the threats that we see and trying to imagine the threats that we do not see, and extrapolate what’s happened in other parts of the world.”
Recently, the TSA established a Surface Transportation Security Advisory Committee as part of the TSA Modernization Act of 2018. The committee aims to meet twice a year and advise the TSA administrator on surface transportation security matters. Additionally, the agency for the past four years has held annual exercises with Class Is and other railroads to practice security-threat scenarios that could disrupt freight-rail operations.
“I believe in exercise and practice,” Lamb said, adding that he advises railroads to get to know the local law enforcement and first-responder agencies along their networks. “Waiting to trade business cards at an incident scene is a bad idea.”
Likewise, security threats to passenger railroads and transit agencies are on the rise due to an “open-by-design” environment that hosts the masses, said Greene. He urged agencies to analyze their risks, be prepared to address threats and invest in security measures as part of the cost of doing business.
“Ask yourselves, how prepared are we now compared to where we should be? I consider preparedness a strategy for success,” said Greene.
At the morning’s next session, Greene focused on a new, advanced and portable passenger-screening technology now in place at LA Metro in collaboration with the TSA. The technology also was applied in Atlanta during Super Bowl weekend in early February to screen riders on the Metropolitan Atlanta Rapid Transit Authority (MARTA) system, where Greene was commander of the authority’s Police/Security and Emergency Management Unit. A month ago, he left that position for a similar role in Los Angeles.
LA Metro was the first surface transportation agency in the nation to purchase the screening system, which helps detect weapon and explosive device security threats. After the TSA conducted a series of tests, Metro purchased several Thruvision TAC-TS4 terahertz millimeter wave units, which are placed at locations throughout the transit system. The devices are equipped with software that quickly screens passengers for hidden weapons or explosive devices at LA Metro stations. When a weapon is inside clothing or strapped to a person’s body, the software generates generic avatars and creates a color indicator to show where the weapon or explosive device is.
When Greene used the technology at MARTA for security during the Super Bowl, the agency was able to screen thousands of people within minutes.
“It’s a detective, noninvasive technology that’s portable and can be used where you need it,” Greene said.
The units help address the challenge of quickly and efficiently screening passengers entering and leaving subway and commuter-rail stations much faster than in airport settings.
While the advanced screening units help protect against potential terrorist events, Greene cautioned transit-rail system executives from viewing new technology as a panacea for all security risks and threats. Rather, technology should be one component of a well-designed security plan.
“Security has to be intricately woven into policy, procedures, technology and training,” said Greene. “All of that together is a good security edifice.”
Later on Day 1, presenters turned their attention to cybersecurity threats. Two speakers from Oliver Wyman — James Cummings, senior adviser cyber risk management, and Paul Mee, head of cyber practice — led a session on cross-industry best practices, or cybersecurity lessons learned from other sectors that can be applied to railroads.
In an increasingly digitized world, the bad actors are getting more sophisticated, they warned.
“The amount of harm even a low expertise individual can do is greater than ever,” said Mee.
They encouraged railroads and other businesses to assess their “mission critical systems” to determine where to invest the most in terms of security resources.
“Quantify your cyber risk in economic terms,” said Mee.
Another first-day presenter was Greg Deibler, chief safety, security and corporate compliance officer at Virginia Railway Express (VRE), a passenger railroad serving the Washington, D.C., area. Deibler talked about how transit-rail agencies, government-funded and/or smaller railroads can “get back to the basics” of security by protecting their organizations’ physical assets.
Like other Secure Rail presenters, Deibler emphasized the importance of preparation through classroom, tactical and field training, and getting to know local law enforcement officers and agents by name.
Seeking creative ways to stretch a security budget is vital, as well, he said. For example, VRE started an undercover law enforcement initiative by allowing certified law enforcement officers to ride trains to and from work for free if they agree to assist conductors with any security issues.
“We don’t publicize this arrangement, but it has been a huge asset for us,” said Deibler.
He also recommended not to overlook other security basics, including upgrading station and facility lighting to LED systems, installing security cameras and adopting advanced fencing systems for critical facilities.
Other first-day presenters at Secure Rail 2019 included Railinc Director of Security Bill Dupre, who talked about protecting rail industry operations with application security; TTX Director of Digital Risk and Security Stephan Hundley and Xaptum Chief Executive Officer Rohit Pasam, who discussed the rail industry’s growing attack surface; and NCC Group Technical Director Jim McKenney, who provided a lessons-learned view of software-influenced safety control processes and what led to Boeing’s 737 Max 8 controversy.
Wrapping up the day’s sessions was Keith Dierkx, global industry leader of freight, logistics and rail at IBM Industry Academy. He discussed the increasing trend of integrating cyber intelligence and analytics across the new digitized operational technologies (OT) environment.
The TSA’s Lamb kicked off Secure Rail’s second day by providing an overview of cost-free cybersecurity resources to help transportation stakeholders develop cyber policies and practices. He also distributed a laminated TSA pocket guide on cybersecurity awareness topics covering malware, spam and scams, social networks, wireless networks, mobile devices, identity theft, data security and incident response.
Additionally, he described the TSA’s cybersecurity workshops conducted for the transportation industry. The workshops cover “five things in five days” that railroads and other companies can do to improve their cybersecurity posture: • Become familiar with the National Institute of Standards and Technology, a voluntary framework of standards, guidelines and best practices to manage cybersecurity risk; • Implement a unique password change policy; • Understand the latest phishing scams and spam trends; • Differentiate computer network access control; and • Report cybersecurity incidents to the National Cybersecurity & Communications Integration Center at the U.S. Department of Homeland Security.
“The thing about cybersecurity is that it requires action on your part,” Lamb told attendees. “If you have a system that hasn’t updated its antivirus software or firewalls in the past five or six months, you’re a target.”
Also presenting on Day 2 were Robert Carter, chief of security at Transit Safety and Security Solutions, who discussed modern solutions to traditional physical security challenges of transit system vehicle maintenance facilities (VMFs); and David Cordell, Port of New Orleans’ chief information officer and local agency security officer, and Christy Coffee, executive vice president of member services at the Maritime & Port Security Information Sharing and Analysis Organization, who discussed a cyber protection collaboration effort between the port and railroads.
In addition, Dennis Story, senior manager of communications and control systems at Dallas Area Rapid Transit, talked about challenges and cybersecurity issues that were addressed when the agency transitioned from a Synchronous Optical Network to a Multi-Protocol Label Switching-Transport Profile network.
Day 2’s most lively session occurred during a panel discussion led by Alex Cowen, founder of Razor Secure Ltd., and Jeff McCormack, associate vice president, technical leader transit and rail systems engineering at AECOM. They outlined clients’ most common security-related technology issues and discussed the security concerns that arise due to the fast pace at which technology evolves versus the slower pace at which clients can adopt new technologies. The presentation evolved into a debate among audience members over policy and methodology differences between IT teams and OT teams.
The day’s last two sessions were presented by Caleb Mathis, senior threat analyst at Dragos, and Matthew Riley, systems engineer at INIT Innovations in Transportation Inc.
Mathis talked about the mindset of an industrial control system hacker; a model for merging traditional IT and OT risk assessment methodologies; how to identify an organization’s “crown jewels” through a functional dependency analysis; and how to better inform cybersecurity strategies to align with critical operational assets.
Riley provided a case study of the Regional Transportation District of Denver, which used an object maintenance information system to conduct in-field testing of vehicle equipment to ensure passenger-counting technology produced accurate data.
In closing Secure Rail 2019, event organizers from Progressive Railroading put out a call for presentation ideas for next year’s conference.
Email comments or questions to firstname.lastname@example.org.