Progressive Railroading

May 2018

Rail News: Security

Secure Rail Conference 2018: A recap of threats, risks and solutions

The conference ran April 24-25 in Orlando, Florida.
Photo – Daniel Niepow


By Daniel Niepow and Julie Sneider

Progressive Railroading’s fourth annual Secure Rail Conference, held April 24-25 in Orlando, Florida, featured 23 presentations on topics that addressed how railroads can improve the security of assets, passengers and employees.

The first day’s morning session opened with an hour-long question-and-answer session on passenger screening options for rail agencies, featuring speaker Alfredo Perez, president of Perez Consulting LLC, and Progressive Railroading Senior Associate Editor Julie Sneider. Perez talked about the technologies and strategies passenger railroads use, can use or may soon use to secure their systems against mass casualty weapons with minimal interference to ridership.

He also suggested that transit agencies try to "get the public more involved" in security by encouraging riders to use their smartphone cameras to report criminal activity.

Perez then fielded questions from Sneider and Secure Rail attendees on the challenges that U.S. rail systems face today in screening passengers and bags for guns and explosive devices.

Also presenting in the morning were Steve McDowell, instructor at the Security and Emergency Response Training Center, who spoke on the topic of tactical hazmat operations in surface transportation; Troy Kitch, senior director of product marketing and GTM for the Security Cloud Business Group at Oracle, who shared ways to use cloud applications more securely; and David Teumim of Teumim Technical LLC, whose presentation addressed cybersecurity standards for transit-rail vehicles.

Teumim is a member of the Control and Communications Security Working Group of the American Public Transportation Association (APTA), which is developing consensus standards that address cyber threats to the many communications systems involved with vehicles used in heavy-, light- and commuter-rail services.

From operations to information technology that’s necessary to run transit-rail systems, “you’ve got a lot to be concerned about” in terms of the potential for cyber attacks on rail systems, Teumim said.

“Cyber is getting more attention day by day as we guard our entities and electronic wallets,” he said. “With the hackers, it’s always a cat and mouse game: You protect it, they break it.”

Teumim put out a call for new members to join the committee’s work in developing standards that have to evolve as new threats emerge.

The morning wrapped up with a presentation by Andrew Erickson, applications engineer at DPS Telecom, and Brian Studinski, telecommunications manager at Alaska Railroad Corp. Their topic examined “Real-World Monitoring and Security Strategies from Alaska Railroad.”

Five years ago, Alaska Railroad was “reactive” in responding to a problem with its remote technology and facilities, noted Studinski. The regional has 400 miles of track, 36 remote sites and one central office, which is located in Anchorage, Alaska.

Now, Alaska Railroad has become “proactive” by implementing a modern monitoring system that keeps tabs on the railroad’s environment, technology, operations and infrastructure around the clock. The constant monitoring helps the railroad to discover when repairs or other actions are needed, rather than sending out technicians frequently to check on the network’s status. That monitoring helps to prevent bigger problems such as unexpected power outages by sending out technicians only to repair real problems.

During the conference lunch breaks, attendees were free to visit and network in the Product Showcase room, which featured products and services from Secure Rail sponsors DPS Telecom, PacStar Communications, PS Technology, Railhead Corp., RPI Group Inc., Rockwell Collins Inc., Safety Vision LLC, Siemens Mobility, Splunk and Strukton Rail.

Afternoon sessions: Know your vulnerabilities

After lunch, conference-goers returned to hear from Craig Hartburg and Jeff Watts, both of RPI Group Inc., who discussed steps to take after conducting a security vulnerability assessment, which they previously performed for the Virginia Railway Express (VRE). Three steps are key following a vulnerability assessment: triage, funding and implementation, Hartburg and Watts said.

Any vulnerability assessment and follow-up plan must address cybersecurity, they said.

“In today’s world, if cybersecurity isn’t part of your overall security plan, you’re doing it wrong,” said Watts.

Later that afternoon, conference sessions featured Charles Butler, chief executive officer of The Security Oracle Inc., and Al Eline, senior sales support engineer at PacStar, who talked about the use of artificial intelligence (AI) to “transform” railroad security from a “passive model” to one of “active defense;” and Ellen Linnenkamp, managing director of Strukton Rail North America, who discussed balancing rail worker protection with rail network reliability.

Next up was a presentation by Jake Breechen, founder and chief technology officer at Confluence Security Group; Scott Carns, vice president of operations at Duos Technologies Inc.; and Alfredo Perez, who talked about how Department of Defense and Department of Homeland Security-approved technology can be used by rail executives to make decisions in elevated threat environments.

Also speaking in the afternoon were Frank Chavez, project manager for the Atlanta Streetcar, and Rickey Green, senior project manager at HNTB Corp., who described the approach used to certify the streetcar system’s safety and security plan.

Concluding the day’s sessions were Leandro Pfleger de Aguiar, a key expert on cybersecurity at Siemens Corp., who reviewed methods for improving the first line of defense to protect rail automation applications and other critical infrastructure assets; and Wendy Buckley, president and founder of Specialty Transportation and Regulatory Services, who talked about the importance of having a security plan in place for rail yards and rail cars before transporting hazardous materials.

“Civilization would not be possible without hazardous materials,” said Buckley, a former hazmat inspector for the Federal Railroad Administration. “They are essential, but they are dangerous. Manufacturers and carriers have a responsibility to make sure they are handled safely and responsibly.”

From there, the attendees and sponsor representatives adjourned for a cocktail reception.

Day 2: Tackling digital, physical risks

On the conference's second day, WSP's Lurae Stuart kicked things off with a presentation on risk acceptance. Despite railroads' best efforts, there always will be "residual risk," said Stuart, who serves as the firm's manager of system safety and security for transit and rail.

"Bad guys will always come up with something else to harm or injure people," she said. "We're trying to get that risk sufficiently low enough."

Stuart suggested passenger railroads use risk matrices to determine the level and severity of threats, as each agency faces its own specific risks.

After Stuart's presentation, Razor Secure Ltd. Founder Alex Cowan presented a cybersecurity case study for a European transit agency. Cybersecurity was a recurring theme on Day 2, with five additional speakers addressing the topic.

"Rail is vulnerable to cyberattacks," said Justin Smith, senior manager of cybersecurity engineering at Rockwell Collins. "We've seen it happen many times in the form of ransomware."

Smith's presentation focused on ways that transit agencies can develop cyber resiliency to fend off attacks.

Other speakers who addressed cybersecurity risks and threats included CheeYee Tang, electronics engineer at the National Institute of Standards and Technology; Nick Percoco, chief security officer at Uptake; Joe Becker, managing director of rail at Uptake; Ken Bousfield, partner at law firm Bereskin & Parr LLP; and Catherine Lovrics, also a partner at Bereskin & Parr.

Meanwhile, 5326 Consultants Inc. Chief Operating Officer Stacey Blau talked about workplace violence risks in the rail industry. From disgruntled former employees to new hires, railroads face "wide-ranging" workplace violence risks, Blau said.

Pranav Misal, a research analyst with ARC Advisory Group, closed out the conference with a presentation on Industrial Internet of Things applications in the rail industry, as well as the accompanying cyber risks.

[Editor’s note: Daniel Niepow is associate editor and Julie Sneider is senior associate editor at Progressive Railroading. Niepow can be reached at; and Sneider at]
