By Daniel Niepow, Associate Editor
From Berlin to San Francisco, hackers continue to launch cyberattacks on rail industry targets. Earlier this year, the Ontario government confirmed that Metrolinx was the victim of a cyberattack originating in North Korea. In May 2017, Germany’s Deutsche Bahn rail network was swept up in the worldwide “WannaCry” ransomware attack, while the San Francisco Municipal Transportation Agency (SFMTA) endured a different ransomware attack only six months earlier.
These attacks can hamper operations and impact the bottom line. When the SFMTA took its fare systems offline due to the hack, the agency may have lost up to $50,000 in unpaid fares.
Although many widely publicized cyberattacks have been directed at transit agencies, hackers can target freight railroads, too. And many cyber criminals aren’t concerned about a road’s number of track miles or annual revenue.
“The size of an organization is no longer a factor when it comes to cyberattacks, making short lines particularly prone, especially as the cost of doing cybersecurity correctly can be quite expensive,” wrote Nick Chodorow, chief information officer at the Belt Railway Co. of Chicago, in the fall 2017 issue of the Short Line Connector magazine. “Safe, efficient and profitable railroad operations now have a significant dependence upon technology, which is why short lines should pay particular attention to cybersecurity.”
To help short lines stay on top of emerging threats in the digital realm, the American Short Line and Regional Railroad Association (ASLRRA) recently kicked off a cybersecurity webinar series for its members. The first and second parts in the series were broadcast in February and March, with the final segment scheduled for April 18.
One of the key takeaways from the first two segments: Small railroads must take time to develop sound cybersecurity strategies, and they can take advantage of a variety of existing tools to do so.
“It doesn’t matter if you have five employees in your office or thousands of employees spread across the country, cybersecurity should be a focal point,” said Justin Smith, senior manager of cybersecurity engineering at Rockwell Collins, who presented both webinars.
Cyber threats exist even if a railroad’s computer networks aren’t directly connected to the internet. Systems that are supposedly “air-gapped” — that is, those that are physically separated from other computers that are connected to the internet — can be “remotely exploited some way,” he said.
Ransomware and phishing attacks, which remain the biggest threats to many industries, present a major threat to short lines, according to Smith. Hackers execute ransomware attacks by infiltrating an organization’s computer systems and locking users out. Then, they demand a sum of money to restore a victim’s access.
Phishing attacks involve hackers posing as trusted sources to get their hands on key information, such as usernames or passwords. For example, a hacker might send an email purporting to be a colleague or boss asking for a specific piece of information. Or an attacker might include a seemingly innocuous link in the message that downloads a virus onto a user’s computer.
“Malevolent hackers don’t care if you sell T-shirts or run trains for profit; you’re both potential sources of information or revenue,” Smith said in an email. “They’ll exploit weaknesses without discrimination.”
The first step in boosting cyber defenses is selecting a cybersecurity framework. As an example, Smith highlighted the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which was established by an executive order during President Obama’s administration.
The NIST framework is a voluntary set of standards, guidelines and best practices to help mitigate cybersecurity risks. More than 3,000 contributors from the private sector, academia and government helped develop the framework. Those contributors included railroads, Smith noted.
The framework’s guidelines provide outlines for organizations to identify, protect against, detect and respond to cyber threats. They also detail how an organization can recover from an attack.
Some Class Is already have begun using the NIST standards as their cybersecurity framework of choice, which makes it important for short lines to get acquainted with those guidelines, especially as railroads continue to share data and IT systems.
During the ASLRRA webinars, Smith delved into some of the framework’s general “security controls” that short lines can implement to bolster digital defenses. One such control: taking inventory of all authorized and unauthorized devices on a network.
Railroads should keep tabs on each device that plugs into their network — from printers and security cameras to tablets and even some telephone systems.
“Simply put: Know what is allowed to connect to your network,” said Smith, who will address cybersecurity challenges at the Secure Rail Conference on April 24-25.
Taking inventory of software is another key security control. This could involve listing which types of software employees are permitted to download onto their computers. Some users may not have the experience or training needed to understand the risk of downloading software from the internet.
“More often than not, they [can] infect their networks unknowingly,” Smith said.
And it’s equally important that small railroads educate their own employees on cybersecurity best practices. This could involve simple signage and reminders around the office or company-wide classes.
In Smith’s view, workers are the “first line of defense” against data breaches.
“Thousands of dollars spent on cybersecurity protections can be bypassed in seconds by an uninformed user clicking on a malicious link,” he said.
As railroads adopt a cybersecurity framework, they might be able to leverage their own staff and resources. In some cases, railroads may find that they’re already implementing key security controls through existing policies. For example, only giving administrator privileges to certain users is one way to reduce cybersecurity risks.
“If you have staff that understands technology, involve them in the process,” Smith said. “They have a wealth of knowledge … that oftentimes doesn’t get utilized to its fullest potential.”
To gain a better sense of the cybersecurity landscape, short lines should identify their main “threat vectors” — individuals or organizations that may want to hack a railroad. That could range from fired employees to cyberterrorist groups to entire countries. In some cases, threat vectors may be interested in hacking a Class I, but they could start out at smaller companies — such as short lines and regionals.
“To get to one target, [hackers] may go through three or four smaller targets,” Smith said. “The bottom line is different segments of the rail industry face different types of cyber threats.”
In addition to cybersecurity training for employees, railroads should perform security assessments to evaluate their existing protocols, Chodorow noted in an email.
Ideally, an outside organization should come in to conduct those security assessments, which would include interviewing a cross section of a railroad’s employees. The assessment also should include a review of a railroad’s cybersecurity training for workers.
“It’s very important to do a security assessment on a regular basis [every two years], and then make sure the recommendations are followed/implemented,” said Chodorow, who chairs the ASLRRA’s Technology Committee.
The assessments should lead to an action plan, along with guidance for implementing that plan. Additionally, a railroad’s executive and technology teams would receive summary reports following the assessment.
Outside of the various cybersecurity frameworks Smith mentioned in the webinars, small railroads can boost their cyber defenses in other ways. Outsourcing is one solution, especially at railroads without dedicated IT professionals.
If a railroad decides to go the outside-partner route, there are several considerations to take into account, said Brett Kelsey, McAfee’s vice president and chief technology strategist, who’s had cybersecurity discussions with various railroads.
“Make sure that, at a minimum, they have a dedicated cybersecurity practice and aren’t just reselling technology,” he said.
A third-party partner should be familiar with NIST’s cybersecurity framework, too, Kelsey said.
As hackers continue to develop increasingly sophisticated methods to infiltrate information systems, small railroads can rely on the NIST framework and other tools to mitigate risk.
“It’s not all gloom and doom,” Rockwell Collins’ Smith said. “It’s absolutely something we can defend everyone against.”