Dr. Waël Kanoun, head of Cyber Solutions – Middle East, Thales on cyber securing rail systems through strategic design
The proliferation of the Internet of Things combined with the convergence of Information Technology (IT) and Operational Technology (OT) have enhanced operational efficiency, but also exponentially increased the treat of cyber-attacks across critical national infrastructure, including ground transportation systems.
Railway operators face new fundamental challenges when it comes to protecting their systems. With significant digital transformation across the sector, substantial benefits relating to safety, operational efficiency and reliability as well as general CAPEX and OPEX optimisation are to be had, whilst at the same time exposing their systems to a new class of risk related to cybersecurity.
Poor design can leave our rail systems vulnerable to cyber-attacks. These vulnerabilities can impact operational efficiency in a variety of ways including, train delays, loss of revenue, reputational impact, loss of trust, and, in the worst case, an impact on passenger safety.
General rules of the thumb
Though security is contextual, universal security principles generally drive good security design. There are a set of generally accepted security principles that should be implemented to reduce the risk of cyber-attack, they include: open design, compartmentalization, perimeter defence and minimisation of attack surface, defence in depth, and least privilege.
When it comes to open design, proven approaches, mechanisms, technologies, software and solutions provide greater assurance as they have generally been subject to rigorous scrutiny by others in the marketplace.
Compartmentalisation is a security approach whereby a system is segmented into several domains that are protected independently, whilst at the same time, efficient security designs help limit the surface area susceptible to attack and correctly protect the exposed areas.
The principle of defence in depth is about having more than one layer or type of defence. If one layer or type of defence is breached, no matter how strong and reliable it is, there are two or more layers to make it much more difficult to compromise.
The ‘least privilege’ principle requires that a subject (human or software) has the proper and minimum privilege (in terms of scope of authority and resources). The time these resources can be accessed should be restricted to only those required to perform a specific task.
A holistic approach to cybersecurity
Holistic cybersecurity in the rail industry can only be achieved by addressing the three pillars that support a robust cybersecurity posture: Processes and Procedure; People and Technology.
In terms of processes, appropriate operational, management and audit measures must be put in place. As the human factor is considered the weakest link in cybersecurity, comprehensive training for operator and supporting infrastructure staff ensures cybersecurity awareness and adequate skills across the railway system. In terms of technology, security controls must consist of specific building blocks added to the architecture of the railway system throughout the entire design and build process.
The layers in cybersecurity architecture
To secure ground transportation systems, a cybersecurity architecture consisting of complementary layers of security must be designed and deployed. While traditionally, physical controls are not in the scope of cybersecurity plans and architecture, sometimes they are explicitly required to address a specific threat or requirement. Examples include locks, physical access controls, and anti-tamper seals.
Controls within the network are another layer that include technology to secure sensitive data during transmission over wired or wireless networks, maintaining the integrity of vital communication or protecting the system from attackers.
A third layer – host – includes cybersecurity controls that ensure the security of host machines such as servers, workstations, maintenance laptops and other IT machines. The final layer of application and data includes controls that ensure the security of the application and data level of the system. Examples include database encryption and file encryption.
Fundamental security building blocks
The following components can be integrated into the railway system to mitigate the risk of an infiltration attempt from the outside: Demilitarised zones (DMZ) with communication through proxies and secure gateways; Web Application Firewall to protect against web-based attacks; Virtual Private Network (VPN) gateways to ensure confidentiality of communication; and Data diodes to implement and guarantee on the physical level, one-way egress communication with external networks.
Internal network security measures must also be strengthened to cover Network segmentation with IP/MPLS VPN based on rail subsystems to implement traffic isolation and firewalls, while Intrusion Detection Systems can be standalone devices or embedded features within NGFW to implement traffic monitoring and to detect known attacks or anomalies/suspicious behaviour.
It is also important to implement Network Access Control (NAC) to ensure that only authorised and legitimate devices can connect to the railway network. Finally, Secure protocols (e.g. TLS) must be implemented to protect the integrity, authenticity and confidentiality of communication within the network.
It is essential to harden back-to-basics core defence by reducing the attack surface of railway systems and ensuring robust configuration. Further, an endpoint protection solution with centralised management should be deployed to thwart malware from gaining a foothold in the system. The solution should have the following features: Antivirus, Application whitelist and Device Control.
Centralised user management and profiles can unify and simplify a railway system, making access controls easier to manage and maintain across the enterprise.
Security Information Event Management (SIEM) systems also become a cornerstone to building effective cybersecurity detection and response capabilities. Its role is to manage, aggregate, qualify and correlate various types of logs to detect cyber-attacks and respond appropriately.
Railway systems should also be designed with ‘cyber maintenance’ in mind. Central update servers such as WSUS, should be part of the network to ensure robust management and effective distribution of security updates. Mechanisms should also be put in place to securely backup and restore system applications, data and configuration settings.
Addressing cybersecurity at an early stage of the design is paramount to guaranteeing the presence of fundamental security building blocks whilst ensuring a robust cybersecurity posture with minimum cost. Any delay in addressing cybersecurity leads to higher costs when having to address residual risk, let alone the adverse impact of any cyber-attack.