Many North American railroads have teamed up with each other and their technology suppliers as of late to ensure their cybersecurity teams are able to identify and secure the potential vulnerabilities in their freight and passenger-rail networks that could lead to cyber-attacks.
Amir Levintal, chief executive officer of Cylus — a railroad cybersecurity solution provider — has noticed an increase in cyber attacks in the rail industry over the past three years.
While many of those attacks are not being reported publicly, perhaps to protect the industry’s and railroads’ reputation, the sharing of that information between railroads is important because an attack on one network can be repeated on another, Levintal says.
To help identify, share and create best practices for responding to cybersecurity threats, several representatives from major North American freight and passenger railroads are part of the Association of American Railroads’ (AAR) Rail Information Security Committee (RISC).
As RISC members, they commit their railroads to actively sharing information related to cybersecurity, best practices, and benchmarking efforts, as well as to participating in industry-wide projects intended to improve the security posture of all railroads. Anonymity in shared information is expected.
“We need to be able to openly share details regarding specific attack vectors or indicators of compromise, which allows other railroads to check to see if they may have been impacted by similar attacks,” said Mark Grant, CSX’s head of technology operations and chief information security officer, in an email.
There have been cases where the flow of information within the committee allowed railroads to react more quickly, and to prevent impacts to their cyber environments, said Grant, who often represents CSX on the RISC.
Other committee members include managers, directors, analysts, and architects of cybersecurity from Amtrak, BNSF Railway Co., CN, Canadian Pacific, CSX, Kansas City Southern, Norfolk Southern Railway, Union Pacific Railroad, Railinc, Genesee & Wyoming Inc., and VIA Rail Canada Inc.
Members meet in-person at least twice a year and convene via teleconference every other week to share updates. In addition, members often communicate specific cybersecurity threat information via the Rail Alert Network (RAN), the AAR’s security information center.
RAN staff use the information provided within the system to analyze terrorist tactics, malicious cyber activity, rail-related threats and incidents, and suspicious activity in the industry. Railroads then use those determinations in their security training and awareness programs. The information is also shared with government security officials in the United States and Canada.
Warding off attack threats
The types of threats reported internally range from ransomware infections to breaches of physical perimeter security.
“Railroads have a tremendous amount of data and systems that we need to protect from attackers who want to disrupt our operations,” Grant said. “The job of doing that has gotten much bigger and more complex over the years. Our process [as part of RISC] allows for the flow of threat information or situational awareness without attribution.”
One potential threat to a railroad is a ransomware infection that starts within typical corporate or enterprise infrastructure. Such an attack can traverse from the information technology (IT) environment into the operational technology (OT) infrastructure, potentially allowing an attacker to hinder production operations from running effectively, explains Paul Veeneman, MBA Engineering Inc.’s vice president of operations. MBA provides controls, automation, data analytics, and cybersecurity for the rail industry through fuel storage management, wastewater management, sanding, and lube and oil solutions.
Traditional IT architecture typically comprises workstations, laptops, servers, applications, and data centers, while non-traditional OT encompasses industrial control systems, automation, and production devices at field locations, rail yards, and facilities.
OT systems in the field hold critical operations data that must be captured within IT servers and applications for business analytics and stakeholder decision-making.
Physical security of a rail network and control of its physical perimeter are extremely important as a first line of defense against malicious activity intended to compromise railroad operations and productivity, at any scale, at a given geographical location or facility, Veeneman says.
Creating a physical perimeter could mean safeguards at railroad facilities, such as gate access controls, security cameras, and employee compliance in allowing only badged personnel on-site.
“In our yards and terminals, railroaders are on the front line of defense and can really help by reporting anything suspicious related to field technology equipment,” Grant said.
To engage all of its employees in best cybersecurity practices, CSX also participates in Cybersecurity Awareness Month, which is an annual campaign in October that provides updated tools, tips, and strategies for staying safe online.
Logical cybersecurity best practices ensure the deployment of preventative and protective solutions that can thwart hackers and cyber attacks, Veeneman explains.
Best practices also ensure that a railroad’s detection and monitoring systems alert teams to malicious cyber activity, and response plans are available to isolate, contain, and mitigate active threats, he says.
Exposing cyber weakness
To identify vulnerabilities and other cyber risks in its network, CSX employs a combination of automated scanning and active red-team testing in its cyber environment. Red-team testing is when cybersecurity experts hack their own digital infrastructure in order to test the railroad’s defenses.
The railroad also uses these practices to train security responders to monitor effectively for prevalent attack methods. In addition, CSX includes its rail suppliers in cybersecurity efforts.
The Class I railroad regularly partners with other railroads through the RISC to host rail supplier information exchanges with organizations that provide embedded technologies, such as technologies on locomotives and at the wayside.
“These sessions helped us better understand our communications channels, possible equipment vulnerabilities, and cybersecurity response processes,” Grant said.
CSX ensures that security is considered in its purchasing processes when writing contracts and during implementation.
“It’s often much easier to address security upfront than having to retrofit,” Grant said. “It’s also important to consider that many products, such as cameras, vehicles, and cranes, come with embedded technology, so it’s critical to think about security beyond software solutions.”
Bring in the suppliers
In March, the AAR kicked off a new joint forum of rail industry suppliers to collaborate with the RISC on cybersecurity efforts and share information to mitigate cyber risks in the industry.
The idea behind the forum is to create a national, collective focus on cybersecurity so that all parties in the industry are working from the same playbook and leveraging their collective knowledge across the industry, says MBA’s Veeneman, who was appointed to the joint forum last month.
“The IT departments within the railroads are a collection of extraordinarily and extremely talented folks, but now they’re going to get an outside perspective,” Veeneman explains. “I think it fosters accelerated adoption of technology, increases resilience in the supply chain, and creates a more comprehensive and focused direction on threats that are in the industry.”
Joint forum members include officials from Collins Aerospace, Siemens, New York Air Brake Corp., Wi-Tronix, Progress Rail, Wabtec Corp., TTX Co., The Greenbrier Cos. and Union Tank Car Co.
Similar to RISC members, joint forum members will be responsible for sharing information on vulnerabilities, threats, cybersecurity concerns, and effective practices for prevention and risk mitigation.
“[Members] maintain anonymity because the communication and transparency will allow everyone to achieve the goals effectively,” Veeneman says.
Members also have access to security advisories, alerts, and reports through the AAR’s RAN security information center.
From each individual railroad’s cybersecurity team to the companies tasked with supplying and implementing new technology for rail, the cyber health of the industry depends on collaboration to prevent and combat cyber attacks.
With the creation of the AAR’s RISC and the joint forum, all industry players are working together to create industry-wide best practices, MBA’s Veeneman says.
“If we’re both looking at the same playbook and we’re both working toward a single goal, leveraging all of that talent, we’ll have a positive impact on resilience and reliability of railroad operations in a multitude of ways,” he says.
CSX’s Grant agrees that a key part of a cybersecurity program is collaboration with government agencies, other leading industries, and fellow railroads.
“We share information, benchmark programs, trade best practices, and exchange first-hand experiences on the tactics hackers may use,” he says. “Having this information helps us better prepare our defenses and plan accordingly.”