Security and Transportation Systems
Wednesday, April 20, 2016 @ 12:04 PM gHale
By Richard Weatherburn
Who hasn’t been frustrated when traffic comes to a standstill or underground transportation breaks down? Such frustration is a very real human emotion that lets us know that our highways, subways and light rail transit systems are vital for our lives to run smoothly. Add it up across thousands or millions of people: If transportation systems don’t work, entire economies and societies suffer.
Why then have some critical infrastructure industries, such as the energy sector, been better at adopting cyber security practices while the transportation sector has been lagging?
One answer is that never before has the transportation industry been under such pressure to increase capacity and, at the same time, become more efficient. Efficiency in this case means improving financial returns and consuming fewer natural resources.
So, along those lines, and maybe taking a tip or two from other sectors, let’s see how passenger rail and public transportation systems can improve their Industrial Control Systems (ICS) security.
In order to realize improvements in performance and capacity, rail operators are utilizing advances in technology while at the same time seeking to reduce capital expenditures. This inevitably means a shift from traditional legacy systems using stand-alone bespoke equipment to a greater use of standardized technologies, protocols and operating systems (Ethernet, for example).
These newer technologies typically have open interfaces and standardized protocols. Consequently, as they are designed into control and communication systems at an increasing rate, the risk to transportation systems from cyber attacks also increases.
In addition, to achieve superior value and an increased level of customer service, the interconnectivity between what have previously been stand-alone systems is greater than it has ever been before. An example is connecting train control systems with seismic or tunnel drainage monitors for enhanced safety and reliability. This interconnectivity, sometimes using leased lines of communication infrastructure, also creates a new and real risk when it comes to cyber security.
Cyber Risk Fans Out
But does cyber security really matter, given the fail-safe methodologies used within the transportation industry? It is true that a safety-focused culture, particularly within the rail sector, mitigates some of the immediate risk, but not the consequential risks.
By consequential risks I mean that the ongoing operation of a compromised transport system may be degraded rather than actually halted: late-running trains or some ticket barriers not working, for example. In addition, as operational systems become more complex, reliably achieving fail-safe conditions is more challenging, especially when subjected to a deliberate cyber attack.
It is also important to note that cyber risks are not limited to safety. Cyber security has the potential to affect the whole supply chain. Failures in the supply chain, especially those that persist for a few days, will quickly have a direct operational impact. For example, spare parts may not be delivered to a maintenance depot, resulting in trains being out of service and a degraded operational service.
There are also reputational and commercial risks, especially when attacks directly affect passengers or passenger services. Any response to transportation related cyber attacks will be in the public domain and will have a high impact on passenger trust in the system.
ICS Transportation Security Standards
Increased cyber risk is the reason groups like the ones listed below have all published cyber security recommendations for rail operators over the past few years:
• APTA – American Public Transportation Association, an industry association: Securing Control and Communication Systems in Transit Environments – Part 1
• RSSB – UK Railway Safety and Standards Board, a railway stakeholder group: Rail Cybersecurity Guidance to Industry
• US-CERT – United States Computer Emergency Readiness Team, a government body: Transportation Industrial Control System (ICS) Cybersecurity Standards Strategy
• ENISA Railway – European Union Agency For Network And Information Security, another government body: Cybersecurity and Resilience of Intelligent Public Transport. Good practices and recommendations
Thanks to the recommendations of these groups plus the overall ICS cyber security standards developed by ISA and IEC (ISA IEC 62443) there are resources available to turn to for guidance. But it doesn’t have to be overwhelming; here are some simple principles to help you.
Tip 1: Risk Assessment
Taking the first step in a new area is always the hardest, but take heart; guidance is available. The best practices incorporated into the industry and government recommendations mentioned above are available to guide you.
The first step is to conduct a risk assessment; you need to understand what your network looks like and where the critical assets are. Then think about your risk tolerance for the different assets. It will be different, for example, for signaling systems versus passenger Wi-Fi services.
This might sound like a big project, or a costly consulting engagement. However, it is possible to do it internally and at no cost. While this may not be for everyone, it could be a viable option if a third-party assessment is not in your budget right now. It is also better than doing nothing about improving the security of your ICS network.
Learning this process is important and it is not a one-time exercise. Good security requires monitoring, evaluating and improving your plans regularly in order to ensure current measures are working effectively. This will also help you recognize new or developing risks to the network.
Tip 2: Defense in Depth
After completing the risk assessment, the next step is to create a plan to secure your network. Again, using the collected knowledge of the experts in this area, the approach you want to take is called Defense in Depth (DiD), which basically means multiple layers of defense distributed throughout the network.
A well-developed strategy includes:
• Multiple layers of defense instead of relying on a single point of security
• Differentiated layers of defense, ensuring an attacker can’t access all subsequent layers after getting past the first
• Context- and threat-specific layers of defense, meaning each layer is optimized to deal with a specific class of threat
• Zones of defense, where devices with similar security requirements are grouped together and secured by a conduit, as per the ISA IEC 62443 standard
If your network is protected by a Defense in Depth strategy, the impact of an accidental security incident or a malicious attack will be limited to the zone where the problem began. You want to set up your systems so the right people or teams receive an alarm and start working on incidents in a timely fashion.
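To make the zone and conduit idea concrete, here is an added example (not part of the original article, and not taken from the ISA IEC 62443 text): a short Python check that compares observed network flows against a declared zone and conduit model and reports every flow that should raise an alarm. The asset names, zone names, ports and flows are all constructed for illustration.

```python
# Added illustration: all asset names, zones, ports and flows are constructed sample data.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Zone membership: devices with similar security requirements share a zone.
ZONES = {
    "signaling-rtu-1": "signaling",
    "cbtc-server": "signaling",
    "drainage-monitor": "tunnel-monitoring",
    "ops-workstation": "operations",
    "wifi-gateway": "passenger-wifi",
}

# Conduits: the only permitted paths between zones, (src_zone, dst_zone) -> allowed ports.
CONDUITS = {
    ("tunnel-monitoring", "signaling"): {502},
    ("operations", "signaling"): {443},
}

def check_flow(flow):
    """Return 'allowed', or a reason string describing the policy violation."""
    src_zone, dst_zone = ZONES.get(flow.src), ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown asset (not in inventory)"
    if src_zone == dst_zone:
        return "allowed"  # intra-zone traffic stays inside one trust boundary
    ports = CONDUITS.get((src_zone, dst_zone))
    if ports is None:
        return f"no conduit {src_zone} -> {dst_zone}"
    if flow.port not in ports:
        return f"port {flow.port} not permitted on conduit {src_zone} -> {dst_zone}"
    return "allowed"

def violations(flows):
    """List (flow, reason) for every flow that is not allowed by the model."""
    return [(f, r) for f in flows if (r := check_flow(f)) != "allowed"]

SAMPLE_FLOWS = [  # constructed observations, e.g. summarized from firewall logs
    Flow("drainage-monitor", "cbtc-server", 502),
    Flow("signaling-rtu-1", "cbtc-server", 20000),
    Flow("wifi-gateway", "cbtc-server", 443),
    Flow("ops-workstation", "signaling-rtu-1", 22),
    Flow("unlisted-laptop", "cbtc-server", 443),
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.port}: {reason}")
```

The "unknown asset" result is the case the risk assessment in Tip 1 is meant to prevent: a device that talks on the network but never made it into the inventory.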
Tip 3: Prioritize Critical Assets
Lastly, you must prioritize the critical assets. These are the systems that would cause a complete disaster for your network if they shut down (either unintentionally or maliciously).
For a passenger rail system, typical examples would be the remote terminal units (RTU) in signaling control systems or the network infrastructure running a Communications-Based Train Control (CBTC) system. Aggressively protect these assets and the chance of a truly serious cyber incident is greatly reduced.
In starting the security journey, there will be roadblocks, but don’t let the following keep you from protecting your transportation systems:
1. Efficiency challenges of the day
2. Complications brought on by increased connectivity
3. High cost of formal risk assessments
By taking the right steps to understand your risks, choosing a layered approach, and prioritizing your most important assets, you can successfully implement good cyber defenses.
Richard Weatherburn is a manager – transportation at Belden. He has over 20 years of experience in the transportation sector. He has successfully delivered multi-million dollar rail projects across Europe and has worked in systems engineering, program management, product management and business development roles.