Whether it is used as a means of transportation for passengers or to carry freight, the railway industry is the economic backbone of every country, and railway cybersecurity is critical for reliable operations. Hackers that compromise railway infrastructure, which includes high-speed railways, inter-city rail, and rapid transit, can badly affect national economic security and may even affect the lives of passengers. The railway industry in particular often indirectly affects the ecosystem of other critical infrastructure sectors.
For example, about 48% of the electricity generated in the energy sector of the United States was from coal. Railways are the primary mode of transportation. In the Healthcare and Public Health sectors, railways are also relied on for drug transportation [1]. The Association of American Railroads (AAR) also stated that the railway industry is an integral part of the supply of raw materials for the production of automobiles [2], which shows the necessity of protecting the railway industry.
1) Onboard: Railroad cars running on railway tracks are usually composed of one or more locomotives and railroad cars that carry passengers or freight. Most railroad cars will use wireless technology to connect to the network between railroad cars for data exchange, as shown in the blue area in Figure 1. For example, the onboard area of a passenger railcar primarily includes five asset classes:
a. public services for passengers, such as WLAN and video;
b. the comfort system for passengers, such as passengers’ information systems and HVAC;
c. vehicle safety, such as signaling and automatic train protection (ATP) systems;
d. control and command systems such as traction and doors; and
e. auxiliary systems such as phone and driver advisory systems (DAS).
Since passengers can legally access public services, there are no strict restrictions on either the items that passengers can carry or their behavior in the railcars. Thus, the question of how we can ensure that systems do not interfere with each other and prevent attack commands has become a critical issue in order to protect the passengers.
4 Components of Railway System Architecture
According to different asset purposes, this article divides the railway system architecture into four areas, including Onboard, Wayside, Station, and Control Center:
1. Onboard
Railroad cars running on railway tracks are usually composed of one or more locomotives and railroad cars that carry passengers or freight. Most railroad cars will use wireless technology to connect to the network between railroad cars for data exchange, as shown in the blue area in Figure 1. For example, the onboard area of a passenger railcar primarily includes five asset classes:
- public services for passengers, such as WLAN and video;
- the comfort system for passengers, such as passengers’ information systems and HVAC;
- vehicle safety, such as signaling and automatic train protection (ATP) systems;
- control and command systems such as traction and doors; and
- auxiliary systems such as phone and driver advisory systems (DAS).
Since passengers can legally access public services, there are no strict restrictions on either the items that passengers can carry or their behavior in the railcars. Thus, the question of how we can ensure that systems do not interfere with each other and prevent attack commands has become a critical issue in order to protect the passengers.
2. Wayside
This generally refers to a variety of equipment erected beside the railway track, as shown in the green area in Figure 1. According to different railway needs, the equipment can include actuators for displaying signals, ATP ground devices for detecting vehicle positions and providing speed limit information, and repeaters for wireless telephone transmission, as shown in the blue railway location cabinet next to the railway track. Wayside’s network-related equipment, such as routers, controllers, and serial servers, is often stored in the railway location cabinet and widely deployed beside the tracks. Wayside equipment includes advanced signaling systems like CBTC, which facilitates communication between trains and the control center, ensuring efficient and safe train operations. This way, real-time information can be provided to vehicles and control centers at any time.
3. Station
As shown in the yellow area of Figure 1, next to the tracks, the area where passengers wait for vehicles is provided. Like the Onboard area, Station provides space for passengers to carry personal belongings and move freely, so this area also provides services such as Public and Comfort. On Auxiliary, most stations will also include monitoring and broadcasting systems to provide benefits such as event handling and information dissemination.
4. Control Center
Control Center in this context generally refers to the back-end control center of railway operations. It must be able to receive railway-related information in real-time and provide appropriate operational decision-making capabilities and management to reduce interruptions. The facility is also often coordinated internally, and is involved in emergency response and recovery. To that end, most control centers have SCADA systems, including communication systems, signal control systems, passenger information systems, or power control systems which are monitored by professionals around the clock.
Communication System
This system mainly provides communication required for vehicle dispatching, power distribution, signal remote control, safety monitoring, maintenance, and passenger service (data flow of number 1 in Figure 1). For example, the driver can send a voice message through the GSM-R mobile phone and communicate with the control center dispatchers through the network of Wayside’s repeater and relay station.
Signal Control System
Signal control systems integrate signaling equipment, level-crossing protection equipment, and ATP systems. It can automatically control vehicles to maintain a safe driving speed, and the dispatcher handles traffic flow to maximize performance and driving efficiency by using wireless technology (such as GSM-R), which communicates between Onboard and Wayside (data flow of number 2 in Figure 1). The ATP system uses the signaling equipment along the railway line and the signal transmission equipment on the track to transmit electronic signals to the train, monitor the running status of the train, and keep the speed constant to ensure that the train does not cross the end of the “movable range”.
Passenger Information System
This system can transmit real-time vehicle information through the internet and display to the public the upcoming train number, the following train number, departure time, stop mode, and the number of remaining seats. This makes it convenient for waiting passengers to receive this information and improves boarding efficiency (as shown in the data flow of number 3 in Figure 1). To enable the public to obtain information conveniently, the system’s infrastructure can be accessed on the train or in the station area [4].
Power Control System
The function of this system is to supply electricity to locomotives and rail trucks. After the electrical substation reduces the electrical voltage, it can be passed through the back-end power remote control system (which can be regarded as a SCADA system). For deployment and monitoring, its composition includes workstations, human-machine interfaces, communication networks, and related peripheral equipment (as shown in the data flow of number 4 in Figure 1). In addition to main workstations, substations and stations can also be equipped with SCADA outstations.
Figure 1: Railway Industry Ecosystem Overview
Railway Cybersecurity Threats
Railway infrastructure and operational systems across the Onboard, Wayside, Station, or Control Center areas can exchange data with each other. This means that any system suffering from a cyber attack would trigger a rail security mechanism that would cause the railway company to temporarily cease operating. For example, in March 2022, an Italian railway company was attacked by ransomware on its system, which made it impossible to continuously update passenger information, causing all trains to stop operations completely [5]. Denmark’s Supeo company was attacked by ransomware at the end of October 2022, which prevented the country’s giant train operating company from using its applications to obtain critical information, resulting in the suspension of all trains and incapacitating normal operations [6]. Given this, TXOne networks analyzed the railway ecosystem to discover the following potential threats:
1. The growing number of connected IoT devices gives attackers more opportunities to perform vulnerability exploits or password cracking on critical systems
Many connected IoT devices that aren’t using the best security practices will make it easy for attackers to access the IoT device and take control rights. The biggest concern is that when mission-critical control systems are connected to the public network, that opens the control systems to hackers and the attacker can then infiltrate control, auxiliary, or even safety-related systems and inject malicious commands or launch a DoS attack. Past research has shown that attackers can connect directly from entertainment systems to locomotive control systems; in the worst case scenario, this would directly threaten the lives of passengers [7][8].
Suppose a company’s public Wi-Fi uses unsecured technology or incorrect configuration in onboard and station areas. In that case, hackers can sniff out these vulnerabilities with credentials information, exercise man-in-the-middle (MITM) attacks, and tamper with critical systems, thereby causing passenger safety to be exposed to risks. For example, in 2020, the public Wi-Fi system in the United Kingdom did not correctly configure the database stored in AWS, and the detailed information of about 10,000 passengers was exposed to the public network. This incident was fortunately discovered by security researchers and repaired immediately. Otherwise, the database could have tracked the time when passengers log in to each site to collect travel patterns of passengers, endangering the personal safety of passengers [9].
2. When the Signaling Control System uses a WLAN protocol with low security, the attacker can execute a man-in-the-middle attack and inject malicious commands into the system
The Communication-Based Train Control (CBTC) system uses wireless technology for real-time communication between onboard and wayside devices. Compared with the traditional fixed block signaling system (FBS), it can track the train’s position more accurately and has become one of the most commonly used mainstream systems by railway operators. Since the CBTC system needs to use many connected devices as nodes for information exchange, they are more likely to become targets of attacks from external networks. For example, onboard and wayside devices often use WLAN technology for train control. Because the CBTC system is connected to many systems, such as passenger information systems, attackers can target wireless devices with a low-security protocol and execute a man-in-the-middle attack. The hackers can send emergency commands and penetrate the operator’s I.T. environment. Furthermore, the CBTC system usually has a maintenance port for troubleshooting functions. If the attacker successfully identifies and exploits the maintenance network port, it may further affect the availability of the system [10].
The Rail Safety Improvement Act of 2008 (RSIA) enforces that American railroad tracks must equip positive train control systems to keep trains driving within a specific range. The Intelligence Analyst of Dragos pointed out that the Meteorcomm PTC radio design vulnerability may affect the national railway infrastructure. If the vulnerability allows a man-in-the-middle attack, it may cause delays, collisions, or derailments of trains [11] due to Meteorcomm installing PTC in most of the United States.
3. Even though rail systems worldwide have been targeted by ransomware attacks, rail systems are designed with physical security and reliability in mind instead of cybersecurity
Since 2018, APT attacks designed for industrial control environments have begun to target critical infrastructure with ransomware. Starting in 2020, ransomware attacks on critical infrastructure industries have increased significantly. Statistics from 2013-2021 show that the transportation industry has a share of about 4% in ransomware attack incidents [12]. In July 2021, 420 ticket machines based in Northern Rail of the U.K. were forced to close due to ransomware attacks, and manual ticket sales were performed instead, causing great inconvenience to the public. According to Security Week, since Northern Rail belongs to the U.K. government, it was impossible to pay the ransom, so it is speculated that this was an indiscriminate attack [13]. In March and October 2022, Italian and Danish railway companies also had to stop operations due to ransomware attacks in March and October 2022, respectively. For this reason, critical fixed-use assets of enterprises should harden and lock down their systems. Even if ransomware is planted by more sophisticated methods in a targeted attack, it still cannot execute.
4. The geographical location of Wayside-related facilities is difficult to manage, allowing attackers to physically access network devices such as routers or controllers and exposing systems in the railway industry to the threat of data falsification or service interruption
Wayside’s network-related equipment is typically housed in rail location cabinets, with only physical locks used to prevent public access to them. Therefore, an attacker can easily use an unlocking tool to open a railway location cabinet, gain physical access to railway wireless controllers, access points, and switches, and launch an initial attack on railway network equipment. Most commonly, attackers can execute malicious codes on network devices, and have the opportunity to further remotely bypass the authentication mechanism of multiple routers in the roadside area and execute malicious commands, causing the train to stop running [14][15]. In another case, wayside and station switches were found to have denial-of-service vulnerabilities, which would allow attackers to disable public, comfort, and auxiliary services at the station [16][17].
5 Strategies to Mitigate Potential Railway Cybersecurity Threats
Based on the above threat analysis, we can conclude that there is a large number of subsystems in the railway system. In addition to running through the onboard, wayside, station, or control center areas, the critical systems may also need to exchange data with each other according to system application. In October 2022, the U.S. Transportation Security Administration (TSA) issued a directive aimed at improving U.S. railway cybersecurity operations for all of the United States. The contents of the directive include [18]:
1. Implementing a network segmentation policy and controls to prevent operating disruption to OT systems if IT systems are compromised and vice versa
Build defenses from the ground up and turn the onboard, wayside, station, and control center subnet into a cyber-fortress with digital walls, watchtowers, and drawbridges. Stop intruders from getting in, moving laterally, or gathering information needed to carry out attacks. Routing network traffic through cleverly designed segments adds layers of protection without compromising workflow. OT Firewalls divide the network into zones, and Intrusion Prevention Systems (IPS) analyze traffic and block malicious packets. Using next-generation OT IPS technology can help railway operators establish network segmentation policies and controls designed with OT zero trust. For example:
- In the station, EdgeIPS Pro works best deployed directly beneath the station’s rack-mounted ethernet switch, where it can inspect all traffic in and out of the station subnet with superior protocol sensitivity. Its minimized latency keeps data transmission optimally quick as it is being secured.
- The access points (APs) that a train uses for mesh or roaming are often running with limited or hardly any security. Ordinarily, if someone stands in the wayside and takes out their smartphone, they can find an AP’s access ID and attempt to gain entry, and would then be able to affect the signal control system. EdgeIPS is perfect for deployment between the AP and its switch, preventing it from being compromised.
- The wayside’s safety- and mission-critical circuit monitoring, signal control, detection, and point machine assets all benefit from EdgeIPS security boxes running on a 1-to-1 basis, preventing interference by malicious actors. EdgeIPS’ ruggedization is perfect for maintaining a high mean time between failure, even in the potentially harsh environments of the wayside, where equipment cabinets can be exposed to extreme temperatures for extended periods of time. If an AP requires multiple ports, another device in the Edge family, the next-generation firewall EdgeFire, makes an effective bridge. One of its multiple ports serves the AP, while the others can be used for control devices and the link to the switch.
One common sign of malware infection is suspicious outbound traffic resulting from the unwanted application trying to connect to command-and-control server (C&C Server) or spread itself around the network, which Edge series nodes detect and stop. While modern cyber attacks are commonly based on stolen credentials, EdgeIPS series nodes have the ability to detect unusual traffic even among apparently approved devices or accounts, minimizing the potential for human error as well as stopping intruders from sending out commands on the network. It does this via a trust list, which functions by specifying approved commands and connections.
TXOne Networks recommends network segmentation to be built into network architecture from the ground up, as it substantially increases visibility while making the system much more defensible against cyber attacks. Segments in a network are created based on “intentionality”, or which assets or subsystems must communicate to do their work. EdgeIPS technology can segment the network at the time it’s transparently deployed, requiring no changes to existing architecture while increasing security considerably.
2. Create access controls to secure and prevent unauthorized access to critical cyber systems
Never trust, always verify. Lock down OT network communications using adaptive trust lists. The situation on the railcar, control center, or at the station changes constantly. The trustworthiness of devices must be constantly evaluated based on current conditions. Trust lists must adapt. Each piece of equipment used in the OT zero trust model has a trust list. Trust lists are set up on OT Firewalls and OT IPSes using carefully designed sets of rules or policies to create network segments. These rules can filter files or segments based on protocols commonly used in railway industry such as Profinet or OPC-UA. Some OT IPSes offer deep traffic analysis and can filter based on control commands. Some OT Firewalls and OT IPSes can even filter IT protocols like HTTP or SMB.
In terms of endpoint protection, trust lists also known as allow lists are automatically generated from the inventory collected during the railway security inspection. This makes locking down endpoints easy because the security scan contains a list of all the files that are allowed to execute on the device. These trust lists are automatically updated during patching or maintenance to stay current and minimize downtime. For fixed-use assets like ticketing stations and on-board computers, Stellar is the ideal solution. Even if malware finds its way into your working hardware, it wouldn’t be able to execute due to Stellar’s trust list-based 4-in-1 lockdown. Applications, configurations, data, and USB devices are all locked down with a trust list that excludes all applications that are unlisted from executing and all users that are unlisted from making changes to data or configurations. Only administrator-approved USB devices can connect to the device, and only an administrator can grant a device 1-time approval to connect.
3. Rail operators must ensure that critical systems are continuously monitored and scanned for cyber threats
At the heart of OT zero trust is the ability to directly monitor the security of your industrial control system at a glance using the OT defense console. The OT defense console combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms. Railway operators can watch security controls safeguard all ICS assets during routine operations. As cyber-events unfold, you will be alerted to any breaches. This bird’s-eye view also shines a light on shadow OT, which is rogue equipment that can jeopardize your railway cybersecurity.
Cybersecurity engineers can also use the OT defense console to remotely manage large-scale deployments of OT IPS and OT Firewalls. It acts as a secure portal for virtual patches to protect against known malware signatures and to stop most attacks before they start. Additionally, the defense console gives administrators the ability to edit the OT protocol allow lists so that key production machines can work together. It provides robust and flexible reporting from log files and keeps track of data needed for policy enforcement, protocol filters, node groups, systems, audits, and asset detection. The defense console runs on virtual machine platforms and shares data with third-party tools such as SIEM, ICS Detection, and other log aggregators.
4. Reduce the risk of unpatched systems being exploited by using a risk-based approach to apply timely security patches and updates to operating systems, applications, drivers, and firmware on critical network systems
In rail, where equipment as old as 20 years may still be in use, legacy assets benefit from special protections operating efficiently from the network without requiring any modification to the device. Virtual patching, which is supported by TXOne Networks’ team of security intelligence specialists, is a network-based technology that shields the vulnerabilities of legacy assets while supporting their maximized availability and operation. This technology was specifically created to address the needs of mission-critical assets well past their end-of-service (EOS) date.
In addition, endpoint protection solutions can enhance and ensure the integrity of computing devices, thereby protecting the computing devices within the critical OT systems from targeted attacks like APTs. In order to prevent malware attacks, our Stellar monitors legitimate processes that are vulnerable to attacks under the control of least privilege by learning and authorizing operational behaviors, which gives Stellar the ability to detect abnormal operational behaviors. Furthermore, Stellar can protect against insider threats and malicious insider activity through USB device control. For legacy systems, Stellar is equipped with unique trust lists and locking technologies to ensure operational cybersecurity, including operational locking, USB device locking, data locking, and configuration locking to fully protect complex legacy endpoints.
5. Establish a rail cybersecurity assessment plan to proactively test and periodically audit the effectiveness of cybersecurity measures and identify and address vulnerabilities in equipment, networks, and systems
Before an asset is integrated to a railway operation infrastructure, the railway carrier should proactively inspect and periodically audit each asset to create a record of OT health that proves the equipment is malware-free and vulnerability mitigation. In the past, attackers have launched cyber attacks and exploited the supply chain by compromising assets prior to shipment or during system maintenance.
The proactive inspection and audit include taking a detailed inventory of all the applications, the firmware, the operating system, the computer information, version numbers, and patch levels. This inventory is used for threat modeling to determine how likely it is for a known vulnerability to be exploited and what the consequences would be if it were. Asset inventory can be gathered from legacy equipment such as standalone PCs, even those running Windows XP, Windows 7, or Linux. Air-gapped systems that were previously impossible to examine can also be inspected. Our portable security devices can run native scans or boot scans depending on the operating system of the asset.
Reference
[1] Cybersecurity and Infrastructure Security Agency, “CRITICAL INFRASTRUCTURE SECTORS”, Cybersecurity and Infrastructure Security Agency, Oct 21 2020, Accessed Nov 16 2022
[2] Association of American Railroads, “Freight Rail: Designed to Drive a Nation”, Association of American Railroads, Accessed Nov 16 2022
[3] RideOnTrack, “SIP Operational Telephony”, RideOnTrack, Accessed Nov 16 2022
[4] ENISA-ERA Conference, “CENELEC prTS 50701 (Railway applications – CyberSecurity)”, ENISA-ERA Conference, Mar 16 2021, Accessed Nov 16 2022
[5] David Briginshaw, “Italian railway IT system suffers major cyber-attack”, International Railway Journal, Mar 29 2022, Accessed Nov 16 2022
[6] Eduard Kovacs, “Cyberattack Causes Trains to Stop in Denmark”, SecurityWeek, Nov 4 2022, Accessed Nov 16 2022
[7] Nikhil Kapoor, “Understanding Railway Cybersecurity”, ISA Global Cybersecurity Alliance, Mar 26 2022, Accessed Nov 16 2022
[8] Claudia Swain, “The Emerging Cyber Threat to the American Rail Industry”, Lawfare, Oct 20 2022, Accessed Nov 16 2022
[9] Zoe Kleinman, “Rail station wi-fi provider exposed traveller data”, BBC News, Mar 2 2020, Accessed Nov 16 2022
[10] Miki Shifman, “7 Reasons Why CBTC Systems Need Cybersecurity Solutions”, Cylus, Jun 10 2021, Accessed Nov 16 2022
[11] Anna Skelton, “Positive Train Control (PTC) Expands Cyber Attack Surface for Rail Systems”, Dragos, Oct 15 2021, Accessed Nov 16 2022
[12] Ivan Belcic, “The Destructive Reality of Ransomware Attacks”, Avast, Feb 24 2022, Accessed Nov 23 2022
[13] TXOne Networks Blog, “U.K.-bas,ed Northern Rail’s ticketing system shut down after ransomware attack”, TXOne Networks, Jul 28 2021, Accessed Nov 16 2022
[14] Moxa Security Advisories, “TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client Vulnerabilities”, Moxa, Sep 1 2021, Accessed Nov 16 2022
[15] Moxa Security Advisories, “TAP-213/TAP-323 Series Wireless AP/Bridge/Client Vulnerabilities”, Moxa, Dec 30 2021, Accessed Nov 16 2022
[16] Cisco Security Advisories, Responses and Notices, “Cisco Industrial Ethernet 4000 Series Switches”, Cisco, Accessed Nov 16 2022
[17] Cisco, “Connected Rail Solution Design Guide”, Cisco, Nov 2016, Accessed Nov 16 2022
[18] Eduard Kovacs, “New TSA Directive Aims to Further Enhance Railway Cybersecurity”, SecurityWeek, Oct 20 2022, Accessed Nov 16 2022
