By Jeff Zacuto, Director of Product Marketing 

The systems and components onboard passenger and freight rolling stock are more digitized than ever, so the importance of operational technology (OT) cybersecurity in the rail industry cannot be overstated. Cyber Senate’s 3rd Annual Rail Cybersecurity USA Conference brought together industry leaders, cybersecurity experts, and rail operators to address this pressing concern at a critical time. Cyber threats increasingly target OT systems today, creating risks beyond interrupting the smooth operation of rail services to ones that can directly impact public safety. 

As the cybersecurity landscape continues to evolve rapidly, rail companies face the challenge of adopting proactive approaches to counter emerging threats effectively. It is crucial for these companies to understand this intricate landscape thoroughly and to implement robust strategies to address cybersecurity risks. By embracing a proactive mindset, and by adopting new approaches to OT cybersecurity, they can strengthen their defenses against evolving threats and proactively respond to shifts in the cybersecurity landscape. 

These key takeaways from the conference provide a snapshot for rail companies seeking to fortify their cybersecurity defenses and protect their critical rail infrastructure. By embracing the ideas and best practices shared at the conference, rail companies can effectively navigate the cybersecurity landscape and safeguard the public’s safety in an era marked by ever-increasing digital threats. 

Key Takeaways 

Legacy systems are the Achilles’ heel of cybersecurity.

Legacy systems, particularly those in Operational Technology (OT), present a significant challenge in cybersecurity. Often integral to critical infrastructure, these systems were not designed with modern cybersecurity threats in mind. As a result, they often possess unique vulnerabilities that cybercriminals can exploit. Brian Yoshino, Cybersecurity Advisor at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the importance of securing OT systems due to their increasing exposure to targeted cyber threats. The consequences of a breach in these systems could be severe, potentially disrupting essential services and posing safety risks. 

Ahmed Idrees, Operations Technology & SCADA Manager at Sound Transit, further highlighted the unique challenges presented by OT systems. He noted that these systems have a lifespan of 25 years or more and do not get replaced as frequently as IT hardware. This longevity presents a considerable challenge for maintaining their security as software updates might be hard to get—if at all. There is a lack of standardization in securing OT systems, and the convergence of IT and OT has led to a more fragmented approach to securing the entire operational environment. 

Addressing this challenge means prioritizing both the modernization and protection of these legacy systems simultaneously—ensuring the utmost security practices and tooling are in place to protect the current system while working to replace legacy hardware and software in tandem. Comprehensive security measures should be placed around legacy OT systems to safeguard against potential threats. Striking a delicate balance between maintaining the functionality of these critical systems and ensuring their security should always be a top priority. 

Network segmentation remains a crucial strategy in cybersecurity – even for OT.

Network segmentation is a critical strategy for maintaining security in the face of cyber threats. An unsegmented network can easily facilitate the spread of breaches, leading to widespread disruption and making containment challenging. However, implementing network segmentation in OT systems poses challenges, as most segmentation solutions available today are for IT systems. 

Graham Nasby, Senior Manager of OT Security Architecture at CN Rail, emphasized the importance of network segmentation and firewall rules for separating OT systems. Segmenting reduces the risk of a virus compromising one zone from spreading to others. He also highlighted the need for robust IT policy frameworks on the OT side, including policy standards, guidelines, positions, and patterns. 

Despite these challenges, the industry cannot ignore the importance of network segmentation. It acts as a virtual firewall, preventing the spread of breaches and enhancing the network’s overall security. Rail companies need to invest in solutions that enable effective network segmentation, even in OT systems. Adopting a proactive approach to cybersecurity, such as anticipating and mitigating potential threats before they can cause harm, is crucial. 

The industry needs cooperation and consistency in developing cyber frameworks and standards.

Comprehensive and consistent frameworks and standards in cybersecurity are crucial for rail companies. These frameworks help them understand and manage risks, identify critical systems, and plan for future cybersecurity needs. Tariq Habib, CISO at the New York Metropolitan Transportation Authority (MTA), emphasized the importance of processes and practices, not just technology, in developing cybersecurity standards.  

Sarah Freeman, Principal Cyber Engagement Operations Engineer at MITRE, highlighted the importance of a close partnership between operators and providers/manufacturers in addressing cybersecurity issues. She also emphasized the need for a common understanding, frameworks, and definitions of these systems, which is crucial when considering updates and maintenance. 

The absence of such frameworks may lead different constituencies to create their own, potentially resulting in inconsistent cybersecurity practices that are ultimately less effective. This situation highlights the significance of industry-wide standards and frameworks that can guide a rail company’s cybersecurity efforts. It’s not solely about having the right tools and technologies but also the right strategies and practices. 

Regular security updates & system maintenance are as critical for OT as they are for IT.

Neglecting updates can leave systems vulnerable to exploitation, potentially leading to severe security breaches. If updates are not deployed correctly and with monitoring mechanisms in place to ensure they are both applied and effective, existing or yet-to-be-discovered and patched vulnerabilities could remain—and new ones could be introduced.  

In the world of Operational Technology (OT), these challenges are even more pronounced. OT systems often have lives spanning decades, so they aren’t replaced as frequently as IT hardware. This situation presents unique challenges for maintaining their security, including: 

  • Limited maintenance windows: OT systems often have stringent maintenance windows due to continuous operations or limited periods of reduced demand. Finding suitable timeframes for applying updates without interrupting critical processes can be challenging, especially considering the coordination required across different departments or external stakeholders. 

  • Legacy technology: Many OT systems operate on legacy technology that may not be well-suited for frequent updates or lack built-in update mechanisms. These systems often have limited processing power, memory, or storage, making it challenging to accommodate the resource requirements of modern security updates. 

  • Testing and validation: Testing security updates on OT systems can be complex. Rigorous testing is essential to ensure that updates do not cause disruptions, compatibility issues, or unintended consequences. However, conducting thorough testing without impacting critical operations can be challenging, as it requires specialized testing environments and comprehensive understanding of the OT system’s behavior. 

  • Dependency on third-party vendors: OT systems often rely on third-party vendors for equipment, software, or specialized components. Coordinating security updates across multiple vendors and ensuring timely availability of patches can be challenging, especially if vendors have different release cycles or varying levels of responsiveness to security vulnerabilities. 

  • Lack of skilled personnel: OT systems require expertise in both operational technology and cybersecurity. The scarcity of individuals with knowledge and experience in both domains can pose a challenge for organizations when it comes to implementing and managing security updates effectively. 

Collaboration and information sharing can help overcome cybersecurity challenges.

Collaboration and information sharing are vital components in overcoming cybersecurity challenges. This entails collaboration between different sectors, organizations, and their suppliers, as well as between researchers and industry professionals. Janet St. John, Director of Cybersecurity at the Association of American Railroads, stressed the importance of sharing information with the right people at the right time under the right circumstances. Access to shared information and resources is crucial for mitigating risks and preventing compromises or exploitation of vulnerabilities. 

St. John also highlighted the industry’s security plan, which is updated every two years and exercised annually. This plan is not static and is adjusted based on the current threat landscape and incidents. They conduct an annual tabletop exercise that brings together physical and cybersecurity teams. This exercise helps to ensure that these teams communicate effectively with each other. The AAR’s Railway Alert Network (RAN) is a key information-sharing tool. This network disseminates information from government and industry partners across a distribution list, which includes law enforcement, fusion centers, and government partners. 

Prioritizing these can also foster a culture of collaboration and information sharing. This collaboration includes sharing threat intelligence, best practices, and lessons learned from incidents. Collaborative efforts can also extend to developing new security solutions and strategies, leveraging industry stakeholders’ collective knowledge and resources. 

Now’s the time to turn insights into action  

As cyber threats increasingly target OT systems, extending the risks beyond operational efficiency to the potential impact on public safety, the rail industry has to be proactive when navigating the evolving cybersecurity landscape. Cyber Senate’s conference should serve as a catalyst for change: taking decisive action and investing in robust OT cybersecurity measures today will benefit the industry for years to come.  

By embracing lessons learned and leveraging collective knowledge, the rail industry can stay ahead of emerging threats and foster a culture of cybersecurity resilience. Together, the rail industry can establish a secure and resilient future, upholding the trust of passengers and stakeholders. And by fortifying defenses, rail operators can confidently navigate the digital landscape, ensuring the safety and reliability of rail services in an interconnected world. 

Visit our Shift5 for Rail Solution to learn more about our capabilities.