5 Tips for Building a Railway CSOC

Israel Baron
August 9, 2021
city with full train station

Today, it’s become clear that cybersecurity plays a fundamental role in railway safety. As a result, rail organizations have made strides, from appointing dedicated cybersecurity leadership to implementing cyber solutions.
But even this isn’t enough to protect the complex networks and systems that comprise railway. Effective railway safety requires a holistic, unified, and centralized unit that provides 24/7 cybersecurity monitoring, detection, and mitigation. It requires a Cyber Security Operations Center or CSOC.

A CSOC isn’t a new concept. It’s been a mandatory component of security strategy in other industries for years. But, ironically, CSOCs are almost unheard of in the railway industry, despite the clear need for a unified approach to secure its complex and dispersed infrastructure. Those that do exist are usually only built to monitor IT security, and completely leave out operational technologies, which is critical in railway cybersecurity.

In this post, I’m going to explain what a CSOC is and provide five clear tips for building a successful one.

What does CSOC mean for railways?

A CSOC (also sometimes called a cyber SOC), is a centralized unit within an organization that relies on people, processes, and technology to improve its security posture. The CSOC is responsible for continuously monitoring, detecting, investigating, and responding to cybersecurity threats.
Think of a CSOC as a central hub or command post that sits at the center of your IT and OT infrastructure, including your networks, communication and railway signalling systems, devices, rolling stock, etc.
Here’s why it’s important for railways.

Digital technologies and wireless channels are proliferating throughout rail infrastructure. At the same time, railways have become an attractive target for malicious hackers. As a result, CISOs need the ability to collect context from diverse sources across operations. A CSOC enables the high-level as well as granular visibility into all activities, communication, and signals that could be the target of an attack, which in turn, enables more effective remediation.

Building a railway CSOC from the ground up

Before I dive into the tips, I want to tell you a little bit about where they come from.
In 2017, I became the first CISO of Israel Railways. After serving in cybersecurity roles for many years in the Israeli Ministry of Defense, I felt confident I had the skills and experiences necessary to establish a cybersecurity department from the ground up and improve railway safety.
But after one day on the job, I could see that I was facing an extraordinarily complex challenge: namely, finding a way to manage the mess of systems and networks that comprise the rail infrastructure.
I understood that all of these systems must always work and remain in constant communication in order to keep the trains running safely. But ensuring this wasn’t simple. Each system’s security was being managed separately and with no way to see the whole picture.
I needed visibility to do my job, but I felt blind. I decided to build a CSOC, which would be responsible for handling all security activities both from the IT systems and especially from the OT critical networks, from one centralized location, staffed with professional cyber analysts working around the clock to monitor everything.
Once I got the CEO on board, we were moving. One of the first-ever railway-dedicated CSOCs was born.

5 tips for Building a railway CSOC

Based on this experience, here are the five core tips I’d offer to other railways CISOs when building a CSOC.

1. Adopt a holistic cybersecurity approach

A holistic approach is fundamental to getting a CSOC to work. With the railway’s numerous and dispersed systems, networks, and technologies, it’s almost impossible to manage each system individually.
Doing so would require you to assign individual cyber analysts to manage each asset. This is problematic for a few reasons:

• Few cybersecurity teams have the human capital to carry this out
• Managers suffer from “tunnel vision,” or the inability to see how a threat in their system or security zone could be impacting others
• You face the added challenge of ensuring adequate communication and collaboration between managers, which could jeopardize threat remediation

Without a holistic approach, harm will eventually find its way into the safe zone. But with one, you will have clear, unified visibility into every system, technology, and activity that may become the target of an attack.

2. Monitor both IT and OT

All CSOCs monitor IT. In other industries, this is enough. But to truly adopt a holistic, railway-centered approach, you must also monitor your operational technologies.

Imagine you’ve built a CSOC, and now all of your railway systems, protocols, and networks are being monitored. This is all great. But what about the supply chain? What about the hardware vulnerabilities your suppliers have left undetected? Without also monitoring the hardware you connect to your systems, the door is still open to potential attackers.

One of the unique things about Cervello is that it’s designed to solve exactly this kind of problem.
Cervello is a fully passive, non-intrusive railway-centered security solution that integrates directly into the railway infrastructure without causing any system downtime or network interference. It provides in-depth visualization of your operational environment, including operational dependencies and hardware.

Cervello allows CSOCs to monitor both IT and OT. Easil enable auto-discovery to segment and map every connected asset within each security zone, which provides essential context to operators and infrastructure managers who must respond to suspicious activity.

3. Protect your network with a one-way data flow architecture

Even a CSOC can become a vulnerable target for attackers—that’s why it’s critical to create a unidirectional data flow architecture.

As a centralized cybersecurity hub, the CSOC connects formerly disparate systems, which makes it the weak link in the chain. Attackers could try to penetrate the CSOC in order to gain access to your critical network and compromise your safety systems.

The approach of one-way data flow allows the CSOC to secure IT and OT networks from external threats by preventing inbound data flow and eliminating threats from passing through sensitive networks and systems.

4. Bridge the knowledge gap

One of the reasons rail cybersecurity is so challenging is because cyber analysts and railway professionals usually don’t really understand what the other is doing.
When I first joined Israel Railways, there was a complete separation between the cybersecurity/IT team and the railway operators/infrastructure managers. They had no common language to communicate or work together.
If a threat was detected, the railway operators couldn’t comprehend the analysts’ instructions, and the analysts didn’t understand the intricacies of the railway systems—or the implications of disruption.

As I already mentioned, cybersecurity in railways is different than in any other industry. A generic, broad-stroke approach just doesn’t work. Analysts must understand the unique complexities of railway operations, communication, and signalling. And at the same time, railway operators and infrastructure managers need to understand the realities of cyber threats so they will “get on board” and collaborate.

So, one of the first things I did as CISO sent the cybersecurity analysts to a railway foundations course, and send the railway operation control staff to a cybersecurity foundations course. Once the groups were able to understand each other, we had excellent collaboration.

5. Be prepared to respond

This means improving team readiness and creating an actionable playbook for efficient rail incident response.

When an “unapproved” person enters a sealed-off security zone, the security guards who respond to the incident don’t just act on impulse or intuition. They adhere to a predefined set of procedures and tactics that are designed precisely to mitigate the threat.
The same goes for your CSOC. Having procedures in place to respond to threats swiftly and acutely is crucial.
This is what Cervello does. In addition to helping analysts monitor, map, identify, and isolate threats, we provide an actionable playbook of procedures so cyber analysts and IT professionals, as well as railway operators and infrastructure managers, know exactly what to do at exactly the right time.

Railway CSOCs will soon be standard practice

Although railway CSOCs are still rare today, it won’t be long before they become the norm. As railway organizations continue looking for ways to bolster their cybersecurity posture, building a CSOC—led by a CISO—will be the natural progression.

The process is sure to be challenging, but with the right strategy, technology, and culture, you can build a successful CSOC that helps keep operations running smoothly and safely.

If you have any questions about CSOCs or would like to get in touch, feel free to contact me on the form on your right.