The attack against Alaska’s Railroad Corporation in December, American company Wabtec’s data breach last summer, and, of course, the third-party cyber attack that forced the complete suspension of Denmark’s DSB train service last October are prime examples of the complex vulnerability of rail systems. As railways become more digitally connected, cyber incidents like these are likely to become common.
As the former CISO of a national railway, I ask myself how would I act if I were put in the position many CISOs are faced with today.
Well, recently, I presented at the UITP Global Public Transport Summit to share my thoughts. With the significant rise in rail cyber events around the world, I was inspired to talk about the journey many decision-makers, like myself, go through when faced with a potential cyber incident.
Rail networks consist of thousands of components and, while they aren’t all connected, it’s nearly impossible to know which are affected during a cyber event. This lack of contextual understanding leads companies to make uninformed, and sometimes unnecessarily radical decisions with both financial and reputational repercussions, such as suspending all services for hours. It all comes down to a lack of visibility and rail-focused cyber tools.
A report conducted in 2020 by Mineta Transportation Institute showed that, while 81% of transit agencies believe they were prepared to manage and defend against cybersecurity threats, 40% didn’t have a cybersecurity preparedness program at an organizational level. 43% of them didn’t believe they had the necessary resources for cybersecurity preparedness. This significant gap confirmed that while the expertise and willingness of rail organizations to protect their infrastructure is there, they are not adequately equipped to make an informed decision to choose the best tools for their complicated systems.
So, what is needed to make a smart operational decision? It’s critical to have deep visibility, a contextual understanding of which systems are actually affected by each potential incident in order to understand the detected vulnerabilities or threats, validate, and prioritize them, and an automated response playbook based on the collected data.
Make smarter operational decisions with the help of the world’s most trusted rail cybersecurity company.
The Role of Visibility in Operational Response
Over the last few years, innovation in the rail industry has significantly increased, leading to greater dependency on supply chain providers. The assumption that signaling systems and other critical infrastructure networks are closed networks, is no longer correct. Beyond the significant benefits of railway innovation, innovation has also made rail networks increasingly more complex and vulnerable.
Due to the volume of networks now interconnected and integrated with numerous third-party solutions, it is increasingly necessary to continuously see the entire network, monitoring and describing the status of all assets prioritizing the risk of vulnerabilities according to contextual risk analysis, and their operational impact. It’s essential to segment networks so that in the case of an attack, you can more efficiently manage the response.
Contextual Analysis and Prioritization During a Cyber Incident
Securing critical infrastructure means understanding what is at stake. Rail is a more than $290 billion per year industry and is a critical aspect in the supply chain of thousands of goods. In the US alone, a lengthy shutdown could cause 765,000 people to be out of work. It enables the transfer of basic goods and services such as food, medicine, and water, and it, of course, is responsible for the daily transit of millions of people.
Disruption of this kind of essential service causes immeasurable damage to a nation’s economy and to the reputation of the rail company. While you may not be able to stop a cyberattack, you can prevent a costly service disruption by responding efficiently and intelligently to cyber events.
There is no minimum amount of time to respond to a cyber incident, whether it be the discovery of a new vulnerability, detection of a threat or suspicious behavior, or an actual attack – the time is zero. Decision-makers need as much information as possible to make the most effective decisions with minimal operational damage.
From my experience as a railway CISO, it is imperative that the information and guidelines provided to rail security teams be driven by a comprehensive understanding of rail protocols.
In times of crises and under severe time constraints, knowing the operational impact of each incident and action is essential, as well as having alerts and remediation guidelines prioritized by severity and importance.