From Cyber Incident to Operational Response

Israel Baron
June 15, 2023

The attack against Alaska’s Railroad Corporation in December, American company Wabtec’s data breach last summer, and, of course, the third-party cyber attack that forced the complete suspension of Denmark’s DSB train service last October are prime examples of the complex vulnerability of rail systems. As railways become more digitally connected, cyber incidents like these are likely to become common.

As the former CISO of a national railway, I ask myself how would I act if I were put in the position many CISOs are faced with today.

Well, recently, I presented at the UITP Global Public Transport Summit to share my thoughts. With the significant rise in rail cyber events around the world, I was inspired to talk about the journey many decision-makers, like myself, go through when faced with a potential cyber incident.

Rail networks consist of thousands of components and, while they aren’t all connected, it’s nearly impossible to know which are affected during a cyber event. This lack of contextual understanding leads companies to make uninformed, and sometimes unnecessarily radical decisions with both financial and reputational repercussions, such as suspending all services for hours. It all comes down to a lack of visibility and rail-focused cyber tools.

A report conducted in 2020 by Mineta Transportation Institute showed that, while 81% of transit agencies believe they were prepared to manage and defend against cybersecurity threats, 40% didn’t have a cybersecurity preparedness program at an organizational level. 43% of them didn’t believe they had the necessary resources for cybersecurity preparedness. This significant gap confirmed that while the expertise and willingness of rail organizations to protect their infrastructure is there, they are not adequately equipped to make an informed decision to choose the best tools for their complicated systems.

So, what is needed to make a smart operational decision? It’s critical to have deep visibility, a contextual understanding of which systems are actually affected by each potential incident in order to understand the detected vulnerabilities or threats, validate, and prioritize them, and an automated response playbook based on the collected data.

Make smarter operational decisions with the help of the world’s most trusted rail cybersecurity company.

The Role of Visibility in Operational Response

Over the last few years, innovation in the rail industry has significantly increased, leading to greater dependency on supply chain providers. The assumption that signaling systems and other critical infrastructure networks are closed networks, is no longer correct. Beyond the significant benefits of railway innovation, innovation has also made rail networks increasingly more complex and vulnerable.

Due to the volume of networks now interconnected and integrated with numerous third-party solutions, it is increasingly necessary to continuously see the entire network, monitoring and describing the status of all assets prioritizing the risk of vulnerabilities according to contextual risk analysis, and their operational impact. It’s essential to segment networks so that in the case of an attack, you can more efficiently manage the response.

From Cyber Incident to Operational Response – Baron at the UITP Global Public Transport Summit, June 2023

Contextual Analysis and Prioritization During a Cyber Incident

Securing critical infrastructure means understanding what is at stake. Rail is a more than $290 billion per year industry and is a critical aspect in the supply chain of thousands of goods. In the US alone, a lengthy shutdown could cause 765,000 people to be out of work. It enables the transfer of basic goods and services such as food, medicine, and water, and it, of course, is responsible for the daily transit of millions of people.

Disruption of this kind of essential service causes immeasurable damage to a nation’s economy and to the reputation of the rail company. While you may not be able to stop a cyberattack, you can prevent a costly service disruption by responding efficiently and intelligently to cyber events.

There is no minimum amount of time to respond to a cyber incident, whether it be the discovery of a new vulnerability, detection of a threat or suspicious behavior, or an actual attack – the time is zero. Decision-makers need as much information as possible to make the most effective decisions with minimal operational damage.

From my experience as a railway CISO, it is imperative that the information and guidelines provided to rail security teams be driven by a comprehensive understanding of rail protocols.

In times of crises and under severe time constraints, knowing the operational impact of each incident and action is essential, as well as having alerts and remediation guidelines prioritized by severity and importance.

Cervello Platform Leads Effective Operational Response

What is a purpose-built railway cybersecurity platform? Combining the expertise of top cybersecurity and railway operations specialists, Cervello developed a 7-layer protection platform that is both pre-emptive and effective in guiding rail security teams, specifically, through cyber incidents and risks.

Cervello’s asset management solution uses mapping and discovery tools to suggest which assets from all of your OT, IT, IoT, signaling systems, rolling stock, and legacy assets, to respond to for the most efficient and least disruptive remediation. Its risk-based scoring mechanism prioritizes next steps in case of an incident and aids with vulnerability and misconfiguration management.

Cervello’s rail incident response has customized and automated playbooks which provide the required next steps with contextual considerations for each action. Decision-makers and influencers can thus respond and mitigate damages with custom insights fine-tuned to their railway’s individual operations.

A solution like Cervello’s was designed to secure rail infrastructure while first and foremost ensuring business and operational continuity. Cervello Platform presents decision-makers and influencers with a full contextual understanding of each asset and its influence on other assets so that they feel in full control over their ultimate operational response.

Cervello is exhibiting at APTA Rail 24! Join us June 2-3.