Railway Cybersecurity: 2021 Year in Review

Cervello Team
December 28, 2021

2021 was a monumental year in the world of rail cybersecurity.

Rising federal cybersecurity standards, a variety of high-profile railway cyberattacks, and unprecedented demand for railway-centered cyber solutions are just some of the challenges and milestones the industry underwent this year.

Here’s Cervello’s official recap on 2021 from a railway cybersecurity perspective, as well as our outlook for the New Year.

National governments are ramping up cybersecurity standards and regulations

In early December, the TSA issued new security directives to fortify cybersecurity across all US critical infrastructure, including passenger railroads, rail transit agencies, and freight railroads.

The directives are part of the Department of Homeland Security’s efforts to make cybersecurity a top priority and to strengthen the industry’s security posture after a series of attacks this year. The TSA requirements, outlined below, represent one of the most concrete sets of standards put forth by a federal government. We believe that in the following years, more governments will follow suit.

The new TSA cybersecurity requirements obligate railway owners and operators to:
Designate a cybersecurity coordinator who will be available to the TSA and CISA at all times.
Report all cybersecurity incidents to DHS’s CISA within 24 hours.
Develop and implement a rail incident response plan to prevent operational disruption.
Conduct a cybersecurity vulnerability assessment of current practices and activities to address cyber risks to information and OT systems, identify current gaps in cybersecurity measures, and identify remediation measures.

The EU also began making progress this year by publishing its own set of standards for railway cybersecurity.

CENELEC, which is responsible for developing and defining voluntary electrotechnical standards in Europe, created CLC/TS 50701 in 2021. The document provides railway operators, system integrators, and product suppliers with guidance on how to manage cybersecurity in the context of the EN 50126-1 RAMS lifecycle process.

The technical specifications outlined in CLC/TS 50701 are considered a landmark for railways, as they provide the first unified set of standards and recommendations to handle cybersecurity matters. In 2022 and beyond, we expect to see governments around the world develop even more concrete requirements to ensure railway cybersecurity.

Landmark cyberattacks underscored railway’s vulnerability across the globe

2021 was the year cybercriminals “woke up” to railway’s vulnerabilities. The surge of attacks directed at the railway industry this year was a clear sign that attackers—from state-endorsed hacking groups to individual malicious actors—have set their sights on railway.

Among the most notable cyberattacks this year was the July attack on Transnet, one of South Africa’s state-owned ports and freight rail companies.

This attack, which garnered significant media attention and drew governments’ concern worldwide, demonstrates cyberattackers’ rising interest in railway, as well as the potential disruption they are capable of.

In the face of this risk, railway organizations need to react. Although federally mandated regulations will help raise cybersecurity standards, individual railway organizations will only be able to achieve optimal cybersecurity if their leaders are ready to take the initiative into their own hands.

Appointing a CISO, building a railway CSOC, and implementing a railway cybersecurity platform are three key ways railway leaders can fortify their defenses and prevent disruption.

Railway has become a prime target for cyberattacks during large-scale events

Large events convening global leaders and delegates from around the world have also emerged as attractive targets for cybercriminals, particularly the railway systems these events depend on.

For example, the 2021 United Nations Climate Change Conference, commonly referred to as COP26, was held at the SEC Centre in Glasgow, Scotland, from October 31 to November 13. In August, more than two months before the conference began, police and security experts put critical infrastructure in Glasgow, including the underground and train network, on high alert.

The Tokyo Olympics was another global event that faced the threat of a cybersecurity attack. Leading up to the games, Japanese officials warned of threats to critical infrastructure. If they had been successful, malicious hackers could have caused wide-scale operational disruption that jeopardized the event and put lives at risk.

Fortunately, fears that hackers would target the critical infrastructure at COP26 and the Olympics did not materialize. However, the possibility of a cyberattack threatening a major global event, and the media attention it would garner, has made such events ideal targets for cybercriminals.

Increased digitization creates novel railway cybersecurity challenges

2021 marked another year of progress in railway’s industry-wide transformation to digital technologies and wireless channels. Every country and region is making strides at its own pace, but each continues to improve productivity and operational efficiency with new, digital systems.

One such example is the European Railway Traffic Management System (ERTMS), which has already helped improve cross-border interoperability throughout Europe by creating a single standard for railway signalling.

However, as railway organizations around the world continue their digital transformation, they must also increase their awareness of the inherent threats that come with it. The more digitized and interconnected railway organizations become, the more vulnerable they are to cyber-attacks.

In 2022, as the pursuit of digital technologies in railway continues, industry leaders must put equal attention on the vulnerabilities they are introducing, and develop viable strategies for mitigating them.

Amid increasing threats, demand for a dedicated railway cybersecurity solution is rising

In the railway industry, technological progress and the increased risk of a cyberattack go hand-in-hand. After the events of this year, it is now well understood among both cybersecurity agencies and industry leaders that the only way to protect railway’s critical infrastructure and ensure passenger safety is with a railway-centered cybersecurity solution.

Only a railway-centered solution that is built specifically for railway’s protocols, technologies, and systems can help ensure operational continuity, reliable transport, and passenger safety.

With rising demand for such solutions, we have a positive outlook for 2022. As we further develop our technology and establish new partnerships with railway organizations around the world, we believe 2022 will be a safer, more productive year for railways.
