Through an Attacker’s Eyes: Exploiting Weakness in Railway Maintenance Procedures

Cervello Team
April 11, 2022

Railway maintenance procedures represent a crucial function in keeping systems running and avoiding unplanned downtime. But for malicious actors, maintenance processes and technologies are prime opportunities to exploit vulnerabilities and disrupt operations.

Welcome to the first article in our new series, Through an Attacker’s Eyes, in which we examine how cyberattackers look for opportunities to infiltrate railway systems in pursuit of malicious agendas.

In order to accurately anticipate where, how, and when a cyberattacker will attempt to breach a railway system, we start with a simple question: What’s the easiest way in?

While it’s true that some targeted attacks require significant preparation, many others are opportunistic. As railway critical infrastructure becomes more digital and connected, it’s become easier for malicious actors to identify unaccounted-for vulnerabilities. Moreover, infrequent system updates allow vulnerabilities to remain unremediated for extended periods of time, increasing the risk of exploitation.

Today, many of those vulnerabilities exist within the digital systems used for maintaining critical rail assets and systems. These vulnerabilities allow cyber attackers to easily exploit the weakness in railway maintenance procedures to disable operations and threaten passenger safety.

Let’s take a look at maintenance procedures through an attacker’s eyes to understand where they see the biggest opportunities—and where your biggest risks may lie.

The Supply Chain is Ripe With Vulnerabilities

Maintenance processes that are enabled by third-party vendors and allow remote access to signaling and control systems are prime targets for malicious actors. As the digital transformation in railway accelerates, the supply chain has become an attractive target for malicious actors.

A supply chain attack occurs when malicious actors exploit trusted relationships between an organization and external parties, such as vendors or third-party software. In a supply chain attack, the attacker enters an organization’s internal network through a vulnerability in an external party.

For example, a cyber attacker could exploit a known vulnerability within a third-party vendor or its software to carry out a variety of attacks: achieving lateral movement, corrupting computers and files, and disabling key systems. They could even mount a low-volume DoS attack within the application layer by issuing seemingly legitimate requests. By overloading a system with such requests, a cyberattacker could render it unable to function and cause it to shut down.

By some counts, supply chain attacks tripled in 2021. In Europe, nearly 62% of all cyberattacks occur via the supply chain. As the likelihood of supply chain attacks increases, so does the need for a robust solution to secure connected third-party systems.

Infrequent System Updates Complicate Security Efforts

Another weakness cyber attackers are eager to exploit is gaps between system updates.

Due to the complexity of updating and patching mission-critical railway systems, updates via preventative maintenance processes don’t occur every time a vulnerability is detected.
As a result, even known vulnerabilities for which a patch has been issued could remain unremediated within mission-critical systems for extended periods of time, allowing attackers to gain entry without being noticed, and stay there.

Because unpatched systems are easily exploited, and provide a direct path to critical OT systems, railway organizations must address this security weakness.

How Zero-Trust Fortifies Security in Your Maintenance Supply Chain and Gaps Between System Updates

Once we understand where cyber attackers have set their sights, it becomes easier to identify the appropriate security solution. The proliferation of remote maintenance technologies and a myriad of third-party software have opened many more doors for malicious actors to gain entry.
The most effective approach to mitigating the vulnerabilities left open by digital maintenance technologies is a Zero-Trust model.

A Zero-Trust model enables a contextual, risk-based evaluation of all requests, procedures, and activities, regardless of network location or user rank. When applied to cyberattacks that originate in the supply chain, a Zero-Trust model validates and authenticates the information transmitted via third-party remote channels to the operational systems to which they are connected.

Moreover, when system updates are infrequent, a Zero-Trust model enables the continuous authentication and validation of actions and information within the application layer to identify malicious activities.
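As an added illustration of the per-request validation described above (example code written for this article, not Cervello's product or any rail vendor's protocol), the gateway below evaluates each third-party remote maintenance command on its own merits: signature, freshness, contracted scope, maintenance window, and a rate check that catches the low-volume application-layer flooding of individually legitimate-looking requests mentioned earlier. The vendor names, keys, asset names, commands and thresholds are constructed placeholders.

```python
import hmac
import hashlib
import time
from collections import deque

# Constructed vendor credentials and contracted scopes (hypothetical values).
VENDOR_KEYS = {"vendorA": b"constructed-shared-secret"}
VENDOR_SCOPE = {"vendorA": {"interlocking-07": {"READ_STATUS", "UPLOAD_CONFIG"}}}
MAINT_WINDOW = (1, 5)        # agreed maintenance window, hours UTC [start, end)
RATE_LIMIT = (5, 60.0)       # at most 5 commands per 60 s per (vendor, asset)
RECENT = {}                  # (vendor, asset) -> timestamps of recently allowed commands

def sign(vendor, asset, command, ts, key):
    """HMAC over the request fields; binds the command to vendor, asset and time."""
    msg = f"{vendor}|{asset}|{command}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_request(vendor, asset, command, ts, key):
    """Vendor side: build a signed maintenance request."""
    return {"vendor": vendor, "asset": asset, "command": command, "ts": ts,
            "sig": sign(vendor, asset, command, ts, key)}

def evaluate(req, now):
    """Gateway side: return (allowed, reason). Every check runs on every request,
    regardless of the vendor's standing or the network the request arrived from."""
    vendor, asset, cmd, ts = req["vendor"], req["asset"], req["command"], req["ts"]
    key = VENDOR_KEYS.get(vendor)
    if key is None:
        return False, "unknown vendor"
    if not hmac.compare_digest(sign(vendor, asset, cmd, ts, key), req["sig"]):
        return False, "bad signature"
    if abs(now - ts) > 30:
        return False, "stale or replayed timestamp"
    if cmd not in VENDOR_SCOPE.get(vendor, {}).get(asset, set()):
        return False, "command outside vendor scope for asset"
    if not (MAINT_WINDOW[0] <= time.gmtime(now).tm_hour < MAINT_WINDOW[1]):
        return False, "outside maintenance window"
    # Application-layer flooding: each request looks legitimate, but too many arrive.
    window = RECENT.setdefault((vendor, asset), deque())
    while window and now - window[0] > RATE_LIMIT[1]:
        window.popleft()
    if len(window) >= RATE_LIMIT[0]:
        return False, "rate limit exceeded"
    window.append(now)
    return True, "ok"
```

Each denial reason is a distinct, loggable event, which is what makes the check useful for detection as well as for blocking.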

This approach is not only becoming the norm across most industries, but it is also becoming a requirement. In 2021, the US government released a new memorandum expanding requirements among critical infrastructure organizations and national security systems agencies to adopt a Zero-Trust architecture as part of their plan to defend against known or suspected cybersecurity threats. The NIST (National Institute of Standards and Technology) has also released its own cybersecurity measures and guidelines highlighting the core components of Zero-Trust principles.

Be the First to Take Action

With a look into how malicious actors seek out vulnerabilities in railway systems and technologies, you have the foresight to be proactive.

Malicious actors who wish to disrupt operations, demand ransom, or inflict harm have one goal in mind: to find the easiest way in.

In many cases, advanced systems that enhance maintenance procedures are also ripe with vulnerabilities—and network security is only as strong as its weakest host. Unsecured supply chains and complex processes for updating and patching critical systems are two areas of weakness cyber attackers are keen to exploit.

With a railway-centered cybersecurity solution that adheres to Zero-Trust principles, you will gain the visibility and context required to map out a rail incident response plan and remediate threats before they cause damage. The combination of ongoing monitoring, passive railway threat detection, and comprehensive contextual visualization enables proactive identification of:

  • Unauthorized entry to OT systems via the supply chain
  • Common vulnerabilities and exposures (CVEs)
  • Critical security misconfigurations caused by maintenance procedures