Introducing Margo – the first AI-powered cybersecurity assistant for rail!

Defending Railway Signaling Systems Against Cyber Attacks

Israel Baron
November 1, 2019
empty train station with moving train

In this article, I will try to share some of my thoughts and insights about developing fit-for-purpose railway-specific cyber security solutions that can eliminate or minimize the cyber threat in railway signaling systems, and why this is the time to act.

This was my second year in a row speaking at the 4th annual Rail Cyber Security Summit – last year as the CISO of Israel Railways, and this year as the Director of Business Development at Cervello – participating this year as the Summit’s Co-Sponsors alongside Siemens. I was very impressed to see that most of the major railway manufacturers and operators decided to send high-level management representatives. We had the opportunity to meet new and existing colleagues, share knowledge, and present our solution to protect railways against cyber attacks.

One of the speakers, I decided I would not just talk about technology and solutions this year. Instead, I would share my thoughts that it is time to take actual action to protect rail critical systems from cyberattacks. The railway infrastructures are changing and evolving into an all-new connected era.

New, computerized, connected, collaborative, and intelligent systems are integrated deep inside this unique industry to enable it to be much more advanced in the fields of predictive maintenance, customer service, punctuality, and more. As a result, they pose more opportunities for cyber-criminals and terrorists to attack such critical systems.

With billions of passengers/kilometers per year, the railway industry is one of the major assets in any country’s transportation system across the globe. Until recently, this industry was considered to be safe regarding cyber threats due to the fact it relied on proprietary, segregated networks, with very specific commands and protocols for the signaling systems and networks.

This assumption is not sustainable anymore due to the following reasons:
1. Signaling systems have become more IT-based with functionalities that use not only dedicated computers and hardware but also ordinary computers and COTS (commercial off-the-shelf) components that are more vulnerable to cyber threats.
2. There is increased use of network control and automation systems that could be accessed remotely via public and private networks.
3. Deployment of ETCS, which is the control component of the European Rail Traffic Management System (ERTMS), which uses GSM-R links to transfer lineside data to the cab/locomotive as part of automatic train operation.

Over the years, I’ve been in many cybersecurity events for the rail domain, both as a speaker and as an attendee. I’ve heard and participated in professional panels, read countless articles and posts, and even wrote some of my own. But lately, I have the feeling that we need to do more, that I should do more. Most of the people we know and care about use trains every single day – our friends, our colleagues, and our families.

I can’t let go of the thought that every day that goes by, and no one handles this important issue, catastrophic incidents due to a cyber attack are becoming more likely, and this makes me extremely worried.

It’s a known fact at this point in time, that most of the railway operators tackle mainly their IT environments, while the signaling systems are left without any railway threat detection capabilities at all – meaning they are a complete blind spot.

To do so, as Israel Railways’ CISO, I’ve examined many cyber solutions that were designed to monitor standard IT systems and OT networks. Unfortunately, none of them were fit to monitor the rail signaling systems and produce the desired cyber insights and alerts of attacks when and before they occur. This led me to the conclusion that to properly protect rail signaling systems, a railway-specific system should be developed.

After extensive and long research, I have no doubt that only solutions with the characteristics listed below will have the chance to be adopted/tested in this traditional unique industry in order to make the necessary change to face the upcoming threats.

1. Railway-specific technology
2. Seamless integration & deployment
3. Minimum false-positives
4. Non-intrusive

Furthermore, because of the special characteristics of this industry, integrating cyber defense solutions require a step-by-step approach and should include the following steps before going live:
1. Cyber survey – map the operator’s critical assets to be protected
2. Learning process – understand the operator’s critical network and special characteristics
3. Offline POC (Proof of Concept) – an offline installation of the cyber defense solution and the use of recorded data from the operator’s network
4. Connection to a test environment – a live unidirectional connection to the operator’s test environment or lab equipment/resources
5. Connection to a production environment – in a unidirectional way (the usage of diodes can be evaluated)
6. SIEM – an optional step, as some operators could ask to integrate the signaling cyber security solution in their existing SIEM/SOC

As shown, developing and integrating cyber security solutions for the railway industry is a challenging task, but nevertheless – it is a possible and important task. One of the first things I’ve learned during my time as a CISO is that we are not only responsible to protect systems and technologies – we are also responsible for public safety!

This is why at Cervello we set our mission to protect global railway operations and passengers by offering a railway cybersecurity platform that secures all connected rail & metro signaling systems against cyber attacks. With a team that brings decades of experience in cybersecurity and the rail industry, our unique technology and security services support international standards and protocols to provide the most complete, accurate, effective, and safe cyberdefense solutions. Furthermore, we work closely with OEMs and operators to ensure that rail cybersecurity will be an integral part of any signaling system, without compromising on safety or productivity.