Jesus will debate how to secure critical rail infrastructure from cyber attack in a forthcoming IRS Rail Webinar on 28 July
Cyber attacks have disabled ticketing systems for several passenger rail operators and forged track switching signals as well. Much more sophisticated cyber threats are currently targeting other industries – seeing these threats in rails is only a matter of time. This is unacceptable – safe operations are possible only if we are secure from cyber threats. The same is true for reliable and efficient operations. In this article we explore modern cyber attack techniques targeting industrial operations and project how those techniques will evolve in the medium-term, given the trends we see in other industries.
Let’s start with targets: vital networks for rail systems are target rich and getting richer. Rail system digitalization steadily introduces more computers into our systems, all running software, and all software is a target. All software has defects after all – nobody produces flawless software, and some defects are security vulnerabilities, discovered and undiscovered. Worse, increased digitalization demands increased connectivity for all those software assets, and every connection that allows any message or information to flow allows attacks to flow as well.
Now to threats: the most pervasive threat is common malware. Malware that infects consumer cell phones and laptops seeking to steal consumer credit card numbers or account passwords is a pervasive threat, with limited consequences. Such malware may trigger shutdowns if it compromises vital computers through an email or a USB drive, but the malware is not designed to damage operations. Common ransomware is a bigger threat. Ransomware is designed to render computers inoperable by encrypting important information and extorting money to restore the data. Such malware does impair operations, and restoring operations in the face of such compromise can be much more involved than saying “just restore from backups.”
The most sophisticated ransomware threat, however, is targeted ransomware. This is where an adversary does their homework, crafts very convincing false emails, and steals remote access credentials. These adversaries might steal credentials from rail system operators, or more recently in other industries, steal these credentials from smaller and less-thoroughly-defended service providers – providers who are trusted to access operations networks remotely, and who might even have continuous VPN connections into such networks from the providers’ premises. Once inside their targets, these attackers use so-called “pass the hash” and other techniques to steal even more valuable credentials. These attackers frequently create new accounts for themselves, so that even if the passwords they stole originally are reset, the new accounts are unaffected.
With powerful credentials in hand, these targeted attacks spread through a network until they reach what they deem to be a target important enough for their victims to pay a large ransom to restore. This is when they plant their ransomware on dozens of hosts at once and trigger it, crippling operations and demanding up to several million dollars at a time to decrypt their targets.
There are two important lessons here. First: many operators new to cyber security have the impression that security updates, encryption and firewalls will save them from this class of threat. This impression is mistaken. These security measures provide a degree of protection from common malware, but not from targeted attacks. If we re-read the attack description above, we observe that:
• Victims pulled forged emails and/or attachments through their corporate firewalls over encrypted connections. Firewalls do not block authorized traffic, nor does encryption.
• Attackers’ connections to their compromised computers are generally encrypted – over the HTTPS protocol, or over a supplier’s VPN. Cryptosystems encrypt attacks as readily as they encrypt legitimate communications.
• The attackers used stolen credentials to move around their target network – they did not exploit defects or vulnerabilities in software systems.
In short, modern attacks exploit permissions, not vulnerabilities.
It gets worse. The second lesson: many security practitioners look backwards at attack patterns, reasoning that, because there are few targeted ransomware attacks that have impaired rail operations historically, protecting against such attacks should be a low priority. The problem with this logic is that that it ignores clear trends: high-volume cyber attacks have become steadily more sophisticated over time.
These “exploit the permissions” targeted attack techniques were, only a half decade ago, thought to be used exclusively by nation-state adversaries. Today they are used routinely by organized crime, with a steadily increasing volume and variety of victims. Targeted ransomware is too profitable for organized criminals to give up any time soon. This means that today’s “ultra-sophisticated” nation-state capabilities, able to defeat intrusion detection, two-factor authentication and other software security systems, will almost certainly show up as widespread, targeted threats in another half decade.
Rail system operators cannot afford to throw out and redesign vital networks for control centers, power management, switching systems and rolling stock every half decade. We need practical, cost-effective security systems today – systems that will survive even very sophisticated attacks, for the foreseeable future.
Robust, practical and cost-effective designs are already in use, and these designs prevent cyber attacks much more reliably than do intrusion detection, encryption, firewalls and security updates. To explore how these designs achieve such goals, please sign up for one of our up-coming webinars, or download the latest Waterfall eBook at https://waterfall-security.com/rails-occ/
Swedish State Railways (SJ) has for a long time highlighted the minimal climate footprint of rail compared to air travel. More recently, the “flight-shame” movement has emerged as an opportunity to take this one step further. The concept started to gain traction in social media in Sweden in 2017, about a year before climate change activist Greta Thunberg initiated her school strike, which developed into the world-wide Fridays For Future demonstrations. The basic idea behind “flight shaming” was that measures aimed at reducing air travel, such as increased fees for airlines, were insufficient. Targeting the social capital of the travellers would have a greater effect.
Travelling by train in Sweden has increased significantly in recent years. Since the mid 1990s, train passenger kilometres have increased by more than 200 per cent. Just between 2017 and 2019 the increase was another 10.4 per cent. In contrast, domestic air travel seems to have peaked in 2017, with a combined loss of almost 1 million passengers in 2018 and 2019, or -12.5 per cent. Consequently, rail has also improved its market share. These trends continued in January 2020, before the coronavirus crisis hit the transportation industry.
SJ regularly performs on-board surveys asking our customers about their reasons for choosing the train. Among 14 different alternatives, the environmental aspect is now – for the very first time – the top stated reason, mentioned by 34 percent of passengers.
During the past years, SJ has been communicating ”carbon savings” to private as well as business customers, comparing train emissions with corresponding numbers from cars and airplanes. In 2019 SJ decided to further explore the communication opportunities provided by more environmentally conscious customers and the increased interest in travelling by train.
We picked our most important line – Stockholm–Gothenburg – and formed a campaign around a very basic question: “How many journeys by train from Stockholm to Gothenburg can you take before the CO2 emissions equal those of a single flight?”. The answer, “40,000 journeys”, was conveyed in TV commercials, printed media and posters at railway stations. To calculate this number we used the standard methodology for calculation and declaration of energy consumption and CO2 emissions of transport services (EN 16258) and airplane emission data from Scandinavian Airlines1. The fact that SJ is able to purchase 100% renewable electricity, mostly from hydro power, did of course contribute significantly.
Going forward, we now also see a renewed interest in international train journeys. A related Facebook community has attracted more than 113,000 members and it has become a thing to “train boast” – bragging about going on vacation by train. SJ is working to make it easier to book international train journeys. Such journeys usually require some form of collaboration with other train operators, but also with airlines (e.g. for return journeys). Therefore, there are opportunities ahead, not only for rail.
1 SAS have later revised their figures, affecting the calculation of journeys to be reduced to 27,000.
Photo by Tranmautritam from Pexels
When Ursula von der Leyen addressed the European Parliament in July 2019 asking for a vote of confidence in her appointment as President of the incoming European Commission, her focus on sustainability did not come as a surprise.
Global warming is ‘the’ hot topic in all international forums and its importance is rising. What makes it a singular issue is the way it has stepped out of institutional rooms to massively enter the public debate of citizens around the globe. It is a fact that no other public policy issue is being discussed as much as the tools that national and continental governments should put in place to stop temperatures rising.
What was unique in von der Leyen’s speech was its level of ambition: ‘I want Europe to be the first climate-neutral continent’, she said.
It is true that the recently published proposal for a Climate Law received bad comments from many environmental activists since it provides for climate neutrality to be reached by 2050 only, proposing no stringent mid-way targets. Nevertheless, it is a fact that the Union has made climate change its top priority like no other political body anywhere else. On CER’s side, as a prominent participant in all debates that shape European climate policies, we will do our best to support and realise the ambitions of the Union executive branch.
Active in Brussels since 1988, CER is proud to defend the rail sector on the grounds of its sustainability credentials, which are today making railways a fundamental part of the solution.
In the context of the European Green Deal (EGD), the Commission Directorate-General for Mobility will soon put forward a Strategy on Smart and Sustainable Mobility: we look forward to seeing reflected there a firm stand in favour of redressing all those regulatory imbalances that currently make railways less attractive vis à vis other transport modes.
Other policy initiatives are announced, which we hope will be strong enough to make European mobility move in the right direction: we will see a revised TEN-T Regulation and combined transport Directive, initiatives aimed at increasing rail infrastructure capacity, a revision of the Energy Taxation Directive.
As for gathering more resources for sustainable investments, we also hope that the EGD Investment Plan will bring positive effects. On the one side, we need a quick agreement between the Member States on the 2021-2027 Multiannual Financial Framework to secure necessary resources for key budgetary lines like the Connecting Europe Facility or pivotal R&I initiatives like Shift2Rail. On the other side, we hope that additional resources can be re-oriented through appropriate financing: the European Investment Bank will play a key role (and it will soon revise its transport lending policy!) and the Sustainable Finance Action Plan must find ways to have more binding consequences on institutional investors (a new version of it will be made public next autumn).
Much is still to be seen of course, but in the meantime the CER Management Committee met with Commission First Vice-President Frans Timmermans in February to underscore railways’ commitment to upgrade their technology and the quality of their services. The Commission’s political will is clear and confirmed; if we manage to get the European Parliament and national governments onboard as well, I see a bright green future ahead for Europe!
Photo by SenuScape from Pexels
Salif spoke about the benefits of the Digital Bag at the 8th International Railway Summit in New Delhi
Train drivers, conductors and maintenance technicians are at the heart of railway operations and ensure that passengers (and goods) are transported to their destination in the best conditions of safety and comfort.
They are mobile staff, but still obliged to go to their office to take with them information and papers they need to perform their missions. While it might be good to go to the office to meet colleagues and get fresh news about the company, it also can be perceived as a waste of time that prevents from focusing on core missions. Also, even after having passed by the office, while executing their mission, mobile staff might still miss recently updated guidelines to fully complete their operations. This is also a risk for seamless operations and passenger experience.
Now, let’s imagine a modern, light and user-friendly tool that mobile staff would always have with them and with which, anytime and anywhere they could:
• Consult technical and company manuals to acknowledge all required procedures in manuals
• Receive briefing wherever they are, to prepare their journeys
• Write and send back reports to inform about all events that occur
This vision is a reality with software solutions that enable the digitization of operational processes and, therefore, the removal of paper-based procedures. Immediate outcomes are accelerated data flows and enhanced operational efficiency.
In the aviation industry, for the past 10 years, pilots, cabin crew and mechanics are more and more equipped with mobile tablets and software that support them in the execution of their missions, from preparation to closure.
This major evolution in the way to operate flights generates major business benefits:
• Facilitate transmission of a safety culture since guidelines are more accessible
• Enhance the efficiency of operations: by receiving flight information in advance (or during a flight) on their tablets, crew can anticipate issues and make ad hoc decisions
• Make work conditions better for staff: no need to carry heavy bags
• Improve passenger experience: being always connected, staff can better inform customers
Challenges faced by rail operators are similar to those faced by aviation, so why would rail staff not be equipped with similar mobile solutions so they could benefit from digitized operational processes?
This is exactly what dgBirds offers, via the Digital Bag software solution that is composed of:
• A user-friendly mobile application that can be downloaded and used by mobile staff from iPads. “Documentation”, “Briefing” and “Reports” are the services available from this mobile application
• An administration platform, accessible via any Web browser and from which back office staff can organize, distribute and monitor all documentation to their remote colleagues
Documentation service: from an iPad, easy access to all documentation and manuals, anywhere, any time
As illustrated below, via innovative services, the Digital Bag can help rail staff better perform their missions, throughout their complete journey:
Digital Bag: supports rail staff over their journey
Watch this video to see how the Digital Bag concretely supports rail mobile staff: dgBirds Digital Bag for rail staff
About dgBirds:
dgBirds is a software company based in Paris and is a subsidiary of Air France.
Based on the experience of Air France pilots and cabin crew, dgBirds has developed and proposes a software solution that enables organizations to organise and distribute all the information that mobile staff require during their missions and that they can access from a mobile application.
This value proposition is addressed not only to the air transportation sector but to all transportation organizations that, by definition, have mobile staff who are, on a daily basis, in close relationship with passengers / customers and, as such, are key stakeholders to guarantee the quality of their experience.