Jesus will debate how to secure critical rail infrastructure from cyber attack in a forthcoming IRS Rail Webinar on 28 July
Cyber attacks have disabled ticketing systems for several passenger rail operators and forged track switching signals as well. Much more sophisticated cyber threats are currently targeting other industries – seeing these threats in rail is only a matter of time. This is unacceptable – safe operations are possible only if we are secure from cyber threats. The same is true for reliable and efficient operations. In this article we explore modern cyber attack techniques targeting industrial operations and project how those techniques will evolve in the medium term, given the trends we see in other industries.
Let’s start with targets: vital networks for rail systems are target rich and getting richer. Rail system digitalization steadily introduces more computers into our systems, all running software, and all software is a target. All software has defects after all – nobody produces flawless software, and some defects are security vulnerabilities, discovered and undiscovered. Worse, increased digitalization demands increased connectivity for all those software assets, and every connection that allows any message or information to flow allows attacks to flow as well.
Now to threats: the most pervasive threat is common malware. Malware that infects consumer cell phones and laptops seeking to steal consumer credit card numbers or account passwords is a pervasive threat, with limited consequences. Such malware may trigger shutdowns if it compromises vital computers through an email or a USB drive, but the malware is not designed to damage operations. Common ransomware is a bigger threat. Ransomware is designed to render computers inoperable by encrypting important information and extorting money to restore the data. Such malware does impair operations, and restoring operations in the face of such compromise can be much more involved than saying “just restore from backups.”
The most sophisticated ransomware threat, however, is targeted ransomware. This is where an adversary does their homework, crafts very convincing false emails, and steals remote access credentials. These adversaries might steal credentials from rail system operators, or more recently in other industries, steal these credentials from smaller and less-thoroughly-defended service providers – providers who are trusted to access operations networks remotely, and who might even have continuous VPN connections into such networks from the providers’ premises. Once inside their targets, these attackers use so-called “pass the hash” and other techniques to steal even more valuable credentials. These attackers frequently create new accounts for themselves, so that even if the passwords they stole originally are reset, the new accounts are unaffected.
With powerful credentials in hand, these targeted attacks spread through a network until they reach what they deem to be a target important enough for their victims to pay a large ransom to restore. This is when they plant their ransomware on dozens of hosts at once and trigger it, crippling operations and demanding up to several million dollars at a time to decrypt their targets.
There are two important lessons here. First: many operators new to cyber security have the impression that security updates, encryption and firewalls will save them from this class of threat. This impression is mistaken. These security measures provide a degree of protection from common malware, but not from targeted attacks. If we re-read the attack description above, we observe that:
• Victims pulled forged emails and/or attachments through their corporate firewalls over encrypted connections. Firewalls do not block authorized traffic, nor does encryption.
• Attackers’ connections to their compromised computers are generally encrypted – over the HTTPS protocol, or over a supplier’s VPN. Cryptosystems encrypt attacks as readily as they encrypt legitimate communications.
• The attackers used stolen credentials to move around their target network – they did not exploit defects or vulnerabilities in software systems.
In short, modern attacks exploit permissions, not vulnerabilities.
It gets worse. The second lesson: many security practitioners look backwards at attack patterns, reasoning that, because there are few targeted ransomware attacks that have impaired rail operations historically, protecting against such attacks should be a low priority. The problem with this logic is that it ignores clear trends: high-volume cyber attacks have become steadily more sophisticated over time.
These “exploit the permissions” targeted attack techniques were, only a half decade ago, thought to be used exclusively by nation-state adversaries. Today they are used routinely by organized crime, with a steadily increasing volume and variety of victims. Targeted ransomware is too profitable for organized criminals to give up any time soon. This means that today’s “ultra-sophisticated” nation-state capabilities, able to defeat intrusion detection, two-factor authentication and other software security systems, will almost certainly show up as widespread, targeted threats in another half decade.
Rail system operators cannot afford to throw out and redesign vital networks for control centers, power management, switching systems and rolling stock every half decade. We need practical, cost-effective security systems today – systems that will survive even very sophisticated attacks, for the foreseeable future.
Robust, practical and cost-effective designs are already in use, and these designs prevent cyber attacks much more reliably than do intrusion detection, encryption, firewalls and security updates. To explore how these designs achieve such goals, please sign up for one of our upcoming webinars, or download the latest Waterfall eBook at https://waterfall-security.com/rails-occ/
India is a vast country, not only in terms of its diverse cultural landscape but also the length, the breadth and the various topographies one encounters while travelling. Indian Railways, though a legacy of its colonial past, has evolved to become the lifeline of the country, catering to its needs for large scale movement of traffic, both freight and passenger, thereby contributing to economic growth and promoting national integration. In fact, railways constitute the backbone of the surface transport system in India. Today, Indian Railways are the fourth largest railway network in the world, operated by the Ministry of Railways, the Government of India, and one of the largest public sector undertakings.
Rail has several strengths such as being safe, more environmentally friendly and less polluting than other modes of transport — a significant advantage at a time of increasing congestion on roads and growing public concern about environmental issues.
However, the railways need to become more efficient, integrated, modern and responsive to customer demand. Building a modern, competitive railway network is indeed a top priority for India, both for smooth operation and for the development of a sustainable transport system. In line with this commitment to sustainability, the government has committed to electrify its entire rail network by 2023 and become a “net-zero carbon emitter railway” by 2030.
The high speed, modern rail services will be riding on new technology such as signalling, communication and other IT tools. It is therefore imperative at this stage that we understand the importance and role of standards, and the need to harmonise standards with the International and/or regional standardisation bodies.
What Global/Regional Standards should be chosen, harmonisation, and why it is necessary
Taking a leaf from the European Standardisation bodies CEN-CENELEC, in Europe, harmonisation means 1 standardised solution instead of 34 and whenever possible, Europe’s preference is to go for 1 global solution developed by ISO/IEC.
The objective behind adoption of harmonised or global standards is to avoid duplication of work, both at the International as well as at the European level. This also essentially means that having ISO/IEC standards-based solutions encourages competitiveness amongst manufacturers, opens global markets for trade and exchange of services, and brings economies of scale.
Harmonisation of standards is beneficial not only for the country, but also for all stakeholders around the world, as it ensures the quality and safety of products & services, thereby increasing reliability and safety and better satisfying customers’ expectations and requirements. Harmonised standards also result in reduced costs, by eliminating waste and improving efficiency, thereby saving government/private spending.
Harmonised standards help in opening global markets, ensuring compliance with national and international legislation/regulations, as well as providing knowledge about new technologies and innovation.
Due to their global competitiveness, European standards are adopted in 15 countries beyond CEN and CENELEC membership, as well as at the regional level in the Gulf. China, Mongolia, Kazakhstan, Georgia, Ukraine, Moldova, Belarus, Egypt, Tunisia, Morocco, Albania, Montenegro, Bosnia & Herzegovina, South Africa and Botswana have adopted many European rail standards.
In India, the railway standards and specifications for all the important verticals like communications, signalling, electric power system, rolling stock, etc. are aligned/referred/implemented 70% – 100% with European or Global standards.
As we progress towards the modernisation of the Indian Railways, integration with global standards / European standards is the most desirable way forward for Indian Railways to be on a par with its international counterparts.
A copy of Mr Sharma’s presentation delivered at the 8th International Railway Summit is available here
About SESEI:
The Seconded European Standardisation Expert for India (SESEI) project is supported and operated by the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (CENELEC) and the European Telecommunications Standards Institute (ETSI), as well as by the European Commission (EC) and by the European Free Trade Association (EFTA). Its general objective is to raise awareness of the European Standardisation System, values and assets in India.
SESEI’s mission is to enhance the visibility of European standardisation activities, increase the cooperation between Indian and European standardisation bodies and support European companies facing standardisation related issues hampering market access to India. The project also supports India in standardisation related aspects of its integration in the WTO trading system, by identifying all potential opportunities for enhanced international cooperation and global harmonization of standards. Ultimately, the SESEI project aims at reducing the Technical Barriers to Trade (TBT) both between EU and India and globally, thus supporting European and Indian industries by facilitating international trade.