Cyber Attacks Targeting Rail Systems

Jesus Molina

20 July 2020

Jesus will discuss how to secure critical rail infrastructure from cyber attack in a forthcoming IRS Rail Webinar on 28 July.

Cyber attacks have disabled ticketing systems for several passenger rail operators and forged track switching signals as well. Much more sophisticated cyber threats are currently targeting other industries – seeing these threats in rail is only a matter of time. This is unacceptable – safe operations are possible only if we are secure from cyber threats. The same is true for reliable and efficient operations. In this article we explore modern cyber attack techniques targeting industrial operations and project how those techniques will evolve in the medium term, given the trends we see in other industries.

Let’s start with targets: vital networks for rail systems are target rich and getting richer. Rail system digitalization steadily introduces more computers into our systems, all running software, and all software is a target. All software has defects after all – nobody produces flawless software, and some defects are security vulnerabilities, discovered and undiscovered. Worse, increased digitalization demands increased connectivity for all those software assets, and every connection that allows any message or information to flow allows attacks to flow as well.

Now to threats: the most pervasive threat is common malware. Malware that infects consumer cell phones and laptops seeking to steal consumer credit card numbers or account passwords is a pervasive threat, with limited consequences. Such malware may trigger shutdowns if it compromises vital computers through an email or a USB drive, but the malware is not designed to damage operations. Common ransomware is a bigger threat. Ransomware is designed to render computers inoperable by encrypting important information and extorting money to restore the data. Such malware does impair operations, and restoring operations in the face of such compromise can be much more involved than saying “just restore from backups.”

The most sophisticated ransomware threat, however, is targeted ransomware. This is where an adversary does their homework, crafts very convincing false emails, and steals remote access credentials. These adversaries might steal credentials from rail system operators, or more recently in other industries, steal these credentials from smaller and less-thoroughly-defended service providers – providers who are trusted to access operations networks remotely, and who might even have continuous VPN connections into such networks from the providers’ premises. Once inside their targets, these attackers use so-called “pass the hash” and other techniques to steal even more valuable credentials. These attackers frequently create new accounts for themselves, so that even if the passwords they stole originally are reset, the new accounts are unaffected.

With powerful credentials in hand, these targeted attacks spread through a network until they reach what they deem to be a target important enough for their victims to pay a large ransom to restore. This is when they plant their ransomware on dozens of hosts at once and trigger it, crippling operations and demanding up to several million dollars at a time to decrypt their targets.

There are two important lessons here. First: many operators new to cyber security have the impression that security updates, encryption and firewalls will save them from this class of threat. This impression is mistaken. These security measures provide a degree of protection from common malware, but not from targeted attacks. If we re-read the attack description above, we observe that:

• Victims pulled forged emails and/or attachments through their corporate firewalls over encrypted connections. Firewalls do not block authorized traffic, nor does encryption.
• Attackers’ connections to their compromised computers are generally encrypted – over the HTTPS protocol, or over a supplier’s VPN. Cryptosystems encrypt attacks as readily as they encrypt legitimate communications.
• The attackers used stolen credentials to move around their target network – they did not exploit defects or vulnerabilities in software systems.

In short, modern attacks exploit permissions, not vulnerabilities.
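The account-creation and lateral-movement steps described above leave a distinctive trail in Windows Security logs even though no vulnerability is exploited. As an added example that is not part of the original post, the following detection rule runs over constructed sample records shaped like Windows Security events (IDs 4720 user created, 4728/4732 member added to a group, 4624 logon) and flags an account that was created, then granted a privileged group, then used for network logons on several hosts; the host and account names are made up.

```python
from collections import defaultdict

# Constructed sample records in the shape of Windows Security log fields
# (not real telemetry). Event IDs: 4720 user created, 4728/4732 member added
# to a global/local group, 4624 logon (logon_type 3 = network logon).
EVENTS = [
    {"ts": 1, "id": 4720, "host": "DC01", "subject": "vendor-vpn", "target": "backup-svc"},
    {"ts": 2, "id": 4728, "host": "DC01", "subject": "vendor-vpn", "target": "backup-svc",
     "group": "Domain Admins"},
    {"ts": 3, "id": 4624, "host": "OCC-HMI01", "target": "backup-svc", "logon_type": 3},
    {"ts": 4, "id": 4624, "host": "OCC-HMI02", "target": "backup-svc", "logon_type": 3},
    {"ts": 5, "id": 4624, "host": "FILESRV01", "target": "backup-svc", "logon_type": 3},
    {"ts": 6, "id": 4720, "host": "DC01", "subject": "hr-admin", "target": "new-hire"},
    {"ts": 7, "id": 4624, "host": "WS-HR12", "target": "new-hire", "logon_type": 2},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def find_suspicious_accounts(events, min_hosts=3):
    """Return accounts that were created, then added to a privileged group,
    then used for network logons on at least min_hosts distinct hosts.
    Only events after the account's creation are counted, so a long-lived
    admin account that touches many hosts is not flagged by this rule."""
    created = {}                 # account -> (creation ts, creating subject)
    privileged = set()
    hosts = defaultdict(set)     # account -> hosts with post-creation network logons
    for e in sorted(events, key=lambda e: e["ts"]):
        acct = e["target"]
        if e["id"] == 4720:
            created[acct] = (e["ts"], e["subject"])
        elif acct not in created:
            continue             # pre-existing account: outside this rule
        elif e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            privileged.add(acct)
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            hosts[acct].add(e["host"])
    return [
        {"account": a, "created_by": created[a][1], "hosts": sorted(hosts[a])}
        for a in created
        if a in privileged and len(hosts[a]) >= min_hosts
    ]


if __name__ == "__main__":
    for f in find_suspicious_accounts(EVENTS):
        print(f"ALERT: new privileged account {f['account']} (created by "
              f"{f['created_by']}) logged on to {len(f['hosts'])} hosts: {f['hosts']}")
```

The rule deliberately ignores the "new-hire" account, which was created legitimately and only used for an interactive logon on one workstation.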

It gets worse. The second lesson: many security practitioners look backwards at attack patterns, reasoning that, because few targeted ransomware attacks have impaired rail operations historically, protecting against such attacks should be a low priority. The problem with this logic is that it ignores clear trends: high-volume cyber attacks have become steadily more sophisticated over time.

These “exploit the permissions” targeted attack techniques were, only a half decade ago, thought to be used exclusively by nation-state adversaries. Today they are used routinely by organized crime, with a steadily increasing volume and variety of victims. Targeted ransomware is too profitable for organized criminals to give up any time soon. This means that today’s “ultra-sophisticated” nation-state capabilities, able to defeat intrusion detection, two-factor authentication and other software security systems, will almost certainly show up as widespread, targeted threats in another half decade.

Rail system operators cannot afford to throw out and redesign vital networks for control centers, power management, switching systems and rolling stock every half decade. We need practical, cost-effective security systems today – systems that will survive even very sophisticated attacks, for the foreseeable future.

Robust, practical and cost-effective designs are already in use, and these designs prevent cyber attacks much more reliably than do intrusion detection, encryption, firewalls and security updates. To explore how these designs achieve such goals, please sign up for one of our upcoming webinars, or download the latest Waterfall eBook at https://waterfall-security.com/rails-occ/


About the author

Jesus is Waterfall’s Director of Industrial IoT. He is a security expert for the Industrial IoT with years of experience in both OT and IT security and also co-leads the Security Working Group at the Industrial Internet Consortium.

Mr. Molina started out developing firmware attacks, worked in Trusted Computing and developed several patents on hardware-based intrusion detection and authentication. He has published many research papers and articles (1732 citations and counting) and opened a consulting company working on offensive security, including kill switches for smart meters, building security infrastructure, IoT security and IIoT security, and co-organized the IoT Sandbox at the RSA conference. His research has been echoed by many publications, including Wired and The Register.

Currently focusing on manufacturing, rail and aviation OT/IT integration, Jesus holds an M.S. and a Ph.D. from the University of Maryland.