Tunnel vision: Train security as critical as planes and automobiles

In recent weeks you’ve heard a lot of discussion around the cyber risks to aircraft and automobiles. After the Black Hat, DefCon and BSides conferences in Las Vegas, Nev., in July, it would seem that a great deal of necessary attention will be paid to the security of design and implementation of these two key critical transportation components. The cybersecurity volunteer organization I Am The Cavalry has created an awareness campaign (which I have signed on to and you should too!) aimed at automakers. Even prime-time television is getting into the act with the premiere episode of CBS’ hot new drama, Scorpion, focusing on the security of aircraft. But what of the trains?

America’s railroads account for 40 percent of intercity freight volume. Over three million cars filled with food, two million cars filled with chemicals and more than 70 percent of all the coal we use in America are transported by rail every year. Without rail, the economy is at risk. And if just one of those two million railcars filled with chemicals were to crash in your neighborhood, you’d have a risk of another nature.

“The Obama Administration is committed to improving our nation’s infrastructure, which is crucial for both creating jobs and remaining competitive in today’s global economy,” said U.S. Secretary of Commerce Penny Pritzker in July. In fact, President Obama has now signed Executive Order 13636 (EO13636), directing each of the critical infrastructure sectors to work more cooperatively to better defend themselves and the nation from cyber attacks.  

With Transportation Systems identified as one of the nation’s Critical Infrastructure Sectors, and with rail making up a large part of that sector, we cannot afford to overlook the security of our railroads, and our railroads cannot afford to overlook cybersecurity. While many IT-enabled components exist on the modern train, the biggest change in rail systems today is the introduction of Positive Train Control, or PTC.

PTC, a processor-based/communication-based train control system designed to prevent train accidents, is capable of automatically controlling train speeds and movements. Railroads now are required to install and implement PTC systems on rail lines where any poisonous or toxic-by-inhalation hazardous materials are transported, and on any railroad’s main lines where regularly scheduled passenger intercity or commuter operations are conducted. This covers more than 70,000 miles of track and approximately 20,000 locomotives in the U.S. While PTC is designed for safety, whenever we turn over control of thousand-ton rolling bombs that run through our backyards to computers and industrial control systems, we also must account for the introduction of the cyber threat.

Railroads have historically considered their computing, controls and communications to be proprietary, and therefore more secure. With today’s use of commercial off-the-shelf products and standard protocols, such as TCP/IP, yesterday’s “security through obscurity” defenses no longer are valid. Today’s railroads, especially with the rapid introduction of PTC, must adopt a stronger stance in the cyber defense of their critical infrastructure.  

Basic controls are a great place to start. Just like the SANS Institute’s recommended top 20 Critical Security Controls for enterprise computing, guidelines for PTC infrastructure should be implemented. Basics such as making inventories of devices and software, establishing trusted standard configurations, performing regular vulnerability assessments, segmenting life-threatening train and track controls, controlling full-spectrum radio-based access, limiting use of administrator privileges while enforcing need-to-know, performing regular security training, and conducting regular penetration tests all will go a long way toward improving security and engendering trust, but even that is just a start.

With rail such a critical component of a nation’s economic infrastructure, adversaries have developed more than basic attack scenarios in an effort to cripple a country. Custom zero-day malware designed solely to take over vital control systems, insider threats from willing and duped employees, and patient attack vectors from tier-two and tier-three ecosystem partners are now the norm in critical infrastructure sectors. These extraordinary threats, coupled with the extraordinary harm that could be caused to life and the economy, necessitate extraordinary security responses.

Just as automakers are hardening their cyber designs and ecosystems, it’s critical that the railroad industry proactively enacts advanced malware sweeps, architects insider-resilient systems and services, and establishes crystal-box security controls for all components of their ecosystem. While EO13636 provides the impetus, federal law enforcement has useful services, and several ISACs have relevant experience and infrastructure, it’s key that railroad boards and executives get ahead of this critical issue – before it’s too late.

This article is published as part of the IDG Contributor Network.