Cyber crime has become a lucrative business, and the threat it poses is constantly evolving, forcing railway operators to continually adapt their threat abatement strategies. Much of the discussion around cybersecurity tends to focus on technological methods to address these threats.
This is not particularly surprising, as technology is at the heart of the digital transformation that railways are undergoing. The adoption of IP-based networks and Internet of Things technologies are enhancing safety, increasing operational efficiency and improving the passenger experience, which are all net positives. Yet these developments increase the vulnerability of railway operations to cyber attacks.
Unfortunately, there is no easy technological fix for this problem. It has become clear that multiple layers of protection, both technological and procedural, are required to keep trains running. But where to start?
Nokia recommends that railway operators consider implementing a security life-cycle strategy, applying a combination of technical solutions and enhanced security practices or processes. They should also explore moving from legacy, reactive security infrastructures (detection and response) to a more proactive stance. Nokia has found the security orchestration, automatisation and response model, introduced by Gartner, to be a particularly effective approach.
Evolving regulatory landscapes
There are multiple factors driving railway operators to develop cybersecurity strategies. Notable among them is regulatory pressure: failure to prepare adequately for cyber-security threats is itself a substantial risk.
Regulations such as the European Union’s Network & Information Security Directive demand that comprehensive protections be put in place, and failure to do so can result in substantial penalties. While the interpretation of NIS can vary from country to country, it is clear that certain fundamental standards need to be met and maintained. That said, keeping these preparations up to date in the face of a fast-evolving regulatory and threat environment is no small task.
Monitoring and mitigation
Any successful plan will depend on the ability to detect risks, ideally in advance, and mitigate threats. Real-time monitoring and reporting capabilities are a baseline requirement to enable security teams to track and respond to emerging events.
This is where SOAR comes into play, providing the necessary tracking and analysis capabilities. These solutions can deliver a variety of benefits, notably the elimination of unauthorised access and mis-configuration, faster root cause analysis, faster response times through the application of pre-defined rule books, and simplified and standardised reporting to national or regional incident response teams.
Nokia’s SOAR solution, NetGuard Security Management, can interact with technologies from a variety of providers that collect data and/or trigger specific actions. Through the application of advanced analytics and machine learning techniques, NetGuard Security Management can provide complex correlation and detection capabilities for precise security risk prediction and later root cause identification.
Similarly, customisable dashboards with powerful search and reporting capabilities can be optimised for the individual needs of security management teams. Automated workflows facilitate the investigation and mitigation of threat incidents, enabling specialists to accelerate their response.
Access and configuration management
One of the classic vulnerabilities that railway operators face is unauthorised access to their systems, through human error such as the use of weak or stale passwords. Eliminating this security hole is critical, and this requires robust and consistent security policies to be coupled with automated, network-wide security measures such as password aging and complex password requirements.
Security can also be improved through the use of unified access security policies across the network infrastructure, such as the implementation of identity management systems for privileged users of critical networks. Techniques such as comprehensive video and text logging enable railway operators to better track who has accessed the network, and when, to help identify and eliminate ‘back doors’. This long term forensics capability is often also required by regulators.
Improper configuration of systems can also lead to vulnerabilities. Automated configuration audits can help to identify and address these risks, providing much-needed peace of mind for operators. A key element of such audits is the implementation of fully automated error identification, which can eliminate time consuming manual processes and make for more effective troubleshooting.
The Internet of Things promises to transform railway operations. The billions of ‘things’ that will be connected (sensors, cameras, meters, monitors, actuators, controllers) have essentially the same security requirements as mobile phones, computers and consumer electronics devices.
However, the autonomous operation of IoT devices introduces additional security challenges that are not fully addressed by conventional security management. The vast majority of IoT devices are unmanned and may not even have a conventional user interface. Also, many are meant to operate unattended for extended periods of time.
For devices that are part of a mission-critical application, alerts or faults must be processed in real time, and corrective actions initiated automatically, to ensure seamless service continuity. Fortunately, state-of-the-art security tools can monitor network traffic generated by IoT and warn of abnormal behaviours.
Because many IoT devices do not have the capability to regularly share information with the network, it is essential that these devices be properly identified and certified at the time they are deployed. Existing 4G LTE networks, and emerging 5G networks are designed with certificate management systems to perform this function.
Developed as an open, multi-vendor framework that can integrate a wide array of devices from a potentially limitless number of suppliers, the certificate management capability built into the LTE standard is particularly well-suited to the challenge of securing IoT devices.
Humans and machines: a perfect combination
When it comes to addressing the challenge of railway cybersecurity, a strong combination of security technologies and well-established and yet dynamic management practice is essential. Cybersecurity threats are ultimately directed by human actors, and railway personnel have a critical role to play in mitigating those risks. Providing them with up-to-date, state-of-the-art tools to defend these systems is an important contributor to keeping trains running.