
Rail Cybersecurity is a Journey, Not a Product
Learnings from Wabtec’s cybersecurity collaborations
Introduction: More than cybersecurity mandates
Long before the TSA issued Security Directive 1580/82-2022-01 to help reduce risks posed by cybersecurity threats on critical rail operations, rail operators proactively banded together to form the Rail Information Security Committee (RISC) and tackle cybersecurity concerns as an industry.
Yet even with this laudable head start, rail cybersecurity remains a work in progress as operators and their ecosystem partners grapple with the complexities of making a vast, mainly legacy infrastructure more resilient and secure.
A big part of the challenge, one rail shares with industrial players at large, is that implementing cybersecurity measures at scale isn’t simply an information technology (IT) problem – it’s also an operational technology (OT) one. There is no single security software vendor with a plan, patch, or solution for the extensive mix of physical and digital assets that comprise today’s rail fleets.
There is no silver bullet.
Developing and evolving the right set of cybersecurity solutions for the rail industry is going to take time and collaboration among carriers and vendors who know the industry best – and an approach rooted not simply in software acumen, but in a deep understanding of operational technology, some of which predates the Internet.
Getting started
A big part of accomplishing this task will be understanding that big fixes take time – and need to be implemented with great care. While it is tempting to think that bolt-on security solutions can make rail operations more ‘compliant,’ short-term fixes for challenges with long-term safety and security implications won’t cut it.
One major implication of bolt-on solutions is that they are difficult to manage and maintain, making them more costly to operate over time. The most efficient way forward is to think through the problem thoroughly up front and design solutions that will stand the cybersecurity test of time.
“Railroads have a lot on their plates when it comes to cybersecurity,” says Susan Peterson Sturm, Senior Director, Cyber Product and Strategic Partnerships at Wabtec. “The TSA is mandating security capabilities that aren’t organic to the original physical and digital assets in their networks, and the security stack that is emerging now for the enterprise isn’t suited to the realities and rigors of rail operations. That said, the rail industry is experienced at rolling up its sleeves and working with its partners to meet big challenges. Just look at what we accomplished together in developing Positive Train Control (PTC).”
Setting standards, establishing frameworks
One catalyst helping spur rail cybersecurity solution thinking and development is the establishment of standards and frameworks well matched to meeting regulatory demands. These standards and frameworks provide rail operators and their ecosystem partners a common language and point of reference for planning and executing cybersecurity measures.

For example, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), a voluntary set of guidelines, standards, and best practices, is structured around six core cybersecurity functions – Identify, Protect, Detect, Respond, Recover, and Govern. This framework has emerged as a useful guide for railroads to improve their cybersecurity posture.
The ISA/IEC 62443 series of standards is another resource influencing rail cybersecurity solution development. Specifically, these standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). Wabtec has worked quickly to achieve IEC 62443-4-1 certification for its secure product development processes, a nod to its customers that it, too, is committed to the highest cybersecurity standards, both in its approach and new product delivery.
The company also actively participates in industry standards groups such as CENELEC TS50701, IEC 63452, and UNIFE to support cybersecurity in digital rail innovation. This collaborative effort enables Wabtec products to meet evolving industry requirements.
“We recognize that being compliant to a standard isn’t synonymous with an organization being secure,” notes Peterson. “Yet adherence to standards and frameworks does help, and it does matter, because an ad hoc approach to cybersecurity simply won’t scale.
“Today, the rail industry is in the process phase of meeting its cybersecurity mandates. We are deeply involved in that process – listening to our customers and adhering to industry standards and frameworks – which will improve everyone’s chances of making the execution phase – from new software development to implementation – that much stronger and more effective.”
Design In, Design Out
Augmenting a standards-based approach, Wabtec is championing a set of design and engineering principles to further refine how the industry develops solutions to deliver on cybersecurity promises. First and foremost among these principles is “Design in, Design Out.”

“Design In” builds on practices such as Secure by Demand and Cyber Informed Engineering to “make security a core consideration from the earliest stages of the product development lifecycle” (Source: CISA). When rail operators engage manufacturers and service providers of cyber physical assets early in their product development cycles, chances are higher that security can be maintained for longer durations at less cost across rail operations.
“Design In” is ultimately about intentionality – building cybersecurity into products from inception.
“Design Out” is also about intentionality, but it focuses instead on easing the time, cost, and burden of maintaining security solutions once they are in operation. The goal of Design Out is to reduce security and operations complexity, so that the solution actually gets used – and used correctly – and is also properly maintained. (For more on Design In and Design Out principles, see the whitepaper.)
It takes a program
As much as “Design In” and “Design Out” thinking must, and will, play a prominent role in rail’s cybersecurity future, the industry can’t simply fast forward to greater resiliency through software innovation. Getting to ‘resilient’ is going to require an extremely thorough approach, one that fully accounts for the interdependencies of legacy rail assets.
For example, one rail operator found that changing secure shell (SSH) passwords on controllers unintentionally broke infrequently used scripts, leading to intermittent and significant interlocking outages for months. Such unintended consequences are a clear reminder of the interconnectedness of rail operations and why a ‘proceed with caution’ ethos in cybersecurity, one built on the bedrock of thorough planning and staged rollouts, will best serve railroads and their customers.
Wabtec has embraced such an approach, focusing first on developing a cybersecurity ‘program’ vs. cybersecurity ‘solutions’ (though those solutions are forthcoming). In developing its program, Wabtec has focused on developing a best-in-class rail cybersecurity team, one with deep experience in both rail and industrial automation, led by Larry Lowe, Chief Product Security Officer. The company has also studied industrial cybersecurity frameworks and achieved key certifications, rooting itself in a standards-based approach to strengthening rail’s cyber defenses.
Most importantly, Wabtec has listened to its customers, committing to collaboration as a key tenet of cybersecurity problem solving. Chief among its findings:
- Achieving cybersecure rail operations is going to take a village. This is not a job for a single vendor. As such, carriers should look to partner with solutions providers who know how to partner and win in this industry.
- Cybersecurity should deliver operational benefits, not just protection. In rail, cybersecurity isn’t an add-on – it’s an enabler of safer, more reliable, and more efficient operations. From minimizing unplanned downtime to streamlining secure remote access and reducing manual interventions, smart cybersecurity investments can boost network availability, speed up recovery times, and improve overall system performance.
- Embrace open systems. When it comes to cybersecurity solutions, rail operators want to avoid vendor lock-in. Open systems approaches, ones that will be able to fold in the best new breakthroughs, no matter who develops them, will keep operators on the most efficient cybersecurity path.
- Design In and Design Out principles for cybersecurity bring resiliency concerns and expertise into the beginning of solution development – where they belong – while recognizing the importance of the time and effort to support these solutions once they are implemented.
- Legacy matters. Today’s rail networks are comprised of many assets, both old and new. Making them more resilient will require more than IT innovation; it will necessitate extraordinary operational technology IQ. Working with partners who understand legacy assets and their many interdependencies is paramount to success.
- Take a holistic, standards-based approach to cybersecurity. No one should have to re-invent the cybersecurity wheel. Leveraging established best practices will lead to quicker wins and more scalable solutions.
Wabtec and Mandiant, a Google company specializing in cybersecurity services, have teamed on a new whitepaper, “Innovating in Rail Cybersecurity: Planning and Design Perspectives to Enhance Operational Efficiencies.”