There’s little dispute that the growth of the World Wide Web and the internet which has relied on it for more than two decades has transformed our society. The internet has been especially impactful during these trying times when an infectious disease has many of us working from home or reaching out to family and friends in ways no other form of electronic communication allows. Unsurprisingly to security professionals, however, the internet is not an unalloyed good. Many components of our national critical infrastructure, including surface transportation such as railroads, increasingly depend on the internet to carry out operations. Meanwhile, no threat confronting the nation has grown as quickly as the danger from cyber threats and protecting the country’s rail transportation networks from them is vital.
Rail’s Crucial Transport Mission
The United States is a vast territory, with the “Lower 48” states comprising an area of more than 3.7 million square miles. Add in Alaska’s more than 663,000 square miles and the U.S. is easily larger than all continental Europe by hundreds of thousands of square miles. In fact, there are 11 states which are larger than the entire United Kingdom, and many other European countries are also much smaller – both in land area and population — than some of our states. With a population currently exceeding 330 million people, the U.S. relies on a gargantuan transportation network to convey the goods necessary to keep all of us fed, clothed, healthy and safe. Rail is vitally important in this regard. But why?
Rail is Irreplaceable
Annually, U.S. railroads transport over 2 billion tons of freight across the nation, including Alaska, on more than 140,000 miles of privately owned rail infrastructure. Consider that without rail we would need an additional 120 million trucks, which would clog public roads and burn four times more fuel, all of which would end up in the atmosphere as smog or CO2, just to transport the amount of freight rail moves on a routine basis. Any large-scale disruption to rail transport, then, would soon enough have potentially devastating effects on many communities. In short, those cities and towns depend on rail’s ability to economically, quickly and safely deliver an endless variety of vitally needed goods to railheads and freight depots near them.
Without rail service, the quality of life in many parts of the United States would decline, and sometimes greatly so in more rural areas where rail lines have been a fact of life since the mid-1800s. It is therefore no surprise that those with bad intent – whether for economic or terror-related reasons, or simply because they want to commit mayhem – want to disrupt rail transportation by attacking the cyber networks which keep everything running efficiently.
Securing Rail Networks
Every form of transportation network within our critical infrastructure requires varying degrees of protection, both physically and digitally, from those with bad intent. It might surprise many people not involved in transportation security that the Transportation Security Administration’s mission also extends to freight and passenger rail. TSA works with a variety of other security and intelligence agencies to safeguard U.S. rail against evolving terrorist threats, including helping railroads defend against cyber threats. Additionally, a few highly skilled private security consulting groups work with railroads to help them “harden” their cyber networks.
Rail Vulnerabilities
Rail has been built on what’s known as a “distributed network architecture”. Rail’s many electronic components and industrial control systems – which now work through the internet – are spread across an endless combination of rail lines and rolling stock such as locomotives and railcars, as well as those industrial control systems, which are known as operational technologies, or OT.
Plus, over the last decade, railroads have become increasingly reliant on “smart rail” and “Internet of Things” (IoT) systems which could make them more, not less, vulnerable to cyberattacks and hacking attempts.
U.S. rail critical infrastructure has already been the subject of cyberattacks, with varying levels of severity and frequency. For example, a cyberattack in November 2016 took place against a municipal light rail system over two days and created significant passenger transportation disruption. The attack is believed to have originated with hacker groups supported by a foreign government hostile to U.S. interests.
Multi-Faceted Approach
Railroads did not become as successful and vital to the nation as they are by being dumb, and they realize their electronic networks could be threatened or even attacked, so no rail system is taking the threat lightly. Working with TSA and certain private security consulting groups, railroads have been taking a multi-faceted approach in implementing security techniques and practices to protect themselves from cyberattacks such as the one highlighted above.
Protection of U.S. rail networks is driven by intelligence and is risk-based, which requires that all networks be examined for vulnerabilities and the risks those weaknesses may create. Rail cyber networks at higher risk of attack will receive more attention than those at little to no risk of attack, either because those networks aren’t important to rail operations or because they’re sufficiently protected from threats.
The result is a menu of critical infrastructure protection activities which include security awareness, information and intelligence sharing, detection and deterrence and a whole host of hardening measures to keep cyberattackers and hackers out of rail’s electronic networks – such as data control centers and train operations facilities.
IT and OT Challenges
According to leaders at the Chertoff Group, an internationally recognized leader in security and risk management advisory services, a real challenge for rail when it comes to security is when its information technology (IT) systems are connected to its OT systems, such as when computer networks are operating railroad industrial control systems. Historically, such OT systems have not been designed with the same secure network “backbone” or foundation configurations and attack detection systems as IT systems have, mostly because rail has only been subjected to cyber threats relatively recently while attacks against IT networks began almost as soon as the first network was created decades ago.
U.S. rail has had to play catch-up, in effect, when it comes to hardening its systems. However, the fact railroads and their network professionals have been working diligently with TSA as well as taking on the services of players in the cyber security realm, such as Chertoff, speaks volumes about how seriously such matters are being taken.
Building for the Future
The U.S. Bureau of Transportation Statistics predicts steady growth for U.S. rail through the year 2045, so rail is only going to grow more important over the next 25 years. Digital technologies, including electronic networks which help operate U.S. rail, are also expected to continue their growth. More and more activities than ever before are now being operated and overseen by cyber systems, and protecting it all against tactics, techniques and procedures (TTP) wielded by cyberattackers and hackers is vital.
All electronic systems operated by U.S. rail, especially its IT and OT systems, must be built with the future in mind and, unfortunately, also with the idea that rail’s system architecture must be protected against attacks originating in cyberspace. The cost of sufficiently hardening any electronic network against attack can also be significant in some cases, both in terms of intelligence gathering, security awareness training of personnel, threat detection and threat deterrence, and in hardware and software solutions. But given the billions and billions of tons of vital freight transported across the country, as well as the millions of passengers traveling via rail every year, U.S. rail will continue to take cyberattacks seriously and to design protections into their systems to diminish and even eliminate the likelihood of such attacks in the future.
