Are Railroads the Next Infrastructure Attack?

We already know that water plants (another one in Kansas was attacked this week), power and healthcare are under constant attack. The industries and the government are paying attention to these with some limited success, but at least it is on everyone’s radar.

One sector that has tried to stay out of the spotlight, but which could have a very serious impact if compromised, is the rail industry. If the trains stop running, millions of tons of freight come to a screeching halt. Hopefully trains won’t crash into each other, but sometimes that happens even without a cyber attack.

Until a couple of years ago the government didn’t bother to regulate rail and the industry liked it that way.

But, in 2022 the Transportation Security Administration issued the first ever cyber regulation for rail. While the rules are simple – like patching requirements and access controls – it is a start. The TSA tried to put some lipstick on the pig and said the industry has a long track record of efforts to secure their networks, but I am pretty skeptical.

BUT the biggest challenge for rail, just as for every other sector that uses it, is its reliance on operational technology, AKA Industrial Internet of Things or IIoT.

The industry will likely have to redesign a lot of its train control systems to keep the bad actors out. That takes time, money, talent and desire.

At one point in time we tried to isolate IIoT from the rest of the network – the so-called air gap – but now, with all of the automation that is in place, that is either a pipe dream or a nightmare and cannot happen in reality.

The attacks have already happened, although infrequently. New York’s MTA was hacked in April 2021. In the same month the Santa Clarita Valley Transportation Authority was hit by ransomware, and in 2020 the Southeastern Pennsylvania Transportation Authority was hit by a ransomware attack.

Last year the TSA issued regulations which will expire in a couple of months that require the industry to disclose hacks, create an attack recovery program and name a chief cyber official. I assume that they will replace these rules with something new based on what they learned in two years, but they are not saying yet.

The White House’s Anne Neuberger hosted a classified briefing for rail execs last month to discuss what the feds know but is not public (that is scary by itself).

This is definitely a work in progress; the question is whether the progress will stay ahead of the hackers and that is an unknown.

Credit: The Record
