The rail industry is increasingly viewed as a viable target by cyber-criminals, and the stakes for effectively guarding against attacks are high, so how exactly do you stop a hack?
The importance of cybersecurity is made more significant with the move the industry is making towards digital, automated systems. While integrated networks undoubtedly offer a vast range of benefits, greater connectivity increases the ‘attack surface’ – the number of potential entry points – hackers can target. If a single vulnerability in one system is discovered, a hacker can exploit it to potentially compromise all systems on the network.
As demonstrated by 2016’s ransomware attack against the San Francisco Municipal Transportation Agency and the 2017 WannaCry attack, successful system breaches can inflict significant financial damage.
Intrusions often result in a system being taken offline, which inevitably causes delays and can also have knock-on financial consequences resulting from the loss of earnings, the work needed to resume normal service and the work undertaken to safeguard systems for the future. Those working within the rail industry also need to consider the legal implications of not taking cybersecurity seriously.
The NIS Directive came into force in the EU in May 2018, with new demands placed on operators, and the threat of significant fines for non-compliance; GDPR legislation may also have an impact, if customer data is stolen as part of an attack.
Transport operators therefore need to have adequate safeguards in place. Thankfully, by implementing stronger defences, they can detect attempts to enter a network early and, if blocking a specific breach isn’t possible, can eliminate, or at the very least minimise, any resulting financial impact.
Icomera has over 17 years’ experience in delivering onboard communications solutions within the transport industry. Cybersecurity is an extremely important consideration for the company, and one on which it is continuously working to monitor, test and strengthen network protection for its customers.
Time is critical
Knowing how to set up cyber-defences requires an understanding of the process behind a typical hack. It’s a common misconception that a cybersecurity breach is a discrete event.
In reality, a hack may take place over many months, with the hacker undertaking scouting, reconnaissance, preparation and coding of tools, prior to actually being able to compromise a system. Furthermore, once ‘in’, exploiting the hack may take many months. The hacker might use the first compromised system to launch attacks on other systems or may replicate their methods on other devices. If data theft is taking place, the data could take time to acquire and transfer. A typical hack may take over three months to detect, according to Mandiant Consulting’s M-Trends 2018 Report.
A key point to note here is that the financial damage from a hack increases over time – it’s not fixed at the point of the first compromise. More time allows for greater disruption, increases the number of affected systems, produces greater damage to the confidence of staff and customers, and increases the chance for data theft to take place.
Time is therefore a critical element in defeating an attack, and it’s important to recognise that a whole chain of events must fall into place for a successful attack to occur. Stopping the hack revolves around breaking this chain of events. Early discovery allows for a hack to be stopped in its tracks, minimising the financial impact.
Breaking the chain
Thankfully, solutions exist to disrupt or break the cyber-attack chain at every stage. At root, rail operators need to make sure they have robust security protocols in place. Henning Ankarudd, CISO and VP Digital Strategy at Icomera, states: ‘Businesses must take a systematic approach to managing sensitive information, so that it remains secure. Following ISO 27001 best practices by having an Information Security Management System in place and taking certain actions such as encrypting sensitive data, configuring user-management, keeping software up to date, carrying out security reviews and monitoring system logs, all help give businesses a solid foundation from which to build.’
In addition, by utilising vulnerability scanning tools and carrying out regular penetration tests, an operator can observe their system from a would-be hacker’s perspective, analyse the protection in place around a system, and probe for weak spots and potential security issues, such as configuration errors and unpatched software.
But more must be done than following basic security routines to effectively fortify a system. By building multi-layered lines of defence, in which various methods and tools are used together, a powerful protective web can be formed around a network.
Daniel Jaeggi, Head of Business Development at Icomera, says: ‘I like to think of cybersecurity like I do home security: I’ve got locks on my windows and doors but I need to check they’re properly locked when I leave the house; if someone is snooping around my garden, then I’ve got a CCTV camera to see what’s going on; if someone breaks in, my alarm will go off.’
Monitoring tools can scan for anomalous network traffic and attempts to access parts of a network that should be inaccessible. Similarly, intrusion detection software can be used to detect attempts to break into a system, picking up suspicious behaviour such as port scans and brute-force password attacks.
If a cyber-attack does happen, operators should have an incident response playbook on hand and ready to deploy. Automated rules can be set up to block suspicious traffic, ban malicious users or even shut down the Wi-Fi in case of a verified live attack. In terms of system architecture, it often makes sense to segment networks into granular security zones, minimising the risk of an attack spreading. Remediation processes should also exist to regain control of the system, shut down any entry points which were exploited and get a compromised network up and running again as soon as possible.
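The two detection cases named above (brute-force password attacks and port scans) and the automated block rule that follows from them, as an added example that is not Icomera’s code or part of the original article. The log format, thresholds and addresses are constructed for illustration; a real deployment would read the firewall or SSH logs of the onboard network and tune the thresholds to its traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real operator data): "timestamp source event detail",
# where detail is the username tried (auth events) or the destination port (connects).
SAMPLE_LOG = """\
2018-06-01T10:00:01 10.1.5.7 auth_fail admin
2018-06-01T10:00:03 10.1.5.7 auth_fail admin
2018-06-01T10:00:04 10.1.5.7 auth_fail root
2018-06-01T10:00:06 10.1.5.7 auth_fail admin
2018-06-01T10:00:09 10.1.5.7 auth_fail admin
2018-06-01T10:02:00 10.1.9.22 auth_fail alice
2018-06-01T10:10:00 172.16.0.9 connect 21
2018-06-01T10:10:00 172.16.0.9 connect 22
2018-06-01T10:10:01 172.16.0.9 connect 23
2018-06-01T10:10:01 172.16.0.9 connect 80
2018-06-01T10:10:02 172.16.0.9 connect 443
2018-06-01T10:10:02 172.16.0.9 connect 3389
2018-06-01T10:11:00 192.168.3.4 connect 443
"""

def _window_peaks(events, window):
    """Peak (event count, distinct detail count) from one source within any sliding window.
    Quadratic scan over (time, detail) pairs; fine for an illustration, not for line-rate logs."""
    peaks = (0, 0)
    for t, _ in events:
        recent = [v for t2, v in events if timedelta(0) <= t - t2 <= window]
        peaks = (max(peaks[0], len(recent)), max(peaks[1], len(set(recent))))
    return peaks

def detect(log_text, fail_threshold=5, port_threshold=6, window=timedelta(seconds=60)):
    """Return {source: [alert kinds]} for brute-force logins and port scans seen in the log."""
    failures, connects = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, src, event, detail = line.split()
        bucket = {"auth_fail": failures, "connect": connects}.get(event)
        if bucket is not None:                      # other event types are ignored
            bucket[src].append((datetime.fromisoformat(ts), detail))
    alerts = defaultdict(list)
    for src, ev in failures.items():                # many failed logins, whatever the username
        if _window_peaks(ev, window)[0] >= fail_threshold:
            alerts[src].append("brute_force")
    for src, ev in connects.items():                # many distinct ports, not one port repeatedly
        if _window_peaks(ev, window)[1] >= port_threshold:
            alerts[src].append("port_scan")
    return dict(alerts)

def block_rules(alerts):
    """Automated response from the playbook: one deny rule per flagged source."""
    return [f"deny from {src}  # {', '.join(kinds)}" for src, kinds in sorted(alerts.items())]
```

The single failed login from 10.1.9.22 and the repeated connections to one port from 192.168.3.4 are deliberately left unflagged: the rules look for volume within a time window and for breadth across ports, which is what separates an attack from ordinary user error.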
Finally, it’s vital for rail operators to learn lessons from any cyber-attack, and to adapt and improve their cyber-strategy moving forward. ‘Every hack will leave a trail which can be traced back, the dropped breadcrumbs providing valuable insights into the way in which the systems were exploited’, Jaeggi explains.
By investigating how and when a breach occurred, operators will be better equipped to deal with future break-in attempts. Operators must recognise that security is an ongoing and evolving process, in which the risks from new vulnerabilities can’t be taken for granted. No-one can afford to become complacent in thinking that a system is fully protected; a defensive measure which was effective today may not be tomorrow.
Unfortunately, even with a myriad of protective measures in place, the reality is that you won’t always be able to stop every hack. Those carrying out system intrusions are doing so with ever more guile, persistence and sophistication, and there is always the possibility that they will find a way to gain unauthorised entry.
Nonetheless, there are a wide range of actions operators can carry out to strengthen and improve their system defences, breaking the chain of preparatory events a hacker must undertake and reducing the risk of financial damage by reacting quickly. By deploying additional cybersecurity tools and proactively monitoring system defences on an ongoing basis, operators will become better equipped to protect against, detect, respond and recover from cyber-attacks in the future.