Sam Sherwood-Hale spoke to Amir Levintal, CEO of Cylus, about cyber security, BREXIT and how TOCs and others can protect themselves
Amir Levintal is Chief Executive Officer at Cylus Cyber Security. He has over 20 years of experience in managing hardware, software and cyber R&D in the IDF Intelligence corps. In his last role, he led a cyber division managing cutting edge research and development, delivering complex multi-disciplinary products under tight schedules.
How important is cooperation within the EU to cyber security?
As opposed to physical attacks, geography and borders are meaningless in cyberspace. Threat actors anywhere in the world can take control of rail systems. The best way to deal with this emerging global threat is to join forces and to design a comprehensive and practical cyber security strategy.
In 2016, the EU made the first major step toward securing its critical infrastructure by issuing a directive for securing the essential services, called the Network and Information Directive (NIS). The directive gives EU member states until May 2018 to pass laws in the spirit of the directive. The most important provisions of the directive are the requirements to implement cyber security measures, safeguarding member states’ critical infrastructure and to build a process of sharing information between countries in the EU regarding cyber incidents.
The EU’s railway infrastructure is unique and much more complex since trains run between countries. Since several countries share the same path, if a hacker successfully attacks a train in one country, there is a high likelihood of being able to move laterally towards other countries. Implementing the NIS is vital to mitigating the cyber threats in this connected and complex network architecture.
How do you predict this will change after BREXIT?
The cooperation between the UK and EU is mutually beneficial in the struggle against cyber threats. In 2017, the UK government confirmed that the NIS will be implemented in the UK despite Brexit, and the government has announced stiff fines for violators. I assume that this trend of cooperation in cyberspace will also continue in the long run.
What sort of plans should be discussed now in order to make sure measures are in place to protect us in the future?
Cyber security is about technology, processes and people. Technology-wise, security by design should be implemented by the vendors of new components that are being deployed. In parallel, since the life cycle of components in the rail industry is 20 to 30 years, security measures on the operational networks should be implemented to protect the network as a whole and also to secure legacy and new technologies which are not secured by design.
In addition, rail companies should develop and maintain processes related to cyber security. For example, rail companies should have incident response plans that clearly lay out what measures will be taken in a variety of situations, whether it’s a suspected cyber incident, a proven incident, or even an incident in another country that could spill over.
Lastly, cyber security is strongly influenced by the performance of the people in charge of the railways. Rail companies should raise awareness around the importance of cyber security, train relevant employees at all levels, and perform exercises to verify readiness in the event of a cyber-attack.
What are the day-to-day threats that commuters and commuter rail services face?
Cyber-attacks on the rails could have a wide range of consequences. Service disruption is among the most obvious, and even mild to moderate service disruptions can do serious economic damage. Even more disconcerting is the possibility that malicious actors could hijack rail systems and wreak serious damage, potentially causing human casualties.
Where are these threats coming from?
There are several sources that create these kinds of threats and allow threat actors to penetrate a network.
One of them is misconfiguration. It is difficult to maintain a complex network, and it is reasonable that there will be unplanned connections between the operational network and other networks due to configuration malfunctions. Wireless signaling might also be a threat. The new signaling standards and technologies are based on a wireless channel to control the trains. Wireless communication may be intercepted over the air and might also be used as an attack vector.
An insider is a person with authorized access, who uses that access, wittingly or unwittingly, to penetrate the network through data modification to create a backdoor, malware injection, etc. Rail companies employ thousands of employees and several service providers, so they are a good substrate for insider recruitment.
Furthermore, operational networks consist of different subsystems which usually include equipment developed by different vendors. The fact that each product within the network has been evaluated and is considered secure doesn’t mean the whole network is well secured.
What can TOCs do to mitigate these threats?
TOCs and infrastructure companies can incorporate cyber security solutions to detect traces of cyber-attacks in their early stages. Rail operators should implement a multi-layered, in-depth defense strategy to deal with breaches.
The first step of this strategy is to secure the network level, establishing visibility to detect attackers who work within the network. The next step is to have properly secured components on the edges of the network. If a threat actor penetrates the network, he or she will be discovered at an early stage of the attack.
Rail companies should adopt security cultures based on technologies, processes and people. Any solution must account for new connected technologies, including wireless communication for signaling, remote monitoring, and others. The complexity and connectivity of rail networks is what makes them such high-value targets for threat actors.
An additional challenge to consider is that railways often rely on the convergence of legacy technologies and new technologies, and a one-size-fits-all cyber solution therefore cannot suffice for the rails.
Finally, given that threat actors could exploit passengers (hacking their data, for instance) as attack vectors, it is crucial to integrate advanced services for a secure passenger experience.
What strategies would you like to see rail operators adopt?
Infrastructure companies and operators are the main stakeholders, and therefore we expect that they will lead the way among all parties, including regulators, network managers, and all relevant manufacturers. Beyond that, it is critical to implement a policy of education and awareness surrounding cyber threats, while instilling clear-cut procedures and discipline among employees, suppliers, and consumers.
Since railway systems traditionally operate very conservatively, it is important that they develop an approach for responding to rapidly evolving cyber threats. This may require rethinking organizational roles. Companies that appoint a C-level executive to oversee this challenge are much better equipped than companies that lack the mechanism and the authority to make bold moves within the company and with external partners.
How have cybersecurity threats evolved in recent years?
As new connected technologies have been integrated, rail companies are more connected than ever. That also means they’re at more risk than ever of potentially disruptive cyber-attacks.
From the threat actor’s point of view, this leaves open many potential vulnerabilities to exploit. Bad actors also have much more access to resources and information to help them compromise rail companies’ cyber systems, particularly with respect to information on vendors’ websites and public tenders, as well as the ability to gain access to insiders through phishing attacks.
Which companies and countries are currently, in your opinion, taking the right steps in the fight against cybersecurity threats?
The EU deserves recognition for taking comprehensive steps to mitigate the threat by setting directives, establishing groups of experts and more. But these are macro steps, and it will take time to see their impact. The threats are already here, even though cyber threats are sometimes not as tangible as physical threats, and the rail companies should take internal actions to secure their networks, whilst also facilitating an umbrella strategic process from the EU.
Which areas do you think are most at risk?
As opposed to physical threats, cyber-attacks have no borders and therefore everyone might be at risk. Since every rail company has different risks and threats, in order to estimate any potential risks, it’s very important for companies to perform professional cyber risk assessments.
What sort of security does Cylus offer?
We provide rail companies with a product-based solution to detect traces of an attack in its early stages. By analyzing the network as a whole from the threat actor's point of view, we can adapt our solution to the specific needs of the customer.
Our solution detects traces of attackers, and we raise alerts in case of signs of cyber-attacks, together with actionable insights to mitigate those attacks. We think that visibility is the key to preventing cyber-attacks, and we have developed our solution to do just that.
What does Cylus hope to achieve in the rail sector?
Cylus provides a comprehensive cyber security solution tailored to the specific needs and infrastructure of rail companies, and we support them over time, enabling rail companies to respond in real time to emerging threats.
We aim to be a partner in developing strategic cyber security approaches by all stakeholders, including rail companies, standard organizations, and regulatory authorities. No less important, we promote awareness of cyber threats and help railways adapt their cultures to their needs in this arena.
What is your personal background in cybersecurity and security threats in general?
My 22 years of service in the elite technological unit of the Israeli intelligence corps was a world-class education in understanding modern threats and how to develop sophisticated, full-spectrum responses to them.
In my latest role, I served as director of the R&D Cyber division, leading 150 cyber experts and software engineers. During my military service, I managed multiple complex cyber projects throughout the complete life cycle, from entrepreneurship through R&D to operation and maintenance, and led cutting-edge R&D from diverse technological areas.
The employees in the company have vast practical experience in the cyber domain from their military service, from high-end research to strategy, and they've developed a deep understanding of cyber from both an offensive and a defensive perspective.