Recent developments in rails cybersecurity
Recent developments in rails cybersecurity
By Jesus Molina
Alstom’s recently published white paper on rail cybersecurity provides much needed information about the current attack threat, upcoming standards, and security requisites associated with safety. The paper also gives voice to leading experts in the field, such as Christian Schlehuber, who is responsible for the cybersecurity of operational technologies at Deutsche Bahn, and Serge Van Themsche, representing Cylus, which is one of Waterfall Security Solution’s rail partners. One of the most interesting aspects of the paper is the discussion of multiple projects and the security controls chosen for the threat level required for each project.
In the introduction, Eddy Thesse, VP of cybersecurity at Alstom explains that they were able to meet requirements even when “cyber-threats are particularly critical, as is the case in Israel”. Later in the document, Sangeeta Chomal, the Cybersecurity Leader for the MEA Region for Alstom, provides context to Eddy’s comment. It boils down, she explains, to implementing “multi-layered and zone-based network architecture based on IEC 62443 to ensure strong separation of applicable core networks”. She later explains that one of the implemented measures is physical unidirectional technology. She adds that “These types of perimeter security are more secure than many software solutions, where vulnerabilities can appear for hackers to exploit.” She also explains that the technology “allows for data interchange to be restricted as necessary between the critical system and other networks with varying levels of security”.
Hardware-Enforced vs Software Security
There is a lot to take in here, and the reader may be wondering why unidirectional gateways are stronger than software solutions. The answer is that the security provided by firewalls or antivirus systems or other security measures are based on software. While these solutions may be sold as what seems to be a hardware component, such as a network firewall appliance or VPN server appliance, these solutions in fact rely on software.
It does not matter how visually appealing these solutions look or if they are labeled as industrial – all of these solutions will need to be patched regularly for security problems. Such patches will be necessary not only when a vulnerability is found in the security software itself, but when a vulnerability is found in any part of the software stack, from firmware, to operating system to application. Such vulnerabilities are discovered routinely – for evidence of this simply go to Google and search for “VPN vulnerabilities”. Software solutions such as firewalls will also need to have complex rulesets designed, configured, documented and tested to properly provide the security benefits advertised.
If you have ever rebooted your computer for a critical security patch or configured the ports, connections, protocols and users to be permitted through a firewall, you may understand that vulnerabilities will always exist, and that configuring security software correctly is no child’s play. Industrial firewalls are routinely breached, as demonstrated for example in the BlackHat briefing “Deep Dive into an ICS Firewall, Looking for the Fire Hole,” where researcher were able to attack the software of a leading ICS firewall and bypass its security using a “fire hole”.
What is the alternative? The security of unidirectional gateways from Waterfall Security Solutions is based on hardware-enforced protections, not mere software. The premise of the protection is that data can travel only one way through the Unidirectional Gateway, not because of a software ruleset, but rather because the optical system transferring the information is physically able to send data in only one direction. Unidirectional Gateways also have software connectors that are used to move industrial data, such as OPC-UA data, files and database contents from the more secure network zone to a less secure zone. But this Unidirectional Gateway software, even if it contains bugs, cannot impact the action of the hardware in preventing remote connections to the protected network zone. Together, this means that Waterfalls have no fire holes.
Unidirectional Gateways in Rail Networks
Practitioners who have never deployed unidirectional gateway technology may suspect that having data travel in only one direction is somehow limiting. This is not true. There is a whole family of unidirectional technologies and products under the Waterfall umbrella, reflecting a wide range of communications patterns and business needs. For example, the Waterfall FLIP is a kind of unidirectional gateway whose orientation can reverse periodically to send essential updates back into a unidirectionally-protected network. The system is always unidirectional, and so can never sustain TCP connections to an attacker’s command-and-control center, but the product does periodically replicate IT systems back into OT networks.
More broadly, the practicality of Unidirectional Gateways is demonstrated by the fact that the technology is deployed routinely in many industries, such as power generation, refining, water treatment and pipelines. These industries share many of the safety concerns that are central to rail automation systems. In addition, in the electric sector for example, Advanced Distributed Management System control centers share many similarities with Rail Operations Control Centers.
Leaders in cybersecurity for the rails industry are embracing unidirectional gateway technology. These leaders have recognized that in today’s increasingly automated systems, there are no assurances of safe, reliable, or efficient operations without robust cybersecurity. These leaders are extending the definition of safety engineering and reliability engineering to include cybersecurity engineering. These leaders conclude that software-based and hardware-enforced security solutions can and should coexist in a layered defense in depth strategy, minimizing data flows entering core rails automation networks while transferring operational data out to enterprise networks in a disciplined manner. In the modern day, cybersecurity is essential to correct, continuous and efficient operations.
The alternative, again, is Gruyere-cheese-like industrial security programs riddled with “fire holes” - unpatched VPNS, intrusion detection systems that regularly provide both false positives and false negatives, and vulnerable firewalls whose configurations are nearly impossible to decipher or verify.
Conclusion
Today’s targeted ransomware attacks use the same types of attack tools and techniques as do nation-state attacks – the two have become indistinguishable. Whereas there was a time when we might imagine that “we are not important enough to be the target of a nation-state attack,” such sentiment is irrelevant today. Today’s targeted ransomware criminals use nation-state attack techniques to target everyone who they suspect will pay their significant ransom demands. Worse, history proves that cyber attacks only become more sophisticated over time. It is difficult to imagine more powerful attacks than today’s targeted actors, but such attacks will inevitably become the norm.
The good news: cyber attacks are information. This will always be true, no matter how sophisticated such attacks become. Secure rail networks are choosing hardware-enforced Unidirectional Gateways to protect their safety and automation infrastructures, in addition to software solutions that provide second-tier, defense in-depth style protections. Physically controlling attack information flows with Unidirectional Gateways reliably defeats both today’s cyber attacks, and future attacks, no matter how sophisticated those attack information flows might become.
Further reading: CyberSecurity Imperatives for Vital Rail Networks at Operation Control Centers
Upcoming webinar on this topic: Cybersecurity for rail digital transformation projects during the pandemic, featuring Marie-Helene Bonneau,Head of Security Division at International Union of Railways (UIC), Vish Kalsapura,Principal Engineer – Network Services Network Rail and Vijay Devnath, General Manager (Infra & Security), CISO Centre for Railway Information Systems (C.R.I.S), Indian Railways. Moderated by Dr Stefan Deutscher,Partner & Associate Director, Cybersecurity & IT Infrastructure Boston Consulting Group (BCG).