(Roie Onn, CEO & Co-founder at Cervello)
Roie Onn is the CEO & Co-Founder of Cervello. He previously worked at the Office of the Prime Minister of Israel as a Senior Security Researcher. Roie Onn attended Reichman University (IDC Herzliya).
In a recent interaction with Metro Rail Today, Roie explained why cybersecurity is important for the rail and metro sectors.
Rail systems face several unique risks and challenges, including operational disruptions that translate into service disruptions or delays; damage to physical infrastructure, which can be incredibly costly to fix and have direct implications on passenger safety; and data breaches, which compromise confidential passenger and business information, jeopardizing the railway’s reputation.
The challenge for rail lies in the complexity of its networks. Rail systems rely heavily on advanced computer networks, while much of the critical infrastructure still includes legacy systems that may have inherent security vulnerabilities. The increased connectivity, including the integration of digital technologies, IoT devices, and remote monitoring systems, has expanded the attack surface for rail networks. Furthermore, the blend of old and new systems generates a unique cybersecurity challenge that is difficult to address without proper rail-specific tools.
Another factor that contributes to the vulnerability of rail systems is the reliance on third-party suppliers and contractors. These collaborations introduce additional entry points for potential cyber attacks. Cybersecurity vulnerabilities within the supply chain can then expose the overall rail system to those same risks.
Finally, insider threats should not be taken lightly. The rail industry in the US employs more than 140,000 people. Whether they are railroad employees, contractors, or third-party service providers, that is a lot of people with access to rail systems and who can intentionally or unintentionally cause irreparable damage through simple misuse.
When systems are interconnected, an attack on one system has the potential to impact the entire network. Rail networks operate using many different technologies and systems, and include thousands of internal and external connections. The increased complexity of train networks and the dependency on digital technologies have exacerbated the problem.
Likewise, integration of third-party systems and supply chain risks have created greater opportunities for malicious actors to exploit vulnerabilities. A breach at a third-party vendor can prompt an immediate railway shutdown to prevent the endangerment of service operations, as was the case with Denmark's train network disruption in October.
Vulnerabilities can also appear during data transmission. Interconnected systems often involve the transfer of vast amounts of data, which can be intercepted or tampered with if not properly secured. OT systems, such as train control systems and signaling, were traditionally isolated from the internet. However, with increased connectivity and integration, the exposure of OT systems to potential cyber threats has significantly increased.
One of the immediate consequences of a successful cyber attack on a rail system is the disruption of operations – trains coming to a stop, schedules thrown off, passengers left stranded, and delays in the delivery of goods. Attackers gaining unauthorized access to train control systems or signaling infrastructure could manipulate train movements, leading to accidents, derailments, or collisions.
Broader long-term consequences can affect both the rail company and its customers, such as data breaches that expose personal passenger information or a customer’s operational data, which are detrimental to a rail company's reputation and customer trust.
Rail attacks have national security implications. Rail systems play a critical role in a country's transportation infrastructure, serving as a backbone for economic activities and national mobility. A disruption in rail services can have cascading effects on other sectors of the economy, such as logistics, tourism, and supply chains. The overall economic impact can be far-reaching, affecting not just the rail company but also the communities and businesses that rely on its services.
First and foremost, rail operators need to adopt a multi-layered approach to cybersecurity. It starts with conducting thorough risk assessments to identify vulnerabilities and potential entry points for cyber attacks. Implementing robust authentication mechanisms such as multi-factor authentication and role-based access controls is crucial to prevent unauthorized access.
Ensuring full visibility and network segmentation, as well as continuous traffic monitoring and analysis can help detect and prevent any unusual or lateral movement of cyber threats within the infrastructure. It’s critical to enable logging and analysis with contextual information and real-time visibility so security teams are quickly alerted about potential threats, anomalies, or suspicious activities.
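As an added illustration of the segmentation and traffic-monitoring point above (example code written for this page, not Cervello's product or any rail operator's configuration), the following passive check maps flow records onto assumed network zones, flags cross-zone connections that are not on an allow-list of permitted conduits, and reports any single source that fans out to several hosts in other zones, the kind of pattern that lateral movement produces. The zone ranges, ports and flow records are all constructed assumptions.

```python
# Added example: passive zone/conduit check over constructed flow records.
# Zones, allow-list and sample flows are assumptions for illustration only.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone layout; a real deployment would take these from the
# operator's own zone model (e.g. one built along IEC 62443 lines).
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "vendor_remote": ip_network("10.20.0.0/16"),
    "train_control": ip_network("10.100.0.0/24"),
    "signaling": ip_network("10.101.0.0/24"),
}
# Permitted conduits as (src_zone, dst_zone, dst_port); anything else is flagged.
CONDUITS = {
    ("enterprise", "train_control", 443),
    ("vendor_remote", "train_control", 22),
    ("train_control", "signaling", 2404),   # IEC 60870-5-104 telecontrol
}
FANOUT_THRESHOLD = 3  # distinct cross-zone destinations from one source host

def zone_of(ip):
    """Return the assumed zone name for an address, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyze(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns (violations, fanout)."""
    violations = []
    targets = defaultdict(set)
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                        # intra-zone traffic is out of scope here
        targets[src].add(dst)
        if (sz, dz, port) not in CONDUITS:
            violations.append((src, sz, dst, dz, port))
    fanout = {s: sorted(d) for s, d in targets.items() if len(d) >= FANOUT_THRESHOLD}
    return violations, fanout

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    ("10.10.5.7", "10.100.0.10", 443),
    ("10.20.1.3", "10.100.0.10", 22),
    ("10.100.0.10", "10.101.0.20", 2404),
    ("10.20.1.3", "10.101.0.20", 22),      # vendor host reaching signaling: not permitted
    ("10.20.1.3", "10.101.0.21", 22),
    ("10.20.1.3", "10.101.0.22", 2404),
]
```

Running `analyze(SAMPLE_FLOWS)` flags the three vendor-to-signaling flows as conduit violations and reports the vendor host as fanning out to four cross-zone destinations.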
Encryption is key, as well as regular patching and updates, which can be done together with the cybersecurity provider to ensure they do not interfere with service operations. Rail operators should engage with cybersecurity experts, industry associations, and government agencies to stay updated on the latest threats and best practices. Sharing information and experiences within the industry helps raise awareness and collectively strengthen defenses.
Additionally, being proactive and cybersecurity-conscious is key to preventing a cyber attack. Educating employees about cybersecurity best practices, social engineering techniques, and the importance of maintaining network security is crucial. Security-by-design is an approach we strongly recommend, as it means that the infrastructure receives a customized cybersecurity solution from the very beginning.
Finally, railways can prepare themselves for any event by establishing clear incident response procedures, roles, and responsibilities, as well as performing regular drills and simulations to help validate the effectiveness of the plan and ensure a coordinated response in the event of an attack.
A strong cybersecurity strategy is one that focuses on threat prevention rather than detection. A cyber attack is like a virus; little can be done once it has penetrated certain areas. It is crucial that rail security teams have complete visibility over their entire network and have already conducted a comprehensive risk assessment to prioritize the patching of vulnerabilities and misconfigurations, and the potential impact. They must establish robust governance structures, policies, and procedures to guide cybersecurity efforts within the rail organization.
Organizations with a proactive approach are also educating their employees on cybersecurity best practices, the importance of secure behavior, and methods to detect and respond to potential threats, while also encouraging reporting of security incidents and anomalous behaviors.
A critical component is, of course, to ensure continuous monitoring and threat detection and be consistent about maintenance and assessments of the organization’s security posture.
Through internal research and by leveraging our external knowledge base. We work closely with all leading industry rail and cybersecurity associations and key stakeholders, with whom we discuss and share the latest research, trends, and rail cybersecurity challenges.
It’s important for us to not only be up to date with cybersecurity-related topics, but also with the latest technological trends in rail and OT/IT/IoT. We are part of various working groups focused on rail and transportation cybersecurity with some of the largest government and regulatory bodies. We also have very close relationships with our partners, who cover various sectors such as OT, rail, or IT cybersecurity; together we build a picture of the latest in all areas. There are numerous ways to be involved and learn, and it’s important to be proactive in staying updated with this quickly evolving sector.
It differs per region, but a few are leading the fight. At the international level, one prominent framework is the International Electrotechnical Commission's (IEC) 62443 standard series. This set of standards offers comprehensive guidance on the security of industrial automation and control systems, including those employed in rail operations. It covers risk assessment, security policies, network architecture, access controls, and incident response.
On the national level, countries have their own regulatory bodies and standards specific to rail cybersecurity. For example, the TSA Security Directive in the United States encourages a proactive approach to cybersecurity by enforcing risk assessments, security awareness training, incident response planning, and information sharing.
Additionally, various organizations are active in pushing for better cybersecurity standards. The International Association of Public Transport (UITP) and the International Union of Railways (UIC) are prominent entities that provide guidance and best practices for rail cybersecurity. These organizations facilitate knowledge sharing, collaboration, and the development of standards that address the unique challenges faced by the rail industry. We are active, collaborating members in various UITP working groups.
The adoption of emerging technologies mainly provides more entry points for hackers to exploit. If the rail system isn’t protected, those entry points become incredibly high risk. AI algorithms for example, rely heavily on data, and if that data is compromised or manipulated, it can undermine the integrity and effectiveness of AI systems, and, as mentioned previously, it can then affect many other areas within the network.
It depends on the railway, on the incident, on the interdependencies of the affected system, and much more. Upon detection of any cybersecurity incident or vulnerability, Cervello Platform will signal an alert and suggest a full incident response playbook. The playbook is an automated set of guidelines designed together with the rail company to help the security teams take the fastest, most efficient course of action to prevent any further disruption or breach. It provides a full contextual overview of the incident, including a breakdown of the operational consequences of each action in the rail's systems.
Employees are often the first line of defense against cyber threats. They interact with the systems, handle sensitive data, and make decisions that, due to the interconnectivity we discussed earlier, can impact the overall network. So yes, training and awareness programs are crucial to an organization’s cybersecurity approach. Through education, employees can implement best practices, learn about emerging threats, recognize common attack vectors such as phishing emails, and become more vigilant for suspicious, anomalous behaviors.
Cultivating a culture of cybersecurity awareness and providing continuous education will strengthen the organization’s defenses and foster a sense of shared responsibility.
When a rail organization is looking to implement a cybersecurity solution, budget is rarely the issue. Hesitation mainly stems from the uncertainty of how it will affect the existing systems and whether they can trust us as third-party providers. When an organization is ready to implement a cybersecurity plan, they look at which solution can provide them the best, most effective and efficient platform to manage and secure their assets. Cervello is a one-stop-shop cybersecurity platform. We do offer our solutions separately depending on the needs of the rail organization; however, cybersecurity is like insurance: when you need it, you’re very happy you have it.
We expect to see a lot more of machine learning and artificial intelligence (AI). These technologies have the potential to revolutionize how we detect and respond to cyber threats in real time. Cervello uses AI to help with incident response automation, for example, which is critical in the effective mitigation of threats.
Also, the concept of zero-trust architecture has gained significant attention in recent years. Zero-trust architecture ensures every user, device, or system requesting access is continuously verified and authenticated, regardless of their location within the network. Cervello Platform uses passive, zero-trust monitoring to enhance the resilience of networks without interfering with service operations.
Collaboration and communication are key. We involve key stakeholders from both the cybersecurity and operational teams to understand their main challenges, objectives, and concerns. This way, we can align our efforts and build a practical plan of action that considers both the security requirements and operational constraints.
We always start with a risk assessment to identify the critical assets, potential vulnerabilities, and the operational impact of cyber threats. This enables us to prioritize cybersecurity measures.