The attack surface for potential cyber threats has expanded with the integration of connected devices, the Internet of Things (IoT), and the convergence of IT and OT in railway operations.
In this Help Net Security interview, Dimitri van Zantvliet, Cybersecurity Director/CISO of Dutch Railways and co-chair of the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, how to build a practical cybersecurity approach, and cyber legislation.
The railroad industry is going through a significant shift. Whenever a connected device is added, an attacker has a new opportunity to exploit it. How has your job evolved with increasing digital transformation?
At the Dutch Railways (but this goes for our entire sector), our cyber jobs have evolved to focus more heavily on cybersecurity in the face of increasing digital transformation, the threat landscape, and cyber legislation. With the integration of connected devices, the IoT and IT-OT convergence throughout our operations, the attack surface for potential cyber threats has greatly expanded.
As such, our main responsibilities include implementing and maintaining robust security measures to protect our systems and networks from cyber-attacks. This includes regularly assessing and mitigating risks, implementing security protocols and controls, and ensuring compliance with railway sector regulations.
Additionally, our IT and operations teams work closely with our strategic and GRC teams to integrate security into the design and deployment of new technologies, as well as to develop incident response plans to address any security breaches that may occur. In summary, the increasing digital transformation in the railway industry has emphasized the need for a top-level, proactive and comprehensive approach to cybersecurity to protect the company’s assets and customers’ and employees’ data. Cybersecurity has become Chefsache!
Safety incidents and service disruption can cause havoc for railway systems. Are cyber-attacks increasing? What type of attacks do you see the most? Any interesting techniques you can share?
Yes, 100%. We keep track of all incidents that are happening in the sector together with our (European) Railway ISAC, local NCSCs and ENISA. Cyber-attacks on the railway industry have been increasing in recent years, as this vital sector too becomes more reliant on digital systems and connected devices, as you mentioned before. The types of attacks that we see include:
- Phishing and social engineering: These attacks involve tricking employees into giving away sensitive information or installing malware on their computers.
- Ransomware: A hacker encrypting an RU’s or IM’s files and demanding a ransom to be paid to restore access to the files.
- DDoS attacks: This type of attack involves overwhelming a network with traffic to disrupt its normal functioning.
- Supply chain attacks: Vulnerabilities and hacks in the software of our suppliers.
- Insider threats: Espionage, sabotage and data leakage are risks we have on our radar.
- With the ongoing war in the Ukraine we see increased attacks on railway infrastructure in that region where new Tools, Techniques and Procedures (TTPs) are developed and deployed. We are closely watching OT malware developments and wiperware attacks with possible spillover effects to western companies.
We educate and train employees on the importance of cybersecurity and the methods described above. This includes regular security awareness training and simulated phishing campaigns to test employees’ susceptibility to social engineering attacks. Finally, we have implemented and are continuously working on a multi-layered and zero trust security approach that includes both traditional IT security controls such as firewalls and intrusion detection systems, as well as OT control system-specific security controls and new approaches like continuous cyber policy enforcement.
What advice would you give to a newly appointed CISO that wants to build a practical cybersecurity approach for a railway system? Where to start?
Well, there are several key steps that you can take in your first 100 days:
- Start building your (internal) network and map your stakeholders. You are the trusted advisor for the organization but they need to know where to find you. Conduct interviews and listen to what’s brewing in the organization. Understand how you can contribute to the business drivers.
- Conduct a risk assessment: Begin by conducting a thorough risk assessment of your organization’s assets and systems to identify potential vulnerabilities and threats. This will allow you to prioritize your efforts and focus on the areas that are most critical to the organization.
- Develop a security strategy: Based on the results of your risk assessment, develop a comprehensive security strategy that includes an Information Security Management System (ISMS), policies, procedures, and controls to protect against identified threats. This should include both traditional IT security measures and OT control system-specific security controls.
- Oversee the implementation of those security controls: Once you have a strategy in place, have the necessary security controls implemented to protect your systems and networks.
- Train employees: Cybersecurity is a shared responsibility, and it’s essential that all employees understand the importance of cybersecurity and know how to spot and respond to potential threats.
- Monitor and maintain: Ongoing monitoring and maintenance are essential to ensure that your security controls remain effective and that any new threats are identified and addressed in a timely manner.
Don’t limit yourself and your teams to those bullet points, but also work on compliance, incident response, and supply chain collaboration. Don’t be afraid to ask your fellow CISOs for advice; I will be happy to give some guidance too.
How do you deal with legacy assets that don’t have patches or upgrades available?
Yes, that’s always a challenge as these systems may still be in use but are no longer supported by the vendor. Some assets (like trains) have a lifecycle of 30 years. It depends a bit on the Purdue level this asset is working in, but some of the ways to address this issue include:
- Network segmentation: Logically isolate them from the rest of the network, so that if an attacker does manage to compromise the system, they will not be able to move laterally to other parts of the network.
- Air-gapping: Another option is to physically separate the legacy system from the rest of the network, either by disconnecting it completely or by placing it on a separate, isolated network.
- Limit access: Limit the number of people that have access to the legacy system and control the access by implementing strong authentication and authorization controls.
- More controls are possible of course, but in the end, seriously consider replacing the legacy system with a newer, more secure alternative.
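As an added illustration of the segmentation and limited-access controls described in this answer (example code written for this page, not tooling from Dutch Railways or the Rail ISAC), the following script encodes a minimal allow-list policy for a legacy OT zone and checks constructed flow records against it. The zone addresses, jump host, historian and port numbers are assumed placeholders; the flow log format is constructed for the example.

```python
"""Allow-list check for traffic to and from a legacy OT zone (added example).

Policy (assumed, not from the interview):
  * Legacy controllers live in LEGACY_ZONE and are unpatchable.
  * Inbound to the zone is only allowed from a sanctioned jump host
    on management ports (limited access).
  * Outbound from the zone is only allowed to the historian on its
    telemetry port; anything else looks like lateral movement.
  * Traffic inside the zone, or not touching it at all, is out of scope here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    legacy_zone: ipaddress.IPv4Network
    jump_hosts: frozenset
    mgmt_ports: frozenset
    historian: ipaddress.IPv4Address
    historian_port: int


# Constructed addressing for the example; replace with real zone data.
POLICY = Policy(
    legacy_zone=ipaddress.ip_network("10.50.0.0/24"),
    jump_hosts=frozenset({ipaddress.ip_address("10.10.1.5")}),
    mgmt_ports=frozenset({22}),
    historian=ipaddress.ip_address("10.60.0.9"),
    historian_port=502,
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'ts src=.. dst=.. dport=..' flow record."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Flow(ts, ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))


def evaluate(flow: Flow, policy: Policy = POLICY) -> tuple:
    """Return (allowed, reason) for one flow under the segmentation policy."""
    src_in = flow.src in policy.legacy_zone
    dst_in = flow.dst in policy.legacy_zone
    if src_in and dst_in:
        return True, "intra-zone traffic"
    if dst_in:
        if flow.src in policy.jump_hosts and flow.dport in policy.mgmt_ports:
            return True, "management access via jump host"
        return False, "inbound to legacy zone not via jump host/management port"
    if src_in:
        if flow.dst == policy.historian and flow.dport == policy.historian_port:
            return True, "telemetry to historian"
        return False, "outbound from legacy zone (possible lateral movement)"
    return True, "does not involve legacy zone"


def find_violations(lines, policy: Policy = POLICY) -> list:
    """Return [(Flow, reason)] for every flow the policy rejects."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        allowed, reason = evaluate(flow, policy)
        if not allowed:
            violations.append((flow, reason))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2024-03-01T08:00:00Z src=10.10.1.5 dst=10.50.0.20 dport=22",   # jump host, ok
    "2024-03-01T08:00:05Z src=10.20.3.7 dst=10.50.0.20 dport=22",   # office host, reject
    "2024-03-01T08:00:10Z src=10.50.0.20 dst=10.60.0.9 dport=502",  # historian, ok
    "2024-03-01T08:00:15Z src=10.50.0.20 dst=10.20.3.7 dport=445",  # outbound SMB, reject
    "2024-03-01T08:00:20Z src=10.50.0.20 dst=10.50.0.21 dport=502", # intra-zone, ok
    "2024-03-01T08:00:25Z src=10.20.3.7 dst=10.20.3.8 dport=80",    # unrelated, ok
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport} REJECT: {reason}")
```

In practice the same allow-list would be enforced on the firewall or data diode between zones and the script would run over exported flow logs to detect drift from it; the point of keeping the policy explicit is that every path into or out of the unpatchable segment is enumerated and anything else is flagged.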
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) covers institutions, groups, and companies whose service interruptions might jeopardize the economy or public security. What are your thoughts on this?
We closely follow what our friends on the other side of the pond are developing. Your president seems to have embraced cybersecurity and I recently had the privilege to meet with his Cyber Security Director Chris Inglis. Vital infrastructures will be specific targets for attacks, so having legislation in place to speed up the resilience is perfect in my opinion. Having the possibility to fine organizations that purposely do not comply is necessary as well. We’re only as strong as the weakest supply chain link. In Europe we are similarly working on implementing the NIS directive, and recently the Commission has issued the NIS2 and Critical Entities Resilience (CER) directives. I applaud these initiatives.
In general, I believe that requiring institutions, groups, and companies whose service interruptions might jeopardize the economy or public security to report cyber incidents is a positive step towards improving the security of our critical infrastructure. By mandating the reporting of incidents, organizations will be able to share information about threats, vulnerabilities, and best practices, which will help to improve the overall security of the sector.
I also believe that new cyber legislation is an important step in the right direction, but it’s just one piece of the puzzle. Organizations must take a holistic and proactive approach to cybersecurity to effectively protect their critical infrastructure from cyber threats. I am positive that if we have the right commitment to do this, the Railway Sector will become more resilient day after day!