Rail remains one of the most popular modes of transportation. In a typical year, US freight railroads move around 1.6 billion tons across nearly 140,000 miles of track. US citizens traveled more than 12.5 billion kilometers by rail in 2021. Thousands of railways — from national and regional networks to intra-city light rails — have been built to connect the country and its industries, turning rail into a critical component of the nation’s economy.
Given this enormous volume, and in light of the few available cybersecurity tools designed for rail, the appeal to target railways is obvious.
Consider what would happen if a cyber threat actor decided to disrupt the delivery of life-saving pharmaceuticals in the middle of a pandemic or a nation-state cyber force targets the transport of ammunition to a US Army military base.
Safety vs. Security
The challenge of rail cybersecurity versus traditional enterprise cybersecurity stems from the volume and complexity of the equipment and the number of critical networks — the large size of the rail network, the volume of endpoint devices, the volume of different networks (SCADA, rail, regular IT, dedicated IT, such as ticketing, and more), and the fact that most systems cannot be patched. In addition, most rail infrastructure is 30-plus years old and expensive to replace.
The fact that rail infrastructure is designed for safety puts it in direct conflict with cybersecurity protection. Software systems have been set up to exacting standards by the original equipment manufacturers (OEMs) — Bombardier, Siemens, etc. — and if the internal software is altered in any way, the OEMs can withdraw their safety certifications, rendering the entire rail network inoperable.
In addition, even a single railcar has a vast threat surface that cannot be easily protected. The car’s public Wi-Fi and entertainment network can provide easy access into the operational network, which controls HVAC, brakes, doors, and fire equipment; the signaling system, which may stop the train completely, causing a collision with the train coming up behind it; and, finally, the remote access OEMs use for regular preventative and predictive system maintenance.
Source: Dark Reading