Unidirectional Protection For Railway Signaling Networks
Protecting Rail Signaling Networks From External Cyber Threats
Customer/Partner:
North American metro and regional rail operator.
Customer Requirement:
Enable 100% secure monitoring and protection of rail signaling and control networks, to allow SOC and corporate IT systems visibility into signaling networks connected to safety requirements.
Waterfall’s Unidirectional Solution:
Secure and physically protect control and signaling system network perimeters from external threats with Unidirectional Security Gateways, enabling enterprise-wide and vendor visibility for operations status, as well as safe OT network monitoring from a central enterprise SOC.
Protecting Rail Signaling Networks From External Cyber Threats
With cyber attacks on railway networks occurring around the globe in recent years, awareness of rail cyber security is growing rapidly. Signaling and rail control networks, such as CBTC in metro networks, and PTC and ETCS in North American and European railways, are becoming increasingly vulnerable to remote cyber sabotage. Modern cyber threats cannot be defeated reliably by common IT security such as firewalls. Hardware-based Unidirectional Security Gateways enable the digital efficiencies of a modern connected rail system, while providing the strongest protection for signaling systems from online attacks.
The challenge
Provide secure, real-time access to signaling data for the IT corporate network, including logs, alert messages, train location and scheduling data, and other security data needed by the SOC. The console screen of the signaling system must be remotely visible from the corporate network.
As the signaling network contains vital systems necessary for the correct operation of the rail system, including safety-rated systems, that network should be physically protected from all outside networks.
Waterfall solution
Waterfall Unidirectional Gateways were deployed to replicate SYSLOG for logs, SMTP for specialized alert systems, and XML files for signal status. Waterfall Remote Screen View was deployed to provide secure remote access to the signaling system for enterprise users. Unidirectional Gateways provide physical, hardware-enforced protection for the signaling network, while allowing the corporate SOC and other monitoring networks to access real-time data and to respond rapidly to alerts coming from the signaling system.
Results & benefits
- Enables 100% secure integration of signaling networks with corporate networks
- Provides visibility from the corporate network into real-time signaling status information
- Prevents all attacks, no matter how sophisticated, from reaching signaling systems from the Internet
- Maintains safety requirements for safety systems with hardware-enforced security
- Protects signaling networks absolutely from any threat propagating via connections to the Internet, to third parties, or to vendors
Theory of Operation
Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to safety-critical and control system networks from attacks emanating from external, less-trusted networks.
Waterfall Gateways contain both hardware and software components. The hardware includes a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver but no laser. The gateway hardware can transmit information from a critical network to an external network, but is physically incapable of propagating any virus, DoS attack, human error or any cyber attack at all back into protected safety-critical and control networks.
Unidirectional Gateway software replicates database servers and other systems unidirectionally. The replica databases on the IT networks provide IT users, customers and passengers with the same data as would have been sourced from control-critical databases, without ever sending even one message from IT networks back into control-critical networks. It does not matter how sophisticated attacks become or how clever attackers are if no information or attacks can enter control-critical networks.
Modern rail system operators embrace both increased efficiencies and reduced risk by deploying physical, unidirectional protections from cyber attacks as part of ongoing automation improvements.
Unidirectional Security Gateway Benefits
- Enable 100% secure, real-time reporting of metro car or EMU location, tracks, and operational status to passengers, business management, track technicians, infrastructure partners, and other rail operators.
- Protect the reliability of operations, worker safety, and public safety from external cyber-attacks.
- Safe remote supervision of changes to protected systems.
- Protect rail operators from brand and reputational damage due to service outages.
Global Cybersecurity Standards Recommend Unidirectional Security Gateways
Waterfall Security is the market leader for Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by leading industry standards bodies and authorities such as NIST, ANSSI, NERC CIP, the ISA, the US DHS, ENISA and many more.