Cybersecurity for Rail Systems – Harder Than it Sounds | Episode 113

Transcript of this podcast episode #113: 
Cybersecurity for rail systems – harder than it sounds
With Miki Shifman – CTO & co-founder at Cylus

Nathaniel Nelson
Ah, welcome. Everyone to the industrial security podcast. My name is mate Nelson I’m sitting as usual with Andrew Ginter the vice president of industrial security at waterfall security solutions andrew’s going to introduce the subject and guest of our show today. How’s it going.

Andrew Ginter
I’m very well. Thank you Nate our guest today is Miki Shifman he is the chief technology officer and co-founder at Silas and our topic is cybersecurity for rail systems harder than it sounds.

Nathaniel Nelson
Okay, well then without further ado here’s you and Miki

Andrew Ginter
Hello Miki and you know welcome to the podcast. Thank you for joining us. Um, before we get started. Can you say a few words about yourself and about the good work that you’re doing at Cylus.

Miki Shifman
Hey Andrew thank you for having me. It’s a pleasure to be here in the podcast I’m really excited towards it so my name is Miki Shifman and I’m city young co founder at Cylus um, so we founded Cylus at 2017 prior to founding Cylus I served as an officer in a technology unit. In the Israel defense forces and dealt mainly with cyber security communication systems, embedded systems and everything in between within Cylus um overseeing product and technology and so in Cylus our mission is to protect. Railway systems all around the world from cyber threats we’ll explain later on why is it even a topic um and other than my work at Cylus I’m also contributing to various cybersec security working groups in the rail field worldwide. Um, the latest is actually an ic group that’s currently working on developing the latest standard for rail cybersecurity something that should be drafted like sorry published over the next year and we’re looking forward to it. It’s supposed to. Be an important milestone for rail security worldwide.

Andrew Ginter
Thanks for that. Um, and our topic today is trains. It’s rail system cybersecurity. Um, we’ve had a couple of guests on the show some time ago talking about rail systems. Um, you can you remind us. You know what. What is a modern train. How does it work. How is it automated.

Miki Shifman
Yeah, so before digging into how the trains actually work I want to put like a few facts here just for the audience to get more familiar with the operating constraints. So first is that trains can operate in speeds that are over three hundred kilometers per hour and have a stopping distance of one kilometer and more sometimes the reason I’m mentioning that is to explain that only automation can enable that because a normal driver can’t really see in such a distance. And of course in such a speed. You can’t really notice the state of the signal so you need to have something that transmits the information to the cab or makes decisions on your behalf The second thing is that you have more and more services for passengers and that results in. Modern trains and of course the safety constraints and the requirements for high availability trains are now many times have hundreds of connected device in a single train and they communicate with each other through safety critical and nonsafecritical communications. Other than that you have wireless links so a train operator can sometimes have ah a huge wireless network in Europe. It’s gsmr for positive train control. They use many times the two hundred and Twenty Megahertz radios

Miki Shifman
And other signaling systems have other wireless modes of communication such as Cbtc which is used for metro many times uses just wifi and all of them together as a single system. Cause the train to be heavily reliant on technology and this technology is very proprietary and used only in the rail.

Andrew Ginter
Um, let me? yeah, let me jump in here and and give just a bit of background. Um Miki used the word signaling a couple of times. Um in the old days. What was signaling in my. Dim understanding of it. Um, it was an electrical process. Ah if a train was on a segment of tracks. It closed an electrical connection between the two tracks and so you could sense that hey you know there’s a train on the tracks or you know. Suppose a metal bar could have faked it out but you’ve got you’ve got electricity. You know a small amount of it a signal moving from one track to the other and this um told the you know a light at the beginning of that segment of track to go red saying there’s a train on the track you have to stop and it was you know. Similarly electrically connected to the previous segment to track so that the light at the beginning of the previous segment went yellow so that an engineer driving another train sitting in the locomotive um coming up on a segmented track if that engineer saw a green light and I might have the colors wrong. But. Let’s use the the the traffic light you know convention if if the engineer saw a green light knew that the next 2 segments and track ahead of them were you know clear if they saw a yellow light. They knew that the next segment ahead was clear and the one after was not if they saw a red light. It was stop stop now you’ve got something on the tracks ahead of you.

Andrew Ginter
Um, this was old school and it relied on the reflexes and the attention of the engineer nowadays. It’s all been automated and the the buzzword is positive train control. Um you know train control basically means you get a signal from computers saying which tracks are. Are clear which tracks have locomotives on them or you know trains on them and um, the ah the computer in the in the locomotive it brings the the locomotive to a stop if if it needs to um, positive train control means that it’s It’s not a stop signal. That is sent to the locomotive by the the the computers it is a go signal and if the computer and the locomotive ever fails to get a go signal in ah a given amount of time it immediately stops. That’s what the the positive in the positive train control means it means you continue moving. Only if you continue getting a positive signal saying the road ahead E was clear so this is sort of the the modern world that it’s all automated.

Andrew Ginter
Okay, so um, you know these are safety critical environments. There’s there’s challenges in terms of you know, being able to see what’s coming down the track you know, stopping these say these very large very fast trains If if there’s an issue. Um. How does that relate to Cyber Security. You know what? what is sort of the the unique challenges for cybersecurity in the Rail systems.

Miki Shifman
Yeah, so the main aspect of rail system that is quite unique is the long lifecycle. So a train can be operated in 30 years usually I give the analogy of like we can think of what we knew about cyber security thirty years ago and that would approximately be the level of security that exists in many of the current trains that are in operation. The other thing is safety so to achieve this high level of safety and making trains the safest mode of transport. You need to have a lot of constraints. And many times those contrains constraints they come in conflict with security. So just an example in many countries in order to patch a device on a train or a safety critical network. You need the government to sign off the batch and that can take just. Months of approval from the time that you even have the patch are valuable sometimes years sometimes you just don’t touch it because it’s so hard to change and you don’t want to go through this costly process of updating the other is that train manufacturers and the technology is used in trains. There are many times really dedicated for the rail industries. So they’re not used in other industries you have technologies that just have been developed for a single industry and the know-how in the industry doesn’t necessarily contain a lot of cyber security. It’s mainly around safety and operations.

Miki Shifman
Because these used to be the core values of those systems. Other than that you have passengers on those Trains. So Although it’s a critical infrastructure. It has high interfaces with the public and people can be on trains they’re in stations trains are Moving. So. Ah, they’re not in a fixed location that you can kind of like protect or put walls just to protect it and all of those are quite significant challenges that the industry works around in order to improve the security of those systems.

Andrew Ginter
So A clarifying question. Um, you know you it sounds like you’re saying if you know when passengers come into ah ah a transit. Ah you know car or ah, you know, ah a commuter car. Um, it. It sounded like you’re saying some of the computers are are there exposed or are the networks exposed in what sense is this automation exposed to the public and and how big a problem is that.

Miki Shifman
Yeah, so indeed of course not not in all cases in many cases. It isn’t indeed. There are cabinets that are exposed to the public and I can give you a few examples and some of them you can see them in train stations they use just a key that everyone can buy online. Um. And you can see them like monitors on trains and as I mentioned in the stations themselves that are like that and someone could potentially abuse the other example which is a bit more. Let’s call it. Exotic was something that we saw in some trains that apparently the toilet computers or the. Systems that are ah responsible for mentioning the state of the toilet to the passengers like whether they’re occupied or not. They’re connected to the network of the train and they are just communicating in a bus with all the other devices in the network. 1 interesting thing about it is that sometimes either their controller or other controllers. There are architectures in which they are located inside the toilet cabinet for example, behind the mirror and in such cases. Someone could potentially just go to the toilet a place that is not monitored at all because they’re not cameras and of course inside a toilet. You cannot put them there and manipulate something inside the train network. So this is actually a scenario that we’ve seen ah happening at least in.

Miki Shifman
Some attack simulations and it was actually ah executed by the ones who simulated those attacks.

Nathaniel Nelson
So Andrew, I’m thinking through it now and if I’m a cyber attacker who wants to do as much damage as possible in a railway scenario I think what I do is after breaching the network. Turn the bathroom light to occupy the whole train rides that nobody could pay the whole time I think that is the best idea to cause as much pain as possible within the system I’m so confused why this is digitized in the first place.

Andrew Ginter
Um, yeah, so unfortunately, unfortunately there’s there’s far worse scenarios. But um, let me give you just a little background in in my understanding modern passenger trains um have not 1 network automating the train but 3 of them. There is obviously the control network where the the positive train control happens. Um you know and other kinds of control functions on on the on the vehicle there is the entertainment network because a lot of the modern trains have wi-fi they might have an internet connection. You know that you do or don’t have to pay for. They might have movies you can watch on on long rides. Um, and you know of course people are connecting their cell phones and their laptops and their tablets to these these entertainment networks and there’s what’s called a comfort network which is focused on you know automation that involves the comfort of passengers like. Are the the washrooms occupied. Um, what’s the temperature in the cabin you know control the air conditioning you know control the I don’t know the if you’ve got the on the the truly modern cars the you know the opaqueness of the windows so that the sun isn’t blasting in on you. Um. You know the lighting if it’s if it’s at night this kind of thing so and these networks you generally want to see you know you want your passengers to be able to see where you are and you know a very small amount of information that’s coming out of the control network that’s tracking location and and other aspects so you know how are we late.

Andrew Ginter
Um, you generally want passengers to at least be able to see what’s going on Comfortwise so they know you know which ah which restrooms are are available and how many cars they got to hike down to find one? Um, but you know you should at least have firewalls if not you know unit directional communications. Ah, between the more critical networks and the and the the less critical networks certainly in the Entertainment Network Older older systems older rolling stock may not have these distinctions. You know they may have mixed up some of these networks that are more separate on on the newer Stuff. Ah.

Nathaniel Nelson
I got to say Andrew the kinds of trains that I’ve had experience riding. Do not appear at least from the passenger perspective to have all of these comforts and amenities is this common.

Andrew Ginter
It’s It’s a mixed bag out there.

Andrew Ginter
Um I believe it’s common in the newer vehicles. The newer rolling stock. Um, but ah, you know a if it’s not there. You know, sorry for you. It would be nice to have a movie on the ride you know b if it’s not there. It also means you don’t have any of tvhese risks because. It’s not there. So you know it’s a mixed It’s a mixed blessing so nate let me let me explain or not so Nate let me let me yeah dive a little deeper there um in a lot of critical infrastructure.

Andrew Ginter
Wow I mean that’s nasty. Um, it reminds me that very recently we had a scenario in Poland where we saw a bunch of trains like 20 of them I think um suffer emergency stops because of of some hacking attempt. Can you give us the details there. What what happened there.

Miki Shifman
Yeah, so according to what’s known on the public. Um, what basically happened there was that there is a legacy system that isn’t used for ah train communications in Poland and this system is. Receiving or capable of receiving wireless signals and those signals are effectively subtones and a specific sequence of those subtones can make a train stop and that’s by definition by design. So I want to talk about a few points related to this case, 1 of them. Is the user wireless communication. It’s not very trivial that critical infrastructure uses wireless communication. So heavily as rail and that’s a unique attack factor in rail network that should be secured as much as possible. Not necessarily There is a lot of things you can do in such a situation. But. Something to be considered here. Specifically it’s a very old system. But even if it would be replaced with in your system. Ah those systems also rely on wireless communication and these are also digital wireless communication. So it’s even more susceptible to attacks because you can do much more more other things. Many times those wireless communication links are not properly encrypted or using old encryption or no- encryption at all. Um, and these are interfaces. They should definitely be looked at and protocols like Etms or cbtc they’re different.

Miki Shifman
Potential security challenges. There. The other thing is more related to let’s say motivation and that’s something that we’re seeing now along those geopolitical disputes but real systems are high quality target for threat actors and. The people within the rail company The operators. Ah they are responsible for ensuring that the public is secure in those systems and what we are unfortunately seeing here is threat actors are increasing and setting their sites On. Those Rail systems and showing the motivation to attack them. Ah and in my opinion it should be a wakeup call to many people in the industry that not necessarily looking at security not to sell in this case by the way that’s just an example of one company that got targeted none to necessarily even my cyber attackers. But. Over Wireless radios. But in general in the industry I think that we should look at ah the fact that Frat actors are actually looking and inspecting those systems and they can be aware of many of the specifications and these systems definitely should be treated. With security in mind.

Andrew Ginter
So um, let’s talk about about wireless communications for just a minute most heavy industry is deeply suspicious of wireless any kind of wireless. Um, you know why? you know it’s because cell phones are. Walking wireless attack vectors. Among other reasons you know how does that work imagine that you know your pizza delivery guy has downloaded a trojan game you know delivers pizzas into a refinery or a power plant. Um, and the Trojan game. While it’s inside the power plant is scanning for wi-fi networks and reporting their geographic location to a command and control Center Now The bad guys decide. They want to target a particular power plant. Um, they know in their database. They’ve got I don’t know six wi-fi networks in that plant One of them has the name control The other one has you know. Suggestive names they launch a phishing attack. They steal the credentials to log into those those wi-fi networks and now the next time anybody carries the compromised game on their cell phone doesn’t have to be the same pizza. Delivery guy can be anybody carries a compromised cell phone into the site. Um, the bad guys can connect to the cell phone over the cellular Network operate the trojan on the cell phone give the credentials connect to the wi-fi network in the site and you know work their will upon it So you know heavy industry is.

Andrew Ginter
Deeply suspicious of wireless for this attack scenario and and many others the problem with the rail system is that you have no choice. You have to use wireless communications to to communicate with these these you know locomotives that are traveling at three hundred kilometers an hour you know all over the countryside. You have no choice. And so yes, you have to encrypt everything. Yes, you need credentials everywhere and you’ve got to train your people not to leak these credentials because you know there’s just so it’s a hard problem. You have to use wireless but nobody wants to you know. And and so there’s a lot of of you know focus on on wireless security in the rail system policy. So Nate you know, thinking about this um a lot of people might ask? Ah why are we focused on.
-14:46

Andrew Ginter
Okay, so that’s ah you know that’s a distressing picture of sort of constraints and and issues in you know the security and in Rail systems. Um, can you talk about sort of the the what are. What’s the response. What’s the industry doing to address these things.

Miki Shifman
Yeah, sure. So of course the topic of security is quite broad. We know it from all other industries as well and there are a few motions there. 1 of them is securing the install base the other is develop. Products that are trying to be secured by design and also in each one of them you can dig deeper and see the controls that are being used in order to achieve those purposes so there are some controls that are harder to use many times like for example, encryption is unnecessarily being used in. Industry for other reasons can be about latency and potential impacts on the operations. Ah, other than that you have methods of things like segmentation in which we also cooper with waterfall. Um, and solutions like dials or firewalls as such what we’re doing is another thing which is being nonintrusive and trying to be as much easy as possible to deploy. So.

Miki Shifman
As as I mentioned before the main constraint environment is safety so you are trying to secure as much as possible without compromising safety and operations and that’s not such an easy task because in order to secure. Optimally you of course need to make a lot of modifications you would like to maybe change the devices themselves as I mentioned before you might want to introduce encryption wherever it’s possible. But sometimes what we’re seeing is that making those changes is much more expensive. And of a cost than just introducing an external solution that will give you the right? compass any control over the fact that those controls do not exist and when I say expensive I’m mostly mean into the need of recertifying the systems. Passing them for safety approvals upgrading and huge install base etc and our approach in Cylus One was to help operators to be able to meet the best security practices and follow the security frameworks in a way that is tailored for their environment. As well as make sure that all of those processes are indeed aligned with the safety processes and they’re not introducing another risk or a challenge with that regard.

Andrew Ginter
Okay, and you know, um in terms of of solutions in this space. You know Cylus is I mean you folks. Ah you know, have services offerings. You’ve also got technology. You’re selling technology into this space. Um. What are you? What are you producing and and you know how does it work.

Miki Shifman
Yeah, so our solution Cylus One which is the solution that the company develops is what we call a real tech security platform. So a Rail tech security platform is a comprehensive platform that is capable of providing several benefits to. Operators. So The most important thing about this type of a solution is the context that it has so we haven’t invented the space of operation technology monitoring. But I think that the major innovation that we bring in the rail industry and is so much needed in the rail industry is the ability to put context around the information. So our ability to provide operators

Our ability to provide operators with visibility which is precise and is tailored for their Environment. So the ability to differentiate between assets whether they’re safety critical or not whether they’re interlocking light signals. Point machines or things on the onboard such as braking systems and door control units this ability helps them to actually identify their environment understand the exact titles of their security poster.

Miki Shifman
And also remediate security issues as they occur in a much faster pace because they have this context think about it if you could have a network of hundreds of thousands of devices and you don’t really know what’s the role of each device. It’s very hard for you to prioritize. Whether an alert is severe or not ah understand who’s the owner of a specific device and who should treat the security issue understand the context of the device in the broader rail system and whether operations can continue as normal or not and these are all things that our solution brings. So. Broadly speaking our solution helps with visibility with detection the response piece of it which is very important because detection is 1 nice thing that you can do by detecting various sorts of tactics techniques and procedures. But understanding. How should you properly respond under the constraint of the rail environments is part of our secret sauce and part of the value that we’re bringing to the customers to make sure that they’re not just lost and flooded with lots of alerts and also of course compliance because compliance is paramount in the industry. So the ability to comply with rail security frameworks. As well as security. Best practices while meeting the safety constraints. These are all things that you get through our product and it helps you to also of course meet the requirements of all the latest regulations such as the TSA directive.

Miki Shifman
And the us and is two directive in Europe and standards and best practices such as Ts 57 one and ic 6 3 4 5 2 that will be developed that will be released in the future. Sorry and the system of course will also help operators to. Comply with it.

Andrew Ginter
Okay, so that’s ah, that’s a lot of Benefits. You know these are all important benefits of of a solution but you haven’t really said how it works I Mean. If you want to understand sort of the the purpose of each piece of equipment. Do you enter its Ip address by hand and enter the data by hand and now you have it available when an alert comes up or do you discover this stuff automatically or or what I mean. How? how are you gathering this data and and how much of it is sort of of manual how much of it’s Automatic. Can can You can you lift the hood for us.

Miki Shifman
So there are several ways that it works first as I mentioned the purpose is to be as much non-intrusive as possible and the way of doing it is first like. We collect information via network traffic. So we passively connect to the network via tabs or spend ports or diodes what is approved by the customer and collect the information passively for a platform that’s raw network traffic and we extract the context that I mentioned through this raw network traffic. So it starts by analyzing the protocols which is probably the easier part but then it builds out over our algorithms for as a database and anomaly detection and compliance and helping actually to make sense out of this data so that’s one source of data that we treat. The other source of data comes from integrations. Um integrations can be through operational systems that exist in the environment and these operational systems already gather insights about the operational state of the real environment. This can be like maintenance systems for example and our system can seamlessly integrate with them. And by collecting this information users can get a single pane of glass over their operational and security data in the sense that when security data is out there. You can actually correlate it with the operational input that you have in the environment and that usually helps you to spur false positives.

Miki Shifman
And have shorter investigation cycles other sources of information can include asset management databases risk management databases other security solutions that are used in the networks whether in the endpoints or other locations and we collect information from all of those in order to. Put this information into the context that they mentioned before so with this with these capabilities of information Collection. You can actually get a very comprehensive view of your network and very precise view of your environment whether it’s trekside onboard. The operation center or the stations themselves.

Andrew Ginter
So So listening to this you know I think some of our listeners might ask why? The great. Focus on you know, detecting and responding to incidents if cybersecurity is critical to safety then do we need not need to to prevent the incidents. Um, and you know I think I think the answer is partly. Got a lot of legacy equipment out there. It’s weaker than we want it to be and so one of the compensating measures we can put in place is you know a strong detection. It’s It’s not as good as changing the systems to prevent attacks. But you know it’s It’s something that especially in a passive mode. It’s something we can. Very quickly. Add after the fact without without arising the the ire of the of the Regulators. The safety Regulators. You know you might also and don’t don’t don’t get me wrong, you might you might also ask um you know. But if we were able to prevent these attacks by applying security updates by doing better segmentation by whatever um, could we? you know? do we then still need detect respondent recover and you know the answer is yes we need both. You know.

Andrew Ginter
the the nit cybersecurity framework has 5 pillars and you don’t choose between them based on your industry you might prioritize them based on your industry but a robust security program has all of them the most sophisticated um intrusion detection the most sophisticated you know. Detect respondent recover programs that I’ve ever seen are at sites that also have the most sophisticated prevention programs. They they sort of go hand in hand so you know on the one hand. It’s a compensating measure. You can. You can get some of your your assurance back with detect respondent recover and on the other hand. It’s a long term investment. You know we we need it going forward

Andrew Ginter
So you know ah a couple of things that that I I heard you sort of speak to glancingly could I ask you to go maybe a little deeper on um, response playbooks you know if there is something that might be an incident or definitely is an incident.

Miki Shifman
Yeah.

Andrew Ginter
You know it sounds like you have some support for dealing with the incident. So Can you speak to response playbooks and you’ve also mentioned compliance. It sounds like you can compare what you’re seeing to what needs to be there compliance-wise So Can you talk about sort of response playbooks and compliance. How do you?? How do you do that? What does that you know what does that look like under the hood.

Miki Shifman
Sure of course so let’s say we response playbooks so in response playbooks our goal is to have the operator capable of handing our alerts in a way that fits their environment. So it starts actually by helping the operator to get all the relevant context over a specific alert. So it’s the ability of identifying similar alerts very quickly and correlating it with them. Um. The ability of understanding whether maintenance activities took part of a specific on over specific asset. It’s the ability to see what other things this asset has experienced prior to this alert. Um, and it’s basically this and others that create the context. Helps the operator to first understand whether this alert should be there or not whether it’s expected maybe um and it also afterwards helps them to adjust it accordingness or justice in activity of the system and ensure that. They will see more or less of those alerts in the future. Other than that there is the part of by identifying the context of the alert. The context of the asset. The context of the operations understanding. How do you actually should respond to this event.

Miki Shifman
And by responding you can take several elections um some actions will be hard to take over a specific type of systems. Some are more possible. Um, generally speaking. The industry is. Just starting in terms of like the active response Capabilities. So the ability to actually like micro segmentment or do something similar over assets. It hasn’t been the case until now. But we see more and more sparks of it specific and specific systems that are inside the industry. Um, and. This general ability of like providing the operator a context it spares a lot of time something that you can effectively measure by the time that your sock team or your operations team needs to take when it analyzes Alerts and I think that’s an important metric to look at when you’re. Having some sort of a sock and Railil company or you’re setting up this monitoring or detection program inside your company and that’s where context is mostly useful so that’s about the response piece in Nutshell if we go into Compliance So Compliance is a very broad topic. Um, and. Especially in Rail It has a lot of tailwind coming from the different standards that are being developed and the suppliers themselves because the industry is used to develop things that are certified to something and that’s.

Miki Shifman
That’s the stamp that the industry provides to their components. So the general. Let’s say major capability of the major rail suppliers is the ability to have high level of safety and certification and that’s very hard to achieve. So what we’re seeing more and more is that the trend in the industry is to have a similar approach with security so to ensure that there is a baseline of security that is by design in those devices and ensure that is being enforced over those devices and this baseline of security can be a standard like. I c 6 to four free dash free family which is um more of the system integrator side. Um, and it can be something around iis free dash that dash 2 sorry that is coming more of the asset on their side and. All of those together are being embedded into this new set of frameworks that is developed in the industry and what our solution helps with is the ability to first understand your compliance status to some of the requirements as these those that are related to controls. Ah, because many of the requirements are to processes which are not necessarily things that are visible through just monitoring of traffic or analysis of data. Um, and other than that it helps you to understand like your general level of.

Miki Shifman
Complies to specific framework where the system helps you to achieve the goals that you have on specific requirements and that’s something that can also serve potentially as a competent and control for requirements that you don’t have because the truth is. It’s very hard to apply security to especially legacy systems but the term legacy is really stretching the rail domain because it’s thirty years so even if a system was developed like five years ago it’s already legacy and doesn’t necessarily throw security by design and with our product you can actually look at the different parts that you’re not compliant with. And see what coverage you can actually achieve through using the solution. So for example, if you have an unencrypted link. That’s that’s bad like that’s not something that you would like to have but let’s say the second best of like encrypting it or authenticating it would be probably to ensure that. There is no abnormal communication over the link that could potentially compromise you because it’s 1 thing to knowledge you have a risk The other thing is to actually be able to mitigate it or identify whether this vulnerability is being exploited and that’s something that we can definitely help with. The operators that are trying to meet those frameworks even with partial ability to implement controls.

Andrew Ginter
So I’m I’m still a little confused on the compliance side. Can you give me a couple of examples. What what kind of things can you you know, detect on the compliance side and and report on.

Miki Shifman
Yeah, Sure. So Maybe just to Catholic Go back to the previous question and start from there. So. Another important aspect of compliance is what happens the day after a system is being handed over so most of the compliance or most of the Frameworks are focused in complying at a certain point of time which is usually the handover time from the system integrator to the asset owner to the Rail operator. And from that point it’s under the responsibility of the operator but it’s very hard to enforce it over Time. So Even if there is a configuration that took place initially in a good way over the lifespan of 30 years that could be changed so.. For example I mentioned before the idea of vulnerabilities and patches. Um and one of the things that you can potentially do is to actually like through your vulnerability management and patch management Program. You can track the vulnerabilities of your devices. And ensure that the patches that needed to be installed based on your patch manager program which is adjusted to your environment adjusted to the safety constraints are actually being installed and that’s something that is essential because you’re probably not going to end up installing all the patches but you’re going to end up installing at least.

Miki Shifman
Part of the patches that are needed in order to meet your objectives and that’s something that we can actually track automatically so the vulnerability side and also the installation of patches and the software versions of the devices. So that’s 1 thing. The other thing is actually more more exotic examples of like. Systems that haven’t been properly segmented large systems and 1 of the challenges. The operator had that they wanted to kind of like divide the system into security zones and conduits like canbi I c 6 four free terminology. So this requires you effectively to. Install ah, of course some segmentation appliances inside the network. Um and they had them in several location but several occasion and didn’t have so one of the things that we could help with for virtual segmentation. Capability was actually to.

Miki Shifman
Divide automatically or provide a suggestion automatically to security zones and conduits over the environment of that operator and then have the operator kind of ah enforcing policies or policies can be enforced for a product in a way that. If there is aoral communication. One of the Rail application protocols between security zones that should not take place the system will automatically alert on that and help the operator to fix this misconfiguration and that’s something that helped them in order to. Achieve a sort of a compos in control over lack of segmentation, a specific location and later on to properly segment their system using those insights on recommendations was it okay.

Andrew Ginter
Um, thanks for that and and you on the topic of compliance. Still um, you’ve mentioned a few times there are standards that are out there for cybersecurity and in Rail systems. There are standards that are under development. There are standards that are still a gleam in the eye. Ah, can you can you survey for us What what does the regulatory landscape look like for cybersecurity and Rail systems. Okay.

Miki Shifman
Yeah, yeah, of course so I think there are few things to look at like a few dimensions to look at one is frameworks versus regulations. Ah the other is the geographical dimension because different countries have their own. Regulations. So if we start from the regulatory landscape so in the us psa with the help of Csa has published a few security directives that are basically used as regulations ah and from what we know more expected to come in. Europe the regulations are mostly derived from nis and nistu that cover critical infrastructure in general and rail is part of it but part of it is also for the member nations to identify their operations. Operators of essential services and kind of identify. How can they comply with the overall directives and this trend of having the regulation part of the krieka infrastructure regulation something that we see in rail. Because almost every rail operator is part of a critical infrastructure in their country. Other than that there is the landscape of standards. So.

Miki Shifman
The most comprehensive standard that’s currently available only for rail is called technical specification five zero seven oh 1 developed by San Alex and it was published in the end of 2021 and this standard is part of an initiative by both. Operators and suppliers mostly from europe that have taken the IC 6 to four free series and try to identify how rail is different or where rail is different and developed. Sort of like paper or technical specification that includes the different phases in the lifecycle of rail systems and how they should be handled in terms of security. 1 of the interesting parts of the unique parts I think is the interface between safety and security which is. The topic that is generally intention. So this tiny specification it was what is in the end ofstone twenty one served as a basis for another group that I’m actually para of part of and it’s a group ic which is a global standards organization and this group took ps 57 to 1 as well as isis six to form free Syria and is currently working together to establish this de facto global standard that can be used by each individual country to align their security within rail systems.

Miki Shifman
Other than that you have groups like Uatp and apppta in the us that are developing lots of useful papers but things like how should you run a tendering process about maturity programs for railway and transit operators. Both ot visibility detection within Raille and all sorts of very interesting topics that I really recommend for anyone wants to go and deep and dig deeper into the topic to read them and. Gain more understanding of how the rail environment works and what are the best practices to protect it.

Andrew Ginter
Okay, well you know this has been good. Thank you Miki! Thank you for joining us. Um before I let you go ah you know can you sum up for us what what should we take away from what you’ve been telling us here.

Miki Shifman
So thank you Andrew um, so if I could summarize it to a few takeaways of first is that it’s important to notice that rail environments they have unique nature and they’re very evolving in terms of technologies that are being used. Within them. So that’s 1 thing. The second thing is that in order to operate effectively security within the rail environment. You should really understand how operations in rail work and the different principles around safety because without that like I feel like it’s very hard to. Get to proper solutions in securing those environments and I really recommend to every one of you trying to secure them to really talk to your operations people and get more understanding of whats on their mind and what are the risk that they’re seeing. The other thing is that a real tech security platform can really ease your way into securing your environment and the changes that you need to make in order to secure your environment are not as bad as you might think and other than that I just. Encourage you to visit our website at Cylus.com and we’ll be happy to assist you with your journey within rail cybersecurity. We have a lot of experience that I really prefer from others to kind of for others to kind of explore the mistakes that.

Miki Shifman
We’ve seen happening in various places and try to take the shortcut and we’re happy to have you for the journey and help you with our solutions and of course please feel free to connect with me on linked connect with me on Linkedin I’ll be happy to chat with any of you. On the topic and have interesting discussions about it.

Miki Shifman
And of course, thank you very much Andrew it was a pleasure chatting with you today and I really look forward to more up is episode podcast. Thank you.

Nathaniel Nelson
Wait pause. So Andrew that was your interview with Miki. Do you have any final thoughts to take us out with today?

Andrew Ginter
Yeah I mean one of the one of the insights I got from from Miki, um, was that this industry is much more heavily regulated than I realized.

Nathaniel Nelson
Yeah, you know, ah sorry to interrupt you but it does bring me back to a point that we had thought about earlier in the episode I think he mentioned that the government has to approve like every patch in this industry which correct me if I’m wrong that that that kind of sounds crazy right.

Andrew Ginter
I mean in a sense it does but you know it’s all about safety I mean this industry from the very beginning we’re talking you know I don’t know the mid eighteen hundreds or something in my understanding this industry has been focused on safety from the very beginning you know to my understanding the the telegraph was invented in large part because or was deployed you know continent-wide in large part because of the needs of rail systems. Um, you know if ah and I don’t know what Europe but in North America most of the track that crossed the continent. Was single track you could put one train on it. There. There wasn’t a parallel set of tracks. Um except at stations where you know trains had to get by each other or or switchyards and so one of the in my you know in my understanding the history one of the jobs of the engineer the the person who. Ran the engine in in the the freight trains crossing the continent or passenger trains. If for example, the train was not scheduled to stop at a station I was taking the the track beside the station blasting on by not even stopping. 1 of the functions of the engineer 1 of the roles was to stick their arm out. There was a boom that swung out with ah a piece of paper on it. Grab that piece of paper and read it. This is a telegram telling the engineer whether it’s safe to continue on the next section of track or not.

Andrew Ginter
Or if there’s been a delay and you know there’s ah or if there’s been a derailment or something safety has been job one in this industry since the very beginning and you know it it persists to this day to me the real challenge that it sounds like is the the industry is facing is. Is the the dilemma between safety and cybersecurity in the modern world cybersecurity is essential to safety. The threat environment is deteriorating. We urgently need to make cybersecurity changes to these these you know safety critical systems that are the rolling stock in our rail systems. Um. You know this is the dilemma that the entire industry it sounds like they’re struggling with and you know the good news is not all bad. News. The good news is that folks like Silas are rising to the challenge and and they’re coming in with technology and you know not just a set of technology but they continue to to develop and innovate as they’re. Participating in these these industry forums to you know, develop solutions that can be deployed against systems both old and new.

Nathaniel Nelson
…then with that. Thank you to Miki Shifman for speaking with you Andrew and Andrew thank you as always for speaking with me this has been the industrial security podcast from waterfall.

Andrew Ginter
Um, it’s always a pleasure. Thank you Nate.

Nathaniel Nelson
Thanks to everybody out there listening.