Rail – Waterfall Security Solutions
https://waterfall-security.com

TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management
https://waterfall-security.com/ot-insights-center/transportation/tsa-nopr-for-pipelines-rail-bussing-enhancing-surface-cyber-risk-management/
Tue, 26 Nov 2024 13:07:01 +0000

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident.


Andrew Ginter


The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident. Those directives had to be re-issued annually. The new regulation will be permanent – at least until it’s changed or revoked.

So I’m trying to read through the proposed rule, and the document is daunting – 105 pages of technical language intermixed with very legal language, riddled with cross-references, only some of which I understand. That said, at a high level, the new rule, if passed as-is, looks to apply to some:

  • 73 of 620 freight railroads in the USA,

  • 34 of 92 public transportation & passenger railroads,

  • 115 of 2,105 of the nation’s pipelines, and

  • 71 bus owner/operators,


though the bussing rules seem focused on incident reporting rather than full-blown cybersecurity programs.

Some of the most confusing legal language seems focused on rationalizing how the TSA issues security directives, since before this it seems there were different procedures for security directives applicable to different forms of transportation. Another bunch of confusing language seems to be rationalizing physical security requirements and separating them from cybersecurity requirements. And then it gets a little bit more readable:

  • 49 CFR Part 1580 – Freight Rail Transportation Security – starts on p. 71

  • 49 CFR Part 1582 – Public Transportation and Passenger Rail Security – starts on p. 82

  • 49 CFR Part 1584 – Highway and Motor Carrier Cybersecurity – starts on p. 92, and

  • 49 CFR Part 1586 – Pipeline Facilities and Systems Security – starts on p. 96


The freight rail, passenger rail & pipeline sections have a lot of familiar language. I haven’t gone through them line by line comparing them to the previous security directives (e.g., TSA SD 2021-02E, the current directive that applies to pipelines), but just reading through the requirements rings a lot of bells in terms of language I’ve read before.

At a high level, in-scope owners and operators will need to:

  • Carry out annual enterprise-wide evaluations documenting the current state of cybersecurity and comparing that state to a ‘target profile,’

  • Document a ‘target profile’ that includes at least the measures and outcomes described in the new law / rule, and ideally includes all of the applicable parts of the NIST Cybersecurity Framework (NIST CSF),

  • Develop an implementation plan and identify people responsible for carrying out the plan, and

  • Identify critical cyber systems and detailed measures to protect those systems, as well as detailed measures to detect cyber incidents, respond to them and recover from them.


At a higher level, as you’ve probably guessed by now, I’m struggling to understand the legalese. I would welcome a call from someone who can explain how to make sense of the complicated cross-references. I promise to take detailed notes on the process and publish them as an article so other interested people can figure out how to do the same – with copious thanks to my generous instructor.

BTW – one of the reasons I’m trying to understand this new rule is because I’m hoping to include insights into the rule in a webinar that’s coming up: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving Them.

If you’re interested in seeing what’s common, what’s different, and what’s changing in this space, please do join us on Wednesday Nov 27.

I also invite you to get a complimentary copy of my latest book, Engineering-grade OT Security: A Manager’s Guide.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Rail Cybersecurity – New Solution for an Old Industry | Recorded Webinar
https://waterfall-security.com/ot-insights-center/transportation/rail-cybersecurity-new-solution-for-an-old-industry-recorded-webinar/
Wed, 26 Apr 2023 00:00:00 +0000

About the Recorded Webinar

In this presentation, viewers will be introduced to Christopher Crawford, a renowned thought leader in the Transportation Industry, who will delve into the fascinating history of rail transportation cybersecurity. Mr. Crawford will highlight the evolution of systems integration and complexity, leading to the core concepts of Operational Technology (OT) Cyber Security in the rail sector. He will emphasize its growing importance due to escalating business demands for connectivity and digitalization.

The presentation will feature a review of practical use cases that demonstrate the real-world impact of cybersecurity threats on transit systems. Mr. Crawford will also discuss upcoming standards and TSA Cyber Directives, including the emerging TS 50701, which focuses on network segmentation as a key strategy to improve cybersecurity. By exploring these topics, viewers will gain an understanding of the historical context of rail transportation cybersecurity, the growing importance of OT Cyber Security, and the steps being taken to address cybersecurity risks in the industry.

Key Takeaways

The key takeaways from this presentation will emphasize the need for greater connectivity, the rising cybersecurity challenges, and the ongoing development of enhanced security standards. Overall, this presentation will provide valuable insights for those interested in the Transportation Industry and its cybersecurity challenges.

Resources – Rail Transportation Cybersecurity eBook

CYBER SECURITY IMPERATIVES FOR VITAL RAIL NETWORKS OPERATION CONTROL CENTERS

Explore future-proof cyber protections against cyber adversaries from the mundane to the most sophisticated.

About Chris Crawford, Transportation Industry Director – Waterfall Security Solutions

Chris Crawford leads Waterfall’s cybersecurity strategy and business development functions for transportation industries including rail transport and airports. In addition to his role at Waterfall, Chris is a Managing Partner at nTEG and a co-chair of the Cyber and New Technologies Committee at the American Public Transportation Association.

5 Key Takeaways From New ‘UITP Practical Guidance on Cybersecurity’ Report
https://waterfall-security.com/ot-insights-center/transportation/5-key-takeaways-from-new-uitp-practical-guidance-on-cybersecurity-report/
Mon, 16 Jan 2023 00:00:00 +0000

Let’s start with big kudos to the authors and the International Association of Public Transport (UITP) for their recent publication, ‘Practical Guidance on Cybersecurity: Requirements in Tendering,’ which is the first of its kind in the transportation industry.  The report provides an unmatched consolidation of thought leadership on cybersecurity in the public transportation industry and across the multiple modalities of passenger rail (Metro, commuters, and Tramway) and bus.  It is an excellent read and well worth your time.

The publication is very timely for Railway and Public Transport Operators (PTOs), as 2022 saw an unprecedented number of cyber-attacks on critical infrastructures around the globe.  In addition to the rise in the number of attacks, there is an increase in attack sophistication enabled by tools and methods now freely available on the dark web and traditionally seen only in the hands of state-sponsored actors.


The UITP’s Cyber Working Group, consisting of internationally recognized transport operators, OEMs, and solution vendors, identified the problem of lack of clarity and consistency across PTOs and the supporting supply chain to address cybersecurity.  As a result, the UITP Cyber Working Group agreed to pool resources and bring forward a practical and cross-functionally applicable publication recommending cyber solutions to the problem.

There are five noteworthy areas that are addressed in the UITP guide that are best represented as needs:

  • Need for more cybersecurity awareness in public transportation
  • Need for PTOs to distinguish between OT vs. IT systems
  • Need for commonality and reference to applicable cybersecurity standards
  • Need for cybersecurity alignment of PTO buyers and vendors
  • Need for more cybersecurity engineering in the V-Model

Need for more cybersecurity awareness in public transportation

Public transportation has always considered safety the top priority and cultivated the culture and engineering disciplines commensurate with this priority.  Cybersecurity, on the other hand, is a relatively new discipline.  Despite its relative newness, safety and security are siblings. The interdependencies between the two have grown ever more apparent over the last decade with the increased need to share data.  Digitization initiatives in public transport are cross-functional endeavors touching almost every employee, from those in the legal department, procurement, engineering, and through to the maintenance worker in the depot.  

No one is immune from the digital, and in public transportation, if it is not steel or concrete, then it’s a functional system with a digital element, either firmware or software.   This reality that digital is everywhere drives the need for more cybersecurity awareness in public transportation organizations, including setting up the right policies, procedures, training, roles, and responsibilities so that every department contributes to improving the organization’s security posture.

Need for PTOs to distinguish between OT vs. IT systems

Digitization of the transportation industry has been primarily led in recent years by the need to share data, and this opening up of operational systems to share data has invariably introduced new cyber threat vectors. One example is the need to share train location information (operational system-derived data) with publicly available mobile applications that are network-connected to the internet.

Even though transportation systems are engineered to be inherently safe (think ‘fail safe’), the interdependencies between critical Operational Systems (OT) and business-critical Information Technology (IT) related systems make it difficult to create precise segmentation, especially in a ‘brown field’ / existing transportation operation.

The distinction between OT vs. IT is the challenge that must be addressed so a PTO can confidently state that a cyber-attack on an IT system shall not impact safe operations.  Moreover, the importance for PTOs to classify systems as OT vs. IT acknowledges that they understand the material differences in the consequences of IT systems being attacked vs. an OT system being attacked, i.e., business consequences (IT) versus physical consequences (OT).

No CISO wants to wake up to learn that a phishing email or a denial-of-service attack on an IT-related system has directly impacted a traction power substation or signaling system, which is vital to the safe movement of passengers from New York to Boston, or on Metro Line 1 of Paris.


Need for commonality and reference to applicable cybersecurity standards

Public Transport and Railway Operators are very familiar with the need and benefits of standards.  However, while other critical infrastructure industries (e.g., the Energy sector) have made several years of headway on contextualizing and applying relevant cybersecurity standards, PTOs are only recently addressing cybersecurity at the level commensurate with being designated as a critical infrastructure custodian.  Why is this the case?  The main reason is historically poor cross-functional cybersecurity awareness.  Another contributing factor has been the need for more consistent and referenceable cybersecurity standards in the passenger transportation domain.

Fortunately for Public Transport and Railway Operators, instructions on how to apply the well-established industrial control system (ICS) cybersecurity standard IEC 62443 have been published by CENELEC in the form of Technical Specification TS 50701. And now the UITP Practical Guidance on Cybersecurity report provides valuable examples of how Railway procurement personnel should use TS 50701 to help write tendering documents for any Systems under Consideration (SuC).

Need for cybersecurity expectation alignment of PTO buyers and vendors

The need for common references to relevant cybersecurity standards in transport also helps to establish joint authority across multiple functional areas (procurement, engineering, supply chain) and, most importantly, between buyers and vendors.

Vendors complain that PTOs’ tendering requirements must be more explicit, specific, and applicable in the System under Consideration. In addition, PTOs need help finding within their internal organizations the expertise required to sufficiently establish the cybersecurity requirements that will meet their future needs and do so in a manner that is not bespoke, outdated, or wholly not applicable to the SuC.



There is a mutual benefit for PTOs and vendors to ensure cybersecurity expectation alignment.  On the one hand, vendors who have invested in their product roadmaps to meet stringent cybersecurity certifications and standards are afforded the appropriate level of consideration during a request for qualification (RFQ).  Equally, PTOs can quickly weed out vendors who cannot demonstrate that they understand or are prepared to introduce solutions into the OT environment of a safety-first critical infrastructure environment.

Need for cybersecurity engineering in the V-Model

PTO and Railway engineering professionals are very familiar with the product/systems life cycle V-Model, which provides a systematic phased approach from project/product/system concept through development and implementation to ongoing operations and maintenance.  The V-model is foundational in the systems engineering discipline and is used regularly to manage risk, validate, and verify that what was intended to be realized is now performing in line with original requirements.

Security by design must also be foundational in critical infrastructures such as railways and metros. As such, there is a need to verify and validate cyber-related deterministic behavior in OT digital systems. Practically, this means that OT systems perform as designed and are not subject to external or internet-based cyber-attacks. There is indeed no such thing as 100% secure, as security is fundamentally a continuum; however, reducing the cybersecurity threat to as low as reasonably possible (ALARP) is consistent with the core principle of cyber network engineering. By way of example, the rude awakening of an IT system hack propagating to an OT safety-critical system can be engineered out of the realm of possibility with IT vs. OT segmented networks, utilizing unidirectional gateway technology.

The UITP guide highlights the need for cybersecurity engineering in the system/product life cycle and recommends that a specific Information Security System (ISS) document/chapter be included in all public transportation tender documents of relevant systems under consideration.  This ISS will outline the main principles and detailed requirements for which prospective solution vendors must align themselves.

Cyber-by-design: Meeting the complexity of Passenger Transport and Rail Operations

Meeting the complexities in system designs of passenger and rail transport operations with a cyber-by-design approach is essential, and with the recent release of the UITP ‘Practical Guidance on Cybersecurity Requirements’ report, the job of PTOs tendering for a new system under consideration is now made easier.

Again, a big shout out and kudos to the authors and UITP Cyber Working Group, especially our Waterfall colleagues Serge Van Themsche, Jesus Molina, and Andrew Ginter, for bringing clarity and practical guidance on cybersecurity requirements to the transportation industry.   The usefulness of this effort across multiple stakeholders will be positively received. More importantly, if the advice is followed, there is no question that the security posture within the industry will be improved.

Strengths and Weaknesses of the New TSA Rail Cyber Security Directives
https://waterfall-security.com/ot-insights-center/transportation/strengths-and-weaknesses-of-the-new-tsa-rail-cyber-security-directives/
Tue, 22 Nov 2022 00:00:00 +0000

The new TSA Rail Cyber Security Directive 1580/82-2022-01 increases the scope of passenger and freight rail system cyber security protections over the directives issued in 2021. The new rules reflect complexities intrinsic to many rail operators. Parts of the new rules are not so clear, while other parts might have been made even a bit stronger without a material increase in compliance paperwork. It seems likely that the directives are only the first steps in the U.S. government’s efforts to secure the nation’s critical rail infrastructure.


TSA Security Directive 1580/82-2022-1: Rail Cybersecurity Mitigation Actions and Testing

At the highest levels, the new rules expand the scope of earlier directives. The 2021 directives were focused on incident reporting and incident response capabilities. The new directive expands the scope of required cyber security programs to encompass all five pillars of the NIST Framework. In doing so, the new rules reflect the complexity of trying to require strong security in an industry where many owners and operators have complex interdependencies between their IT and OT systems.

Critical Cyber Systems

The new rules define “Critical Cyber System” as any IT or OT system or data whose compromise could result in operational disruption. While some safety-critical systems such as signaling would qualify as an OT system, the definitions of IT and OT systems are more nebulous in other cases:

  • In passenger rail systems, the ticketing systems might be considered critical to continuous operations and ticketing systems are most often hosted on IT networks,
  • In freight systems, container tracking is often critical to on-loading and off-loading and these tracking systems are most often hosted on IT networks, and
  • Cyber security programs at most operators are comparatively immature, and so there tends to be a host of lesser interdependencies between IT and OT networks.

Unlike the North American electric power sector where there is a strong emphasis on separating control-critical from non-critical networks, making such a separation in most rail networks is going to be very difficult, no matter how desirable such separation might be in the long run.


Confusing Rail Cyber Security Elements in the New Directive

Given these interdependencies, it may seem strange that rule III.B in the new directive requires network segmentation “designed to prevent operational disruption to the OT system if the IT system is compromised or vice-versa.” If most physical operations require both IT and OT systems running, what good is independent operation? The answer may be aspirational. If there are no OT dependencies on IT services, strong segmentation, such as with a Unidirectional Gateway, means that physical operations can continue if the Internet-exposed IT network is compromised. Ultimately, if operators can move away from these dependencies, then the reliability and resiliency of the entire system is improved through stronger rail cyber security.

Similarly confusing are III.D rules on spam and phishing emails, restrictions against known C2 Internet addresses, and restrictions against known malicious websites. Common OT security practices already forbid connections from anything on an OT network out to an email server, and similarly forbid connections to anything but known-good IP addresses and web domains – or completely forbid all connections out to the Internet for that matter. The reason here, again, appears to be that these rules apply to “critical systems” and those systems can be found on both IT and OT networks. Worse, critical systems such as passenger ticketing and freight tracking may themselves be exposed to customers through web services, and so may be intrinsically Internet-exposed.

Problematic Elements

The obvious problem with the directives is that they are regulations, and auditable regulations produce a lot of costly paperwork. It is not enough to implement robust security programs to comply with the rules. Given the potential for external audits, robust security programs must now be demonstrably compliant, which means a lot of paperwork and tracking.

A deeper problem stems from requirements in III.C that talk about eliminating shared passwords, MFA, password refreshes and least privilege. The only practical way to implement these policies reliably in an OT network, with thousands or tens of thousands of cooperating systems, is a central password and permission manager, with Active Directory (AD) servers being the elephant in the room. The problem with these systems is that they introduce new single points of compromise and are favorite targets of ransomware criminal groups. By way of contrast, the NERC CIP regulations effectively forbid OT systems from depending on IT AD servers, by flagging AD servers as “electronic access control devices,” which are subject to almost as many CIP rules as are critical cyber systems. Such rules are seen as onerous for IT AD systems, and so in practice, no CIP-compliant enterprise has their OT systems depend on or even trust the IT AD servers.

Another problem reflects the IT/OT spam and Internet-blocking confusion that we looked at a couple paragraphs ago. The directive really should require or encourage owners and operators to set up strong segmentation for all critical rail cyber systems, whether on IT networks or on OT networks, and either forbid outright any connections to the Internet from those critical networks or permit only connections to known-good destinations. Trying to track known-bad IP addresses and domains is a never-ending game of cat and mouse with our adversaries; one eventually doomed to failure if it persists long enough.
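The difference between permitting only known-good destinations and tracking known-bad ones can be checked against flow records. The following is an added example, not part of the original article or of the TSA directive; the segment names, addresses and flow records are all constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values only (RFC 1918 and RFC 5737 documentation ranges).
# Critical systems sit on both IT and OT networks, as the article describes.
CRITICAL_SEGMENTS = {
    "signalling-ot": ipaddress.ip_network("10.20.0.0/24"),
    "ticketing-it": ipaddress.ip_network("10.30.0.0/24"),
}

# Known-good destinations per critical segment as (network, port) pairs.
# An empty list means the segment may make no outbound connections at all.
ALLOW_LIST = {
    "signalling-ot": [],
    "ticketing-it": [(ipaddress.ip_network("198.51.100.10/32"), 443)],
}

# Known-bad destinations, as a threat-intelligence feed might supply them.
DENY_LIST = [ipaddress.ip_network("203.0.113.0/28")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(addr):
    """Return the critical segment name containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in CRITICAL_SEGMENTS.items():
        if ip in net:
            return name
    return None


def in_scope(flow):
    """A flow is audited when it leaves the critical segment it started in."""
    seg = segment_of(flow.src)
    if seg is None:
        return False
    return ipaddress.ip_address(flow.dst) not in CRITICAL_SEGMENTS[seg]


def deny_list_verdict(flow):
    """Block only destinations already known to be bad."""
    dst = ipaddress.ip_address(flow.dst)
    return "block" if any(dst in net for net in DENY_LIST) else "permit"


def allow_list_verdict(flow):
    """Permit only destinations explicitly listed for the source segment."""
    dst = ipaddress.ip_address(flow.dst)
    entries = ALLOW_LIST.get(segment_of(flow.src), [])
    ok = any(dst in net and flow.dport == port for net, port in entries)
    return "permit" if ok else "block"


def audit(flows):
    """Return (flow, deny_list_verdict, allow_list_verdict) for in-scope flows."""
    return [(f, deny_list_verdict(f), allow_list_verdict(f))
            for f in flows if in_scope(f)]


def missed_by_deny_list(flows):
    """Flows a deny-list lets through that an allow-list would stop."""
    return [f for f, deny, allow in audit(flows)
            if deny == "permit" and allow == "block"]


SAMPLE_FLOWS = [
    Flow("10.30.0.15", "198.51.100.10", 443),  # ticketing to its listed service
    Flow("10.30.0.15", "203.0.113.5", 443),    # destination on the deny-list
    Flow("10.30.0.22", "192.0.2.77", 443),     # new destination on neither list
    Flow("10.20.0.8", "192.0.2.77", 8443),     # signalling host reaching outward
    Flow("10.20.0.8", "10.20.0.9", 502),       # stays inside the segment
    Flow("10.30.0.15", "198.51.100.10", 22),   # listed host, unlisted port
    Flow("172.16.5.4", "192.0.2.77", 443),     # source is not a critical system
]

if __name__ == "__main__":
    for flow, deny, allow in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  "
              f"deny-list={deny}  allow-list={allow}")
    print("passed by deny-list only:", len(missed_by_deny_list(SAMPLE_FLOWS)))
```

Every flow the deny-list misses here involves a destination or port nobody had classified yet, which is the case the article argues a known-bad list cannot keep up with.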

Residual Cyber Security Risk

One obvious residual risk here is pivoting paths. Pivoting is when our attackers take control of one machine in one of our networks and then use that machine to attack other machines in other networks. Targeted ransomware actors, hacktivists, and nation-states all use pivoting routinely. All three demonstrate routinely that they can push their attacks through firewalls. There were thousands of ransomware incidents last year, and all of them managed to plant their malware on IT networks through the Internet firewall, didn’t they? Any time there is only firewalled segmentation in place, there are pivoting paths from the Internet, through IT networks, into critical IT systems and OT networks.

Perhaps because of the deep distribution of critical rail systems throughout both IT and OT networks at most operators, the fundamental problem remains that only IT-grade cyber security solutions protect physical operations. The new rules require us to try to detect spam attacks and try to keep up with known-bad Internet destinations. We do this in the “hope” that we can discover and respond to attacks before truly unacceptable consequences are brought about on rail switching systems, the most consequential of our critical systems. The problem here is that “hope” can never pass as an acceptable engineering design practice.

Proper Engineering-Grade Rail Cyber Security

The engineering profession is charged with protecting public safety. Engineering-grade designs do not “hope” that a bridge will carry a specified load for a specified number of decades. Neither should engineering-grade rail cyber security designs “hope” that adversaries can be prevented from switching tracks maliciously and causing trains to collide. Engineering-grade protections are deterministic in that they always provide the same degree of protection, no matter what kind of cyber attack is thrown at them.

The new TSA directive is a step in the right direction security-wise, but rail system operators can do better than meet the minimum security requirements. A simultaneously simpler and cheaper design is available that meets the new TSA requirements. For a look at Waterfall’s current recommendation on how to provide simple, predictable, and unbreachable protection for network segmentation, please have a look at our guide: Cyber security Imperatives for Vital Rail Networks at Operational Control Centers.

Unidirectional Cloud Gateway for Rail | Waterfall & Alstom
https://waterfall-security.com/ot-insights-center/transportation/unidirectional-cloud-gateway-for-rail-waterfall-alstom/
Mon, 21 Nov 2022 00:00:00 +0000

Watch as Eddy Thésée, Vice President Cybersecurity at Alstom, and Lior Frenkel, CEO and Co-Founder at Waterfall, discuss the Unidirectional Cloud Gateway, a cloud security gateway product especially useful for the rail industry. This is a solution that solves the cyber security and data privacy concerns when connecting any operational technology environment to the cloud.


Key points on cloud security gateways

Eddy Thésée points out that “the usage of data within railway is increasing. Because of this usage we are able now to improve the operational efficiency. One of the ways to address the challenge of more data is to use the cloud.” Lior Frenkel adds: “We see a trend of course, going towards using more cloud based systems […] the flip side of that is that they need to connect their operational technology environments to cloud services which creates a lot of cybersecurity concerns and in this case also privacy [concerns].”

Operational efficiency and enhanced passenger experience are two clear focuses for modern rail. Paradoxically the increased connectivity needed to realize these goals exposes railway networks to new and evolving cyber threats. In an infinitely connected modern world, having assurance that operational systems can be protected with an unbreachable cyber security solution might be a surprise to some transport authorities. The Unidirectional Cloud Gateway (a cloud security gateway) for Rail combines impenetrable hardware with unlimited software-based connectivity.

Gateway Testimonials

“The unique and only railway cybersecurity standard that exists today (TS 50701) is recommending the use of these (Unidirectional Cloud) Gateways.”

Eddy Thésée, Vice President Cybersecurity, Alstom

“Waterfall has developed a solution which is specific to connecting operational environments to cloud services taking into consideration both the cybersecurity and privacy, and I think it will help many customers move a bit faster towards more wide spread use of cloud services.”

Lior Frenkel, CEO and Co-Founder, Waterfall

Note that viewers may also find our related use-case publication, Unidirectional Protection for Railway Signalling Networks, very informative.


About Waterfall

Waterfall Security Solutions’ unbreachable OT cybersecurity technologies keep the world running. For more than 15 years, the most important industries and infrastructure have trusted Waterfall to guarantee safe, secure, and reliable operations. The company’s growing list of global customers includes national infrastructures, power plants, nuclear generators, onshore and offshore oil and gas facilities, refineries, manufacturing plants, utility companies, and more. Waterfall’s patented Unidirectional Gateways and other solutions combine the benefits of impenetrable hardware with unlimited software-based connectivity, enabling 100% safe visibility into industrial operations and automation systems.

A New Cybersecurity Partnership for the Rail Industry | Waterfall & Alstom
https://waterfall-security.com/ot-insights-center/transportation/a-new-cybersecurity-partnership-for-the-rail-industry-waterfall-alstom/
Wed, 09 Nov 2022 00:00:00 +0000
Waterfall Security Solutions and Alstom announce a cybersecurity partnership to secure safety-critical and reliability-critical operations networks for railways and public transport.

Alstom is known as the global leader in rolling stock – delivering high speed trains and monorail. Alstom is also globally known for the user end of their mobility products. This has resulted in very connected systems – embedding privacy and cybersecurity in the DNA of Alstom’s products.

Increased Demand for Sharing Operational Data

In an age of increased business demand for sharing railway operational and signaling system data with non-secure networks, rail system operators urgently need cybersecurity partnership designs and solutions that can meet the challenge of sharing information while preventing cyber-attacks. When 100% prevention from online cyber-attacks is required, Waterfall’s Unidirectional Security Gateways are the clear choice.

Waterfall Unidirectional Gateways replace one layer of firewalls in an industrial network environment, providing industrial control systems with absolute protection from targeted attacks, secure enterprise-wide visibility, and safe remote access. The Gateways replicate servers, emulate industrial devices, and translate industrial data to cloud formats, enabling vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers.

Waterfall and Alstom’s Cybersecurity Partnership

Waterfall and Alstom’s cybersecurity partnership is based on a common commitment to increase the security of the railway industry.

“[Waterfall’s] ability to provide physical protection is essential for us”

Eddy Thésée, Vice President Cybersecurity at Alstom

Waterfall has a steadily growing installed base in the rail industry, and Alstom, the global leader in smart and green mobility, is already integrating Waterfall’s patented unidirectional gateways in projects.

“Together, we bring to public transport operators Waterfall’s expertise and technologies, which have been proven and applied in other critical infrastructures”

Lior Frenkel, CEO and Co-Founder at Waterfall

Unidirectional Gateway for the Rail Industry | Waterfall & Alstom
https://waterfall-security.com/ot-insights-center/transportation/unidirectional-gateway-for-the-rail-industry-waterfall-alstom/
Mon, 07 Nov 2022 00:00:00 +0000
Waterfall Security Solutions, the OT security company, and Alstom, the global leader in smart and green mobility have partnered to provide the rail industry with unbreachable cybersecurity through Waterfall’s Unidirectional Gateway products.

Rail system digitalization is yielding unprecedented efficiency gains and customer service improvements. Eddy Thésée, VP Cybersecurity at Alstom, explains that a consequence of this digitization is a need to communicate between zones with different levels of security and criticality. Unidirectional gateways are the best way to achieve this communication safely.

“We believe that unidirectional gateways are necessary in public transportation”

Eddy Thésée, VP Cybersecurity, Alstom

Rail Security Standards

Industrial security standards such as IEC 62443 and TS 50701 position unidirectional gateways as superior to firewalls, and thus a better fit for protecting connections between zones with different levels of criticality.

How A Unidirectional Gateway Works

Unidirectional gateways are a plug-n-play solution replacing one layer of firewalls in an industrial network environment, typically between IT and OT environments. Unlike firewalls, Waterfall’s Unidirectional Gateway products are a combination of hardware and software. The hardware is physically able to send information in only one direction: usually from a high-criticality network to a lower-criticality network. The unidirectionality of Waterfall’s Unidirectional Gateways is physically enforced, in the gateway hardware. Customers can be confident of the unidirectionality of Waterfall’s gateways because the products are Common Criteria certified to be unidirectional with a high degree of confidence, even in the face of the most sophisticated nation-state and organized crime attacks possible.

“In the rail industry you are responsible for tens of thousands of lives per day, their safety is the most important thing.”

Lior Frenkel, CEO and Co-founder, Waterfall Security Solutions

Cybersecurity and Safety

Cybersecurity in vital networks is a precondition for safety. Mobility experts at Alstom are providing valuable insights about the pain points of the rail industry, enabling Waterfall to continually improve and provide the best cybersecurity solutions. Waterfall’s Unidirectional Gateways and surrounding suite of products allow Alstom and the rail industry to reap the benefits of digitization, without endangering critical operation networks.

Unidirectional Protection For Railway Signaling Networks
https://waterfall-security.com/ot-insights-center/transportation/unidirectional-protection-for-railway-signaling-networks/
Thu, 08 Sep 2022 13:55:00 +0000

Enabling 100% secure remote monitoring of rail signaling and control networks, enabling SOC and corporate IT systems with secure visibility into signaling networks.

Customer/Partner:

North American metro and regional rail operator.

Customer Requirement:

Enable 100% secure monitoring and protection of rail signaling and control networks, to allow SOC and corporate IT systems visibility into signaling networks connected to safety requirements.

Waterfall’s Unidirectional Solution:

Secure and physically protect control and signaling system network perimeters from external threats with Unidirectional Security Gateways, enabling enterprise-wide and vendor visibility for operations status, as well as safe OT network monitoring from a central enterprise SOC.

Protecting Rail Signaling Networks From External Cyber Threats

With cyber attacks on railway networks occurring around the globe in recent years, rail cyber security awareness is growing rapidly. Signaling and rail control networks, such as CBTC in metro networks, and PTC and ETCS in North American and European railways, are becoming increasingly vulnerable to remote cyber sabotage. Modern cyber threats cannot be defeated reliably by common IT security such as firewalls. Hardware-based Unidirectional Security Gateways enable the digital efficiencies of a modern connected rail system, while providing the strongest protection for signaling systems from online attacks.

The challenge

Provide secure, real-time access to signaling data for the IT corporate network, including logs, alert messages, train location data and scheduling and other security data needed by the SOC. The console screen of the signaling system must be remotely visible from the corporate network.

As the signaling network contains vital systems necessary for the correct operation of the rail system, including safety rated systems, that network should be physically protected from all outside networks.

Waterfall solution

Waterfall Unidirectional Gateways were deployed to replicate SYSLOG for logs, SMTP for specialized alert systems, and XML files for signal status. Waterfall Remote Screen View was deployed to provide secure remote access to the signaling system for enterprise users. Unidirectional Gateways provide physical, hardware-enforced protection for the signaling network, while allowing the corporate SOC and other monitoring networks to access real-time data, and to respond rapidly to alerts coming from the signaling system.

Results & benefits
  • Enables 100% secure integration of signaling networks with corporate networks
  • Provides visibility from the corporate network into real-time signaling status information
  • Prevents all attacks, no matter how sophisticated, from reaching signaling systems from the Internet
  • Maintains safety requirements for safety systems with hardware-enforced security
  • Protects signaling networks absolutely from any threat propagating via connections to the Internet, to 3rd parties, or to vendors
Theory of Operation

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to safety critical and control system networks from attacks emanating from external less-trusted networks. Waterfall Gateways contain both hardware and software components. The hardware includes a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from a critical network to an external network, but is physically incapable of propagating any virus, DoS attack, human error or any cyber attack at all back into protected safety-critical and control networks.

Unidirectional Gateway software replicates database servers and other systems unidirectionally. The replica databases on the IT networks provide IT users, customers and passengers with the same data as would have been sourced from control-critical databases, without ever sending even one message from IT networks back into control-critical networks. It does not matter how sophisticated attacks become or how clever attackers are if no information or attacks can enter control-critical networks. Modern rail system operators embrace both increased efficiencies and reduced risk by deploying physical, unidirectional protections from cyber attacks as part of on-going automation improvements.

Unidirectional Security Gateways Benefits
  • Enable 100% secure, real-time reporting of metro car or EMU location, tracks, and operational status to passengers, business management, track technicians, infrastructure partners, and other rail operators.
  • Protect the reliability of operations, worker safety, and public safety from external cyber-attacks.
  • Safe remote supervision of changes to protected systems.
  • Protect rail operators from brand and reputational damage due to service outages.

Global Cybersecurity Standards Recommend Unidirectional Security Gateways

Waterfall Security is the market leader for Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by leading industry standards bodies and authorities such as NIST, ANSSI, NERC CIP, the ISA, the US DHS, ENISA and many more.

Ukrainian Conflict Puts Critical Infrastructures at Risk
https://waterfall-security.com/ot-insights-center/transportation/ukrainian-conflict-puts-critical-infrastructures-at-risk/
Fri, 28 Jan 2022 00:00:00 +0000

Belarusian “cyber activists” disrupted passenger rail traffic in the country by encrypting ticketing and other IT systems. The activists demanded that the government stop hosting Russian troops, and demanded the release of 50 political prisoners before the attackers would relinquish control of the encrypted servers. The group threatened to extend their control into safety-critical rail switching systems if their demands were not met. In such an eventuality, the group said that their objective would be to shut down trains, especially those carrying Russian troops, not to threaten human lives.

What does this mean for the rest of the world?

Critical Infrastructures are Targets

Governments have already warned that national critical infrastructures are likely to be targets of cyberattacks, and this is doubly true in times of physical conflict. In addition, some governments have cautioned that targeting critical infrastructures with cyber-attacks may constitute acts of war. Cyber acts of war, however, will have to get in line behind physical acts of war if the Russia/Ukraine conflict escalates into a physical conflict where Ukraine, Ukrainian allies, and NATO are in effect at war with Russia and her allies.

Keeping The Lights On

The attack on the Belarusian rail system is yet another example of an attack that cripples IT systems, and so brings about OT consequences, like the Colonial Pipeline attack, and the JBS meatpacking attack. In this case the rail system attack brought about confusion, delayed passenger trains and cancellations, all because of crippled ticketing systems. As a rule, such physical consequences are unacceptable to societies and their governments when those consequences impair critical national infrastructures.

In the USA for example, shortly after the Colonial Pipeline attack caused widespread gasoline shortages, the TSA issued a new cybersecurity directive to the nation’s largest pipelines. While initially secret, a redacted version of the directive was made available via the Washington Post, in response to a freedom of information request. Directive 2(b) of the document directs pipeline owners and operators to:

“Implement network segmentation sufficient to ensure the Operational Technology system can operate at necessary capacity even if the Information Technology system is compromised …”

This is the heart of the directive. Modern societies depend on critical infrastructures, and IT networks are intrinsically more exposed to Internet-based and other online attacks than OT networks should be. The government ordered pipeline operators to keep the pipeline going, even if IT assets have been breached. But it takes a number of things working together to keep a pipeline or power plant or rail system running while IT networks are crippled. The most important two are:

  1. Network segmentation measures strong enough to prevent OT networks from being shut down “in an abundance of caution,” when IT is compromised, and
  2. Manual business processes or other contingencies able to compensate for crippled ticketing systems, billing systems, shipment tracking systems or other crippled IT resources.

Both these measures are necessary. It does no good having a pristine OT/ICS network if we must shut down operations because those operations rely on functionality in a crippled IT network. And it does no good having workarounds for crippled IT functions if the attack drifts or pivots from IT assets into the OT/ICS network and there forces a shutdown of physical operations.

Waterfall Can Help

Waterfall Security Solutions can help, especially with the directive to employ strong network segmentation. Waterfall’s Unidirectional Security Gateways are the strongest possible kind of IT/OT segmentation for OT networks. The gateways are a combination of hardware and software. The hardware is physically able to send data out to the business network, and physically not able to send anything back into operations. It does not matter what kind of chaos has consumed the IT network, no online attacks, no matter how sophisticated – nothing – gets back into the operations networks through a Waterfall Unidirectional Gateway.

Unidirectional Gateway software makes copies of servers. The software logs into OT databases, historians, OPC servers, pub/sub systems, and other servers and asks for all the latest real-time data. The software converts the data into Waterfall’s internal unidirectional protocols and pushes the data out to the IT network. On the IT network, the Unidirectional Gateway software receives the data and then inserts it into an identical server. IT users and applications log into and use the replica database, historian, OPC, pub/sub, etc. servers normally. Unidirectional software makes deployment of the unidirectional hardware painless and seamless.
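The replication flow described above, sketched as an added example; it is not Waterfall's software or its internal protocol. Because a one-way link has no return path, the sender can never receive an acknowledgement, so this sketch assumes each record carries a sequence number and a CRC32 that let the receiving side detect loss and corruption by itself. The frame layout, names and sample syslog lines are constructed for illustration.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")   # assumed layout: sequence number, payload length
TRAILER = struct.Struct("!I")   # CRC32 over header + payload

# Constructed sample records standing in for data polled from an OT server.
SAMPLE_SYSLOG = [
    "<134>Jan 28 10:00:00 sig-ctl-01 interlock: route 12 set",
    "<134>Jan 28 10:00:01 sig-ctl-01 interlock: signal S4 clear",
    "<131>Jan 28 10:00:02 sig-ctl-01 atp: train 7 overspeed alert",
    "<134>Jan 28 10:00:03 sig-ctl-01 interlock: route 12 released",
    "<134>Jan 28 10:00:04 sig-ctl-01 interlock: signal S4 danger",
]


def tx_frame(seq: int, record: str) -> bytes:
    """OT side: frame one record for the one-way link. No reply is ever read."""
    payload = record.encode("utf-8")
    body = HEADER.pack(seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


class RxReplica:
    """IT side: fills the replica and records what it could not recover."""

    def __init__(self):
        self.replica = []    # (seq, record) pairs inserted into the replica
        self.missing = []    # sequence numbers that never arrived intact
        self.rejected = 0    # frames dropped for failing integrity checks
        self.expected = 0

    def receive(self, frame: bytes) -> None:
        if len(frame) < HEADER.size + TRAILER.size:
            self.rejected += 1
            return
        body = frame[:-TRAILER.size]
        (crc,) = TRAILER.unpack(frame[-TRAILER.size:])
        if zlib.crc32(body) != crc:
            # Header cannot be trusted either, and there is no way to ask
            # for a resend: count it and let the next good frame show the gap.
            self.rejected += 1
            return
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if len(payload) != length:
            self.rejected += 1
            return
        if seq < self.expected:
            return  # duplicate or stale frame
        self.missing.extend(range(self.expected, seq))
        self.expected = seq + 1
        self.replica.append((seq, payload.decode("utf-8")))


def run_demo() -> RxReplica:
    """Send the sample records; lose frame 2 and corrupt frame 3 in transit."""
    rx = RxReplica()
    for seq, line in enumerate(SAMPLE_SYSLOG):
        frame = bytearray(tx_frame(seq, line))
        if seq == 2:
            continue                      # simulated loss on the link
        if seq == 3:
            frame[HEADER.size] ^= 0xFF    # simulated bit errors in the payload
        rx.receive(bytes(frame))
    return rx


if __name__ == "__main__":
    result = run_demo()
    print("replicated:", [s for s, _ in result.replica])
    print("missing:", result.missing, "rejected:", result.rejected)
```

The list of missing sequence numbers is what a SOC consuming the replica would alert on, since gaps in replicated logs cannot be repaired from the IT side.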

Difficult Times

These are difficult times. The incident in Belarus is very likely only the first of many incidents targeting critical national infrastructures. If the crisis worsens, we should expect many more such incidents targeting infrastructures in NATO nations and in any other nations that support either Russia or Ukraine. And bear in mind – while the incident in Belarus was hacktivists, Russia is a cyber superpower. Russia has the means to bring very sophisticated attacks to bear on critical infrastructure targets – this was the point of the recent DHS warnings in the United States.

And it is a mistake to think that these threat actors will target only large and heavily-defended critical infrastructures – smaller, “less important” and less well-defended infrastructures will be very attractive targets as well.

The good news – deploying Waterfall’s Unidirectional Gateways is straightforward. Most often, the gateways are “set and forget” – unlike IT/OT firewalls, there is no constant fiddling or monitoring needed for Waterfall’s products. Waterfall’s products are configured and managed and, if necessary, diagnosed and repaired using simple, thin-client, web tools. Installing a gateway usually takes less than a day, and Waterfall experts are there to help you every step of the way.

The time has come to make our OT/ICS networks essentially impenetrable to online hacktivist, ransomware and nation-state attacks alike. We need to do this before we are targeted and before we suffer consequences as part of this Russia/Ukraine crisis, or as part of any of the other geopolitical crises that await in the months ahead.
