A cyber attack on Friday impaired railway signage throughout Iran. The attack changed rail terminal signage to say that most or all trains had been delayed or cancelled and urged customers to call the phone number of the office of the Ayatollah Ali Khamenei for further information. Iranian news services initially reported “unprecedented chaos” at rails stations, but later withdrew that report. A subsequent post stated that the attack caused no problems whatsoever.
This attack mirrors comments made in an Industrial Security podcast six months ago. In that episode, Shannon Ramsaywak pointed out how important signage was to rails systems performance and even to rails systems safety. Shannon also explained how senior decision-makers often did not realize how exposed their signage systems were to sabotage.
While details on the Iranian attack are scarce, signage systems are often much more exposed to cyber attacks than are rails signaling and dispatch systems. After all, most rails systems all over the world post their latest schedule updates to their website and sometimes even to cell phone apps, both of which are Internet-accessible. In all such systems, there must be a communications path that connects the Internet to sources of locomotive location data.
Modern rail systems do not permit such connectivity through mere firewalls. Instead, they push location and schedule data from rail control systems out to the Internet through Unidirectional Security Gateways. The gateways are not physically able to send any attack information from the Internet back into the switching systems. The risk of online, Internet-based attacks vanishes entirely when Unidirectional Gateways are the only connection between control-critical and Internet-exposed business systems.
More generally though, the attack in Iran reminds us of the importance of correctly classifying our IT and OT systems. A table-top exercise I recommend to all OT security practitioners is to look at what happens when all IT-connected computers are utterly compromised. In this worst-case scenario, can physical OT operations continue?
Specifically, is any of the compromised or crippled IT equipment in fact essential to minute-by-minute physical operations? In the Iranian rails scenario, the signage was vital to directing passengers to their trains, and such signage is often accessible from IT networks. In the recent Colonial Pipeline incident, there were reports that pipeline product tracking and billing systems were so tightly integrated between IT and OT networks that the pipeline could not continue operating with the IT network crippled.
If we discover this situation in our table-top exercise, we need to bring it to the attention of senior business decision-makers. A crippled IT network is bad. Crippled physical operations are generally worse. If the business decides that an OT outage due to an IT compromise is not a tolerable risk, then we need to take measures. We might need to move some IT systems, such as rails signage systems, into the OT network and protect those systems unidirectionally, just as we protect our other control-critical OT systems.
Or we might need to store a copy of important OT information, such as pipeline product and flow measurements, closer to where that information is produced in the OT network, not only in the IT network. This way we can continue physical operations, and when IT systems are finally restored from backups, we can push our stored data back out to those IT systems. We might also need to cache one or two weeks of production orders or scheduling information in our OT systems. This way, if the IT systems that produce this data are crippled, our OT systems still have the instructions they need to continue while we repair the IT network.
Expensive, software-based OT security programs are of little value if they cannot prevent IT attacks from propagating into OT. They have even less value if every IT breach forces us to shut down operations because we left critical functions in the breached IT network. While Unidirectional Gateways eliminate IT threats to OT systems, and are cheaper than costly software-based cybersecurity, the gateways are no substitute for doing our homework.
Do the table-top exercise. Figure out which IT systems are critical to operations. And if we want to prevent operations outages, yes protect our OT networks unidirectionally. But we also need to put all of our ops-critical systems into the unidirectionally-protected networks, and cache in those networks all incoming and outgoing data that is needed to enable continuous operations during IT outages.
For deeper insights into how to protect OT networks unidirectionally while still meeting a wide variety of business needs, including build-to-order, anti-virus updates, and remote access, ask for a free copy of this author’s latest book: Secure Operations Technology.
Or ask for a free consultation with one of Waterfall’s Unidirectional Solutions Architects.