Rail Operations Center

Protecting Rail Vital Networks From Imminent Cyber Threats
Customer / Partner:

North American major metropolitan rail network.

Customer Requirement:

Enable safe enterprise and Internet visibility into Operations Control Center vital networks, including visibility into locomotive locations, track outages, and network security status, while providing the greatest security protection from external attacks.

Waterfall’s Unidirectional Solution:

Unidirectional Gateways were deployed at the Operations Control Center, providing one-way replication to the external network of the OPC-UA servers, SQL Server databases and Syslog data residing in the Train Safety vital network. This architecture supports compliance with IEC 62443, ISO 27001 and other industrial security standards, including the upcoming TS 50701.

Rail Networks Are Facing Modern Cyber Threats

Cyber attacks have already impacted rail systems in the USA, UK, Poland, Korea, Japan and other countries. The more digitized rail networks become, the more exposed critical control centers are to cyber sabotage. Increased network connectivity and digitalization at the Operations Control Center (OCC) enable adoption of modern train protection systems such as positive train control (PTC), cloud analytics, enterprise visibility into operations, and vendor-monitored predictive maintenance, while at the same time introducing new attack paths that threaten safe, reliable and cost-effective operations. To maintain the highest level of safety and reliability, OCC network perimeters must be protected by Unidirectional Security Gateways.

The challenge

Provide safe external connectivity to the Operations Control Center vital networks, so that maintenance workers have positive control over when track outages are cleared and enterprise cyber-security teams have visibility into their most important operations networks, without putting those networks at risk of cyber attacks.

Waterfall solution

A Waterfall Unidirectional Security Gateway replicates OCC SQL Server databases containing real-time locomotive locations and track outage data to the Metro’s enterprise network, and beyond that network to the Internet. In addition, OPC-UA server tags are replicated to provide real-time operational information from stations. Finally, Syslog data is replicated so that enterprise security monitoring receives network alarms in case of intrusions inside the OCC.

Results & benefits

Security: OCC networks are protected from network-borne attacks originating on enterprise networks and from Internet-based attacks, because no traffic can enter the OCC through the gateway.

Visibility: Unidirectional Gateways provide online access to real-time operations data, with no change to end-user procedures or business application integration configurations.

Compliance: Waterfall equipment is certified Common Criteria EAL4+ for security, is certified by NISA, ANSSI, NITES and others for critical infrastructures, and simplifies compliance with IEC 62443, ISO 27001, TS 50701 and other industrial security standards.

Theory of Operation

Waterfall Unidirectional Security Gateways replace firewalls in OT network environments, providing absolute protection to critical control systems from attacks emanating from external, less-trusted networks.

Waterfall Gateways contain both hardware and software components. The gateway hardware is physically able to transmit information in only one direction: out of the OCC network to enterprise and Internet networks. The gateway software replicates servers and emulates devices; external users and applications use the replica systems normally and bi-directionally. Waterfall products thus enable deep visibility into operations data and operations networks for enterprise users and systems, as well as for Internet-based websites, applications and cloud service providers. With Waterfall products deployed, that visibility is safe from attacks originating on these external networks because of the physically unidirectional nature of the products: the gateways provide access to Operations Control Center data without providing access to OCC systems. The corollary is that nothing can traverse the gateway inbound, so any workflow that requires data or commands to enter the OCC must use a separate, separately protected path.

The Operations Control Center hosts vital, safety-critical networks, including energy systems, train safety and signaling networks. While these vital networks might once have been closed networks, modern digitization and efficiency initiatives demand new connectivity and data sharing capabilities. Control system standards such as IEC 62443 and the upcoming European TS 50701 recommend unidirectional gateways for interconnecting critical networks to external networks.
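As an added illustration of the replication principle described above, the following is an editor's constructed Python example and not Waterfall's proprietary protocol or code; the frame format, the MAGIC marker, the table names and the sample rows are all assumptions made for the example. It models both sides of a one-way link: the OCC-side sender can never learn whether a frame arrived, so it covers loss by repetition rather than by retransmission on request, and the enterprise-side receiver validates a per-frame digest, applies rows idempotently to replica tables and reports sequence gaps, the only loss signal available when no acknowledgement can flow back.

```python
"""Toy one-way replication over a simulated data diode (constructed example)."""
import hashlib
import json
import struct

MAGIC = b"UDR1"                 # hypothetical frame marker (assumption)
HEADER = struct.Struct(">QI")   # sequence number (u64), body length (u32)
DIGEST_LEN = 32


class OneWayLink:
    """Simulated diode: the sender may only push, the receiver may only drain.
    There is deliberately no method by which the receiver can send anything
    back. drop_every=N silently discards every Nth frame to model loss."""

    def __init__(self, drop_every=None):
        self._frames, self._count, self._drop_every = [], 0, drop_every

    def send(self, frame: bytes) -> None:
        self._count += 1
        if self._drop_every and self._count % self._drop_every == 0:
            return  # lost in transit; the sender is never told
        self._frames.append(frame)

    def drain(self) -> list:
        frames, self._frames = self._frames, []
        return frames


def encode_frame(seq: int, payload: dict) -> bytes:
    """MAGIC | seq | len | JSON body | SHA-256(seq || body)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(struct.pack(">Q", seq) + body).digest()
    return MAGIC + HEADER.pack(seq, len(body)) + body + digest


def decode_frame(frame: bytes):
    """Return (seq, payload), or None for a truncated, corrupt or tampered frame."""
    hdr_end = len(MAGIC) + HEADER.size
    if frame[:len(MAGIC)] != MAGIC or len(frame) < hdr_end + DIGEST_LEN:
        return None
    seq, n = HEADER.unpack(frame[len(MAGIC):hdr_end])
    body = frame[hdr_end:hdr_end + n]
    digest = frame[hdr_end + n:hdr_end + n + DIGEST_LEN]
    if len(body) != n or len(digest) != DIGEST_LEN:
        return None
    if hashlib.sha256(struct.pack(">Q", seq) + body).digest() != digest:
        return None
    try:
        return seq, json.loads(body)
    except ValueError:
        return None


class Sender:
    """OCC side. Because nothing can come back, each change is sent `repeat`
    times; repetition, not retransmission-on-NAK, is how loss is covered."""

    def __init__(self, link: OneWayLink, repeat: int = 2):
        self.link, self.repeat, self.seq = link, repeat, 0

    def publish(self, table: str, key: str, row: dict) -> int:
        self.seq += 1
        frame = encode_frame(self.seq, {"table": table, "key": key, "row": row})
        for _ in range(self.repeat):
            self.link.send(frame)
        return self.seq


class Receiver:
    """Enterprise side: rebuilds replica tables from whatever arrives."""

    def __init__(self):
        self.tables = {}      # table name -> key -> latest row
        self.row_seq = {}     # (table, key) -> sequence number of the row held
        self.applied = set()  # sequence numbers already applied
        self.rejected = 0     # frames that failed the integrity check

    def ingest(self, frames) -> None:
        for frame in frames:
            decoded = decode_frame(frame)
            if decoded is None:
                self.rejected += 1
                continue
            seq, payload = decoded
            if seq in self.applied:
                continue  # duplicate copy from the sender's repetition
            self.applied.add(seq)
            tkey = (payload["table"], payload["key"])
            if seq > self.row_seq.get(tkey, 0):  # a late, older copy must not overwrite a newer row
                self.row_seq[tkey] = seq
                self.tables.setdefault(payload["table"], {})[payload["key"]] = payload["row"]

    def missing(self) -> list:
        """Sequence numbers never seen below the highest seen. Loss of the
        newest frame is invisible until a later frame arrives."""
        if not self.applied:
            return []
        return [s for s in range(1, max(self.applied) + 1) if s not in self.applied]


def run_demo(drop_every=None, repeat=2) -> Receiver:
    """Push a few constructed OCC records (sample data) through a possibly lossy link."""
    link = OneWayLink(drop_every=drop_every)
    tx = Sender(link, repeat=repeat)
    tx.publish("locomotive_location", "L1042", {"lat": 40.750, "lon": -73.990, "speed_kph": 62})
    tx.publish("track_outage", "T7-N", {"status": "cleared", "cleared_at": "2024-01-15T06:42:00Z"})
    tx.publish("syslog", "occ-fw-1:5001", {"sev": 4, "msg": "auth failure user=admin src=10.0.5.7"})
    tx.publish("locomotive_location", "L1042", {"lat": 40.761, "lon": -73.982, "speed_kph": 58})
    rx = Receiver()
    rx.ingest(link.drain())
    return rx


if __name__ == "__main__":
    rx = run_demo(drop_every=3, repeat=1)
    print("replica:", json.dumps(rx.tables, indent=1))
    print("missing sequence numbers:", rx.missing(), "rejected frames:", rx.rejected)
```

Running `run_demo(drop_every=3, repeat=1)` drops the third frame, so the Syslog record never reaches the replica and sequence number 3 is reported missing; with the default `repeat=2` the duplicate copy fills the gap. Two limits of the one-way design are visible in the code: loss of the most recent frame cannot be detected until a later frame arrives, and a party on the enterprise side who corrupts or forges a frame can only cause that frame to be rejected, never influence anything inside the OCC.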

Unidirectional Security Gateways Benefits:

- Enable safe, real-time reporting of locomotive location, track and other operational status to business management, track technicians and the public, without putting safe operations at risk
- Eliminate the risk to reliability, worker safety and public safety from network-borne external cyber attacks
- Enable safe connectivity with cloud-based security operations and other service providers
- Enable compliance with even the strongest railway and industrial cybersecurity regulations, standards and guidance

