Unidirectional Protection For Railway Signaling Networks

Protecting Rail Signaling Networks From External Cyber Threats
Unidirectional Protection For Railway Signaling Networks
Customer/ Partner:

North American metro and regional rail operator.

Customer Requirement:

Enable 100% secure monitoring and protection of rail signaling and control networks, to allow SOC and corporate IT systems visibility into signaling networks connected to safety requirements.

Waterfall’s Unidirectional Solution:

Secure and physically protect control and signaling system network perimeters from external threats with Unidirectional Security Gateways, enabling enterprise-wide and vendor visibility for operations status, as well as safe OT network monitoring from a central enterprise SOC.

Protecting Rail Signaling Networks From External Cyber Threats

With cyber attacks on railway networks speckling the globe in recent years, the growth in rail cyber security awareness is on the rapid uptick. Signaling and rail control networks, such as CBTC in metro networks, and PTC and ETCS in North American and European Railways are becoming increasingly vulnerable to remote cyber sabotage. Modern cyber threats cannot be defeated reliably by common IT security such as firewalls. Hardware-based Unidirectional Security Gateways enable the digital efficiencies of a modern connected rail system, while providing the strongest protection for signaling systems from online attacks.

The Challenge icon
The challenge

Provide secure, real-time access to signaling data for the IT corporate network, including logs, alert messages, train location data and scheduling and other security data needed by the SOC. The console screen of the signaling system must be remotely visible from the corporate

As the signaling network contains vital systems  ecessary for the correct operation of the rail system, including safety rated systems, that network should be physically protected from all outside networks.

Waterfall solution - icon
Waterfall solution

Waterfall Unidirectional Gateways were deployed to replicate SYSLOG for logs, SMTP for specialized alert systems, XML files for signal status. Waterfall Remote Screen View was deployed to provide secure remote access to the signaling system for enterprise users. Unidirectional Gateways provide physical, hardware-enforced protection for the signaling network, while allowing the corporate SOC and other monitoring networks to access realtime data, and to respond rapidly to alerts coming from the signaling system.

Results and benefits - icon
Results & benefits
  • Enables 100% secure integration of signaling networks with corporate networks
  • Provides visibility from the corporate network into real-time signaling status information
  • Prevents all attacks, no matter how sophisticated from reaching signaling systems from the Internet
  • Maintain safety requirements for safety systems with hardware-enforced security
  • Signaling networks are protected absolutely from any threat propagating via connections to the Internet, to 3rd parties, or to vendors.
vertical red line
Theory of Operation
Click to enlarge

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to safety critical and control system networks from attacks emanating from external less-trusted networks. Waterfall Gateways contain both hardware and software components. The hardware includes a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from a critical network to an external network, but is physically incapable of propagating any virus, DOS attack, human error or any cyber attack at all back into protected safety-critical and control networks. Unidirectional Gateway software replicates database servers and other systems unidirectionally. The replica databases on the IT networks provide IT users, customers and passengers with the same data as would have been sourced from control-critical databases, without ever sending even one message from IT networks back into control-critical networks. It does not matter how sophisticated attacks become or how clever attackers are – if no information or attacks can enter control-critical networks. Modern rail system operators embrace both increased efficiencies and reduced risk by deploying physical, unidirectional protections from cyber attacks as part of on-going automation improvements. 

vertical red line
Unidirectional Security Gateways Benefits

arrow red right Enable 100% secure, real-time reporting of metro car or EMU location, tracks, and operational status to passengers, business management, track technicians, infrastructure partners, and other rail operators.

arrow red right Protect the reliability of operations, the safety of worker, and the public
safety from external cyber-attacks.

arrow red right Safe remote supervision of changes to protected systems.

arrow red right Protect rail operators from brand and reputational damage due to service outages.

vertical red line
Global Cybersecurity Standards Recommend Unidirectional Security Gateways

Waterfall Security is the market leader for Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by leading industry standards bodies and authorities such as NIST, ANSSI, NERC CIP, the ISA, the US DHS, ENISA and many more.


Stay up to date

Subscribe to our blog and receive insights straight to your inbox