Monitor Without Risk of Remote Cyber Attacks: Unidirectional Security for Railways
By Martin Ashcroft
Investment in rail
Most major industrial nations are investing heavily in rail. The Canadian Government announced its new infrastructure plan in March 2016, allocating $C3.4bn ($US 2.6bn) in federal funding over the next three years to “upgrade and improve public transit systems across Canada”. In South Africa the state-owned ports and rail company Transnet is well into its Market Development Strategy, a seven-year R300bn ($33.82bn) investment scheme with a clear strategy to “rejuvenate the country’s ports, rail and pipelines infrastructure”. In Australia, trains carrying iron ore from mine to port can be over a mile long. Expecting its ‘freight task’ to double over the next 20 years, the Australian Government is targeting investment in rail infrastructure to meet this demand.
The UK is investing billions of pounds in HS2, a new high-speed rail line linking London with Birmingham and Manchester. Germany, France and Spain, among others, have also invested in high-speed rail networks. Suffice it to say that rail is big business and it’s going to get bigger. It’s the mention of automation and remote control devices, essential elements of a modern, efficient system, that raises eyebrows in cyber security circles.
Chronology of railway cyber attacks
Cyber attacks on rail systems are no longer a hypothetical threat. In August 2015 Japan Railways Hokkaido was attacked by an allegedly Chinese-backed group, which used a remote access Trojan (RAT) to gain access to the rail company’s network in an attempt to steal information on transport security, in advance of the opening of the Hokkaido Shinkansen Line. In this kind of attack, called spear-phishing, the attacker identifies a number of people who are likely to have the access credentials he or she needs to infiltrate the network, then sends them a fake email (in this case purporting to come from a customer). Specialized malware is activated when an employee opens the email’s attachment; in this case, however, the subsequent attempt to steal files was apparently unsuccessful.
Some people believe that railway control and signaling systems are impenetrable because they are too complicated for anybody to attack. They probably haven’t heard that in 2008, in Lodz, Poland, a 14-year-old boy modified an infra-red TV remote control and used it to operate signaling equipment, turning the city’s tram system into his own personal train set. Four vehicles were derailed and twelve people injured in one of the incidents.
Trains have systems that control the engine itself and a network supporting Wi-Fi and other passenger services. “People like to see where the train is, and see an estimated time of arrival,” says Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions. “It’s OK to see selected information from the control system in the passenger area, but we do not want passengers to have the ability to mess with the control system. We want nothing coming back from the passenger to affect the train.” It’s also important for the control center to keep in touch with maintenance workers on the tracks, without fear of network security breaches.
“We are concerned about connections between control center and the outside world,” he continues, “because every connection permits data to flow in and out and consequently permits attacks. Look, but don’t touch. Looking at data is not dangerous. Control is what we want to secure. A unidirectional gateway allows people to watch without touching.”
Ginter has been quoted before saying that all software can be hacked, but he makes no apology for saying it again. “This is absolutely fundamental to the security of critical operational systems and everyone involved in protecting them from malicious attacks needs to understand this as a first principle of protection,” he says. “No-one writes perfect software. There are always weaknesses and vulnerabilities. The worrying thing about the attack on the South Korean supplier is that if the thieves stole a copy of the control system software source code, it’s much easier for them to work out how to hack it. And if they can break in and steal things, they can also modify physical operations.”
Guidelines and regulations
There is a growing realization in organizations that regulate critical industries that software systems do not deliver the security they need. The American Public Transportation Association has already indicated that the IT approach to cyber security cannot offer an effective solution. The APTA points out that “In today’s interconnected environment, it is conceivable and possible for someone acting remotely to access and modify a control system”.
The truth is that nobody can write software that someone else can’t hack, and that message is getting through to the authorities. In the UK, where four cyber attacks were recorded on the rail network in 2015/16, the industry is preparing itself to tackle cyber security as it embraces digital rail technology.
The inaugural Rail Cyber Security Summit was held in London in March this year and the UK’s Department for Transport (DfT) subsequently released Rail Cyber Security – Guidance to Industry, which states clearly that signaling networks should be protected with unidirectional gateways and there should be a clear separation between enterprise and operational networks. The DfT is also engaged in an RSSB-led (Rail Safety and Standards Board) development of a cyber security strategy for the rail industry.
In France the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) is responsible for the country’s digital security strategy. ANSSI classifies networks into three classes. Class 1 includes networks that are not vital to society and are, to put it bluntly, expendable. ANSSI uses a washing machine manufacturer as an example: if someone hacks into the control system and disables a production line, it’s a bad day for the manufacturer but France will not fall. Customers can buy a machine from somewhere else.
Class 2 networks include sites important to society, like a power plant, a water purification system or a chemical plant, while Class 3 is reserved for those where, if the network is compromised, there’s a serious risk that people could die. The example ANSSI uses is railway switching systems.
While the IT approach is perfectly adequate for Class 1 networks, with class 2 networks ANSSI discourages remote access and encourages the use of unidirectional gateways rather than firewalls. On class 3 networks, including railway switching systems, they forbid the use of firewalls to connect any class 3 network to a lower class network. They specifically use the word ‘forbid’, and they forbid remote access, too. The only connection that’s allowed between a class 3 network and a lower class network is a unidirectional gateway. Firewalls can be used inside a class 3 network, to separate one part of the network from another for instance, but at the ‘trust boundary’, ANSSI forbids firewalls.
“This is where the industry’s going,” says Ginter. “Increasingly, guidance and regulations are talking about Unidirectional Gateways. And there are safety critical systems not only in control rooms but actually on the trains, on the moving equipment itself. We need to make sure that nobody can control our assets without authorization or without physically being there in the control room,” he continues. “Control is the issue. This is why people are deploying Unidirectional Gateways so they can monitor without losing control.”
The only way is out
The Unidirectional Security Gateway is the hallmark of Waterfall Security Solutions, a cyber security specialist that produces hardware-enforced security products to protect industrial control system networks. The Unidirectional Security Gateway is the hardware part of the solution. This is, literally, a physical gateway that allows data to flow out of an industrial control system, but allows nothing back in. In other words, the unit at the network perimeter has a transmitter, but not a receiver. The only way is out. “We claim 100 per cent protection against attacks from external networks,” says Ginter. “While there is no technology that can prevent absolutely all attacks, these silent, online, network-based attacks are the workhorse of cyber sabotage, and are the specific risk that comes with increased network connectivity. Our gateways eliminate that specific threat vector entirely.”
There are perfectly good reasons for networks to be interconnected. The Internet is everywhere. Everyone has a cell phone, so people will naturally want to use the ubiquitous medium we call the Internet to conduct important communications, especially in a system as physically widespread as a rail network that spans an entire continent. “The problem is that if you connect control systems out through firewalls, or even multiple layers of firewalls, those protections let messages out and always allow certain attacks back in,” says Ginter. “This is why the guidance and regulations are starting to talk about Unidirectional Gateways.
“We represent an evolutionary alternative to firewall technology,” he concludes. “Firewalls are network routers with filtering capabilities. They forward network traffic from one network to another. They try to determine if a message is allowed or not, and if they think it’s allowed they let it through. When they fail to recognize a bad message that gets through, too. Nothing gets past a Unidirectional Gateway.”
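The “look, but don’t touch” model Ginter describes, and the transmitter-without-receiver design outlined above, can be illustrated with a small simulation. The following Python is an added example written for this article; it is not Waterfall’s product code and makes no claim about how a real Unidirectional Security Gateway is implemented. It models the one-way path as a transmit handle (held only by the control network) and a receive handle (held only by the enterprise network), replicates a constructed train-position feed across it, and shows the practical consequence of having no return path: the receiver cannot ask for retransmission, so it has to detect lost or corrupted frames itself from sequence numbers and checksums. The train identifiers, kilometre posts and ETAs are made up for the demonstration.

```python
"""Model of a one-way (unidirectional) gateway replicating telemetry from a
control network to an enterprise network.  Added illustration only; the
link, hosts and sample records are constructed for this example."""
import json
import zlib
from collections import deque


class TxHandle:
    """Transmit side of the link: it can only append frames, never read."""
    def __init__(self, fibre: deque):
        self._fibre = fibre

    def send(self, frame: bytes) -> None:
        self._fibre.append(frame)


class RxHandle:
    """Receive side of the link: it can only read frames, never write.
    Having no send() method is the software analogue of the receiving
    unit having no transmitter."""
    def __init__(self, fibre: deque):
        self._fibre = fibre

    def recv(self):
        return self._fibre.popleft() if self._fibre else None


class ControlSideSender:
    """Runs on the control network.  Each record is framed with a sequence
    number and a CRC32 so the receiver can detect loss and corruption on
    its own; nothing can come back to request a resend."""
    def __init__(self, tx: TxHandle):
        self._tx = tx
        self._seq = 0

    def publish(self, record: dict) -> None:
        self._seq += 1
        body = json.dumps({"seq": self._seq, **record}, sort_keys=True).encode()
        self._tx.send(zlib.crc32(body).to_bytes(4, "big") + body)


class EnterpriseSideReplica:
    """Runs on the enterprise network.  Rebuilds a read-only copy of train
    positions; passenger or planning queries are answered from this copy
    and are never forwarded towards the control network."""
    def __init__(self, rx: RxHandle):
        self._rx = rx
        self.trains = {}        # train id -> latest record
        self.expected_seq = 1
        self.missing = []       # sequence numbers that never arrived
        self.corrupt = 0        # frames that failed the CRC check

    def poll(self) -> None:
        while (frame := self._rx.recv()) is not None:
            crc, body = frame[:4], frame[4:]
            if zlib.crc32(body).to_bytes(4, "big") != crc:
                self.corrupt += 1      # damaged in flight; seq is unreadable
                continue
            rec = json.loads(body)
            seq = rec.pop("seq")
            if seq > self.expected_seq:  # a gap means frames were lost
                self.missing.extend(range(self.expected_seq, seq))
            self.expected_seq = seq + 1
            self.trains[rec["train"]] = rec

    def lookup(self, train: str):
        return self.trains.get(train)


# Constructed sample telemetry (not real rail data).
SAMPLE_RECORDS = [
    {"train": "IC101", "km": 12.4, "eta_min": 38},
    {"train": "IC102", "km": 80.1, "eta_min": 9},
    {"train": "IC101", "km": 13.0, "eta_min": 37},
    {"train": "IC103", "km": 0.0, "eta_min": 75},
]


def run_demo(drop_seq=(), corrupt_seq=()):
    """Publish the sample feed across the link, optionally dropping or
    corrupting chosen frames (by 1-based sequence number) to mimic a noisy
    one-way medium, then return the enterprise-side replica."""
    fibre = deque()
    sender = ControlSideSender(TxHandle(fibre))
    replica = EnterpriseSideReplica(RxHandle(fibre))
    for record in SAMPLE_RECORDS:
        sender.publish(record)
    damaged = deque()
    for seq, frame in enumerate(fibre, start=1):
        if seq in drop_seq:
            continue
        if seq in corrupt_seq:
            frame = frame[:4] + b"X" + frame[5:]   # flip one body byte
        damaged.append(frame)
    fibre.clear()
    fibre.extend(damaged)
    replica.poll()
    return replica


if __name__ == "__main__":
    r = run_demo(drop_seq={2}, corrupt_seq={4})
    print(r.trains, "missing:", r.missing, "corrupt:", r.corrupt)
```

Two points in the simulation are worth noting. First, the replica only ever holds an `RxHandle`, so there is no object on the enterprise side through which a message, well-formed or not, could travel towards the control network; a firewall, by contrast, has to decide per message. Second, the lost frame is only noticed when the next good frame reveals the sequence gap, and a corrupted frame cannot be identified by number at all, so a real deployment would rely on redundancy (repeat transmission, forward error correction, periodic full-state snapshots) rather than on acknowledgements to keep the replica complete.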