Understanding the UK Department for Transport’s cybersecurity guidance to deploy unidirectional gateways
By Andrew Ginter, VP of Industrial Security, Waterfall Security Solutions
The rail industry is a vital part of the UK's national economy, and demand for passenger and freight transport is growing. At the same time, cyberattacks are growing in sophistication, and Britain's critical infrastructure, its rail system in particular, is becoming more exposed. Interconnected systems, passenger entertainment devices and services, and the integration of digital signalling systems all add to the attack surface of a modern rail system.
Cyberattacks on rail systems are no longer a hypothetical threat. Two examples occurred in 2015: Japan Railways Hokkaido was attacked by an allegedly Chinese-backed group, and later that year a more successful attack by allegedly North Korean hackers targeted a South Korean supplier of railway control equipment. There is still reason for optimism, because the risk can be reduced by following modern best practice for securing industrial control systems (ICS), and a major element of the new guidance and regulations is the deployment of unidirectional security gateways.
The British rail industry is preparing to take on cybersecurity as it embraces digital rail technology. As the threat landscape has changed, all stakeholders now share responsibility for the safety and reliability of critical national infrastructure, and the industry needs strong cybersecurity guidance to provide consistency between organisations and across their interconnections.
Connectivity concerns
Some believe that railway control and signalling systems cannot be attacked because they are too complicated for anyone to understand. They have probably not heard that in 2008, in Lodz, Poland, a 14-year-old boy modified an infra-red TV remote control and used it to operate signalling equipment, turning the city’s tram system into his own personal train set. In one of the incidents four vehicles were derailed and twelve people were injured.
Trains have systems that control the engine itself and a separate network supporting Wi-Fi and other passenger services. “People like to see where the train is, and see an estimated time of arrival,” says Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions. “It’s fine to see selected information from the control system in the passenger area, but we do not want passengers to have the ability to mess with the control system. We want nothing coming back from the passenger to affect the train.” It is also important for the control center to keep in touch with maintenance workers on the tracks, without fear of network security breaches.
“We are concerned about connections between the control center and the outside world,” he continues, “because every connection permits data to flow in and out and consequently permits attacks. Look, but don’t touch: looking at data is not dangerous. Control is what we want to secure, which is why a solution such as a unidirectional gateway, which allows people to watch without touching, is quickly becoming the industry standard.”
Ginter continues, “All software, such as firewalls or any IT-based solution, can be hacked. This is absolutely fundamental to the security of critical operational systems, and everyone involved in protecting them from malicious attacks needs to understand it as a first principle of protection. No one writes perfect software. There are always weaknesses and vulnerabilities.”
There are perfectly good reasons for networks to be interconnected. The Internet is everywhere and everyone has a mobile phone, so people naturally want to use that ubiquitous medium for important communications, especially in a system as physically widespread as a rail network spanning a country or a continent. “The problem is that if you connect control systems out through firewalls, or even multiple layers of firewalls, those protections let messages out and always allow certain attacks back in,” says Ginter. “This is why the guidance and regulations are starting to talk about unidirectional gateways.”
This is why the UK Department for Transport (DfT) released Rail Cyber Security – Guidance to Industry, which states clearly that signalling networks should be protected with unidirectional gateways and that there should be a clear separation between enterprise and operational networks.
Waterfall’s Unidirectional Security Gateways are hardware-enforced protection that enables safe network integration. The gateway allows data to flow out of a control network, such as the signalling system, into an external or corporate network, but prevents any communication from flowing back. Using the gateways’ application replication functionality, operational personnel on the external network have real-time access to operational data and can monitor their control system equipment as usual, while the gateway makes it physically impossible for an attack to reach the control network over this connection. The protection covers this link only; any other path into the control network remains a residual risk to be addressed separately.
[Figure: Network diagram of a Waterfall Unidirectional Security Gateway]
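To make the replication mechanism concrete, here is an added model of application replication across a one-way link. It is a constructed illustration, not Waterfall's code or protocol: the class names, frame format, sample records and the `one_way_link` generator are all assumptions made for the example. What it shows is the consequence the paragraph leaves implicit: because nothing can travel back, the receiver cannot acknowledge or request a resend, so the sender repeats each frame and the receiver has to deduplicate, verify and detect gaps on its own.

```python
"""Model of application replication across a one-way link.

Constructed illustration, not Waterfall's code or protocol. The transmit
side sits in the control network and pushes historian records out; the
receive side sits in the corporate network and rebuilds a replica. In a
real gateway the one-way property is enforced in hardware; here it is
only modelled by a generator that has no channel back to the sender.
"""
from __future__ import annotations

import json
import zlib
from dataclasses import dataclass, field


@dataclass
class TxSide:
    """Control-network side: only emits frames, never reads anything."""
    seq: int = 0
    repeat: int = 2          # copies per record, in lieu of retransmission

    def frames_for(self, record: dict) -> list[bytes]:
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "rec": record},
                             sort_keys=True).encode()
        frame = payload + b"|" + format(zlib.crc32(payload), "08x").encode()
        return [frame] * self.repeat


@dataclass
class RxSide:
    """Corporate-network side: rebuilds the replica, reports what it lost."""
    replica: dict[str, str] = field(default_factory=dict)
    seen: set[int] = field(default_factory=set)
    last_seq: int = 0
    gaps: list[tuple[int, int]] = field(default_factory=list)
    corrupted: int = 0

    def accept(self, frame: bytes) -> None:
        payload, _, crc = frame.rpartition(b"|")
        if format(zlib.crc32(payload), "08x").encode() != crc:
            self.corrupted += 1      # damaged frame: discard, rely on the repeat
            return
        msg = json.loads(payload)
        seq = msg["seq"]
        if seq in self.seen:         # second copy of a frame already applied
            return
        if seq > self.last_seq + 1:  # every copy lost: record it, cannot recover
            self.gaps.append((self.last_seq + 1, seq - 1))
        self.seen.add(seq)
        self.last_seq = max(self.last_seq, seq)
        self.replica[msg["rec"]["tag"]] = msg["rec"]["value"]


def one_way_link(frames: list[bytes], drop=(), corrupt=()):
    """The diode. Yields frames towards the receiver; there is deliberately
    no interface through which anything travels the other way. drop/corrupt
    are frame indexes used to simulate a lossy or noisy link."""
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            frame = bytes([frame[0] ^ 0xFF]) + frame[1:]
        yield frame


def replicate(records: list[dict], drop=(), corrupt=()) -> RxSide:
    """Push records through the modelled link and return the receiver state."""
    tx, rx = TxSide(), RxSide()
    frames = [f for r in records for f in tx.frames_for(r)]
    for frame in one_way_link(frames, drop, corrupt):
        rx.accept(frame)
    return rx


# Constructed sample: three signalling status points leaving the control network.
SAMPLE = [
    {"tag": "SIG_A01", "value": "CLEAR"},
    {"tag": "PT_B12", "value": "NORMAL"},
    {"tag": "SIG_A02", "value": "DANGER"},
]

if __name__ == "__main__":
    clean = replicate(SAMPLE)
    print("clean link:", clean.replica, clean.gaps)
    lossy = replicate(SAMPLE, drop={2})        # one copy of seq 2 lost
    print("one copy lost:", lossy.replica, lossy.gaps)
    dead = replicate(SAMPLE, drop={2, 3})      # both copies of seq 2 lost
    print("both copies lost:", dead.replica, dead.gaps)
```

Note that a gap is only noticed when a later frame arrives, so a real deployment also sends a periodic heartbeat record; otherwise loss of the final frames in a burst would go undetected on the receiving side.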
By instituting these measures, security teams can eliminate the possibility of online cyberattacks over these links and redirect their resources to secondary and residual cyber risks. Following this best practice puts UK rail systems in line with established blueprints for cybersecurity at industrial sites around the world, and unidirectional gateway technology has been adopted in international standards and best-practice guidance by many governmental and industry standards bodies.
In France, for example, the Agence nationale de la sécurité des systèmes d’information (ANSSI) is responsible for the country’s digital security strategy. ANSSI discourages remote access and encourages the use of unidirectional gateways rather than firewalls. For class 3 networks, which include railway switching systems, ANSSI forbids the use of a firewall to connect a class 3 network to any lower-class network: the only connection allowed between a class 3 network and a lower-class network is through a unidirectional gateway.
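A practitioner applying this rule to a real estate will want to check it mechanically. The following checker is an added example, not ANSSI's or Waterfall's tooling; the zone names, class assignments and link records are invented test data. It encodes the class 3 rule as stated in the text (a class 3 zone may connect to a lower class only through a unidirectional gateway, with data leaving class 3) and adds one check that follows from the "nothing comes back" property: two one-way gateways pointing in opposite directions between the same zones reconstitute a two-way path.

```python
"""Interconnection checker for the class 3 rule described above.

Constructed illustration, not ANSSI's or Waterfall's tooling. Zone names,
classes and links are invented test data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str    # zone the data leaves
    dst: str    # zone the data arrives in
    kind: str   # "unidirectional", "firewall" or "direct"


def check_links(zone_class: dict[str, int], links: list[Link]) -> list[str]:
    """Return one finding per rule violation; an empty list means compliant."""
    findings: list[str] = []
    for lk in links:
        c_src, c_dst = zone_class[lk.src], zone_class[lk.dst]
        if max(c_src, c_dst) != 3 or min(c_src, c_dst) == 3:
            continue                    # rule only concerns class 3 <-> lower
        if lk.kind != "unidirectional":
            findings.append(f"{lk.src}->{lk.dst}: class 3 joined to class "
                            f"{min(c_src, c_dst)} through a {lk.kind}; "
                            "only a unidirectional gateway is permitted")
        elif c_dst == 3:
            findings.append(f"{lk.src}->{lk.dst}: data entering the class 3 "
                            "zone; the gateway must point outward")
    # Opposite-direction one-way links between the same zones: flag once per pair.
    oneway = {(lk.src, lk.dst) for lk in links if lk.kind == "unidirectional"}
    for src, dst in sorted(oneway):
        if src < dst and (dst, src) in oneway:
            findings.append(f"{src}<->{dst}: unidirectional gateways in both "
                            "directions reconstitute a two-way path")
    return findings


# Constructed example estate: ANSSI-style classes, 3 = most critical.
ZONES = {"signalling": 3, "control_centre": 2, "enterprise": 1, "internet": 0}
LINKS = [
    Link("signalling", "control_centre", "unidirectional"),  # correct: outward
    Link("control_centre", "enterprise", "firewall"),        # class 2->1: outside the class 3 rule
    Link("enterprise", "signalling", "firewall"),            # violation: firewall into class 3
    Link("control_centre", "signalling", "unidirectional"),  # violation: inbound, and reverses link 1
]

if __name__ == "__main__":
    for finding in check_links(ZONES, LINKS):
        print(finding)
```

Run against the sample estate it reports three findings: the firewall from the enterprise zone into signalling, the inbound gateway into signalling, and the pair of opposite gateways between the control centre and signalling.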
“We represent an evolutionary alternative to firewall technology,” he concludes. “Firewalls are network routers with filtering capabilities. They forward network traffic from one network to another. They try to determine if a message is allowed or not, and if they think it’s allowed they let it through. When they fail to recognize a bad message, that gets through too. The difference is nothing gets past a Unidirectional Gateway.”
Waterfall Security already protects a growing number of rail networks in North America, Asia and elsewhere around the world. The company’s market-leading unidirectional security products are deployed globally across all segments of critical infrastructure, including power plants, water and wastewater facilities, onshore and offshore oil and gas platforms, refineries and others.
To speak to a solution expert, please get in touch.