How federal guidance can put cybersecurity back on the rails

In the U.S., train systems play an essential role in commerce as well as a means of transporting passengers safely and securely to their destinations. During a recent business trip, I was but one of the millions of people utilizing this service. While in the train station, I found myself gazing at the various screens. On each was a brilliant illustration of the marvels of modern transportation: trains moving seamlessly across multiple lines, their positions, destinations and tracks all displaying tightly orchestrated precision in real time. It was a compelling depiction of the complexity of a tightly woven network where data integrity is paramount.

Data integrity in public rail systems is not just about the accuracy of train locations or schedules; it’s about safety, reliability and public trust. A single glitch triggered by a malicious cyberattack can lead to costly delays or dangerous accidents caused by misrouted trains or worse, such as the Norfolk Southern train derailment in Ohio last year, which spewed toxic materials into a residential area. It seems obvious that protecting this data from corruption, unauthorized access or manipulation is critical.

The more I pondered the risks faced by a rail service provider (and I’d boarded my train at this point so I had plenty of time to think), the more complexity I found. Rail networks are vast. Amtrak is responsible for the oversight of more than 21,400 route miles across 46 states, the District of Columbia and three Canadian provinces. More than 70% of the miles are “host railroads” owned by other organizations — ranging from large, publicly-traded companies to state and local government agencies and small businesses. With these organizations and networks trying to work together, every point of integration increases their vulnerability, making the rapid detection and mitigation of vulnerabilities vital to maintaining the system’s integrity.

This is where the government professionals who are responsible for cybersecurity and infrastructure can help to swiftly identify and address vulnerabilities in the cloud-based software and systems. This monumental task requires the two co-sector risk management agencies for the transportation systems sector — the Transportation Department and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — to serve as conductors.

CISA and DoT are well positioned to serve as navigational beacons to lead and support critical infrastructure organizations and operators that don’t have the funding, technical skill sets or acumen and guide them down the path as a partner to help solve these problems. To launch an effort like this requires a few basic steps from the federal government and transportation sector organizations.

Comprehending, mitigating risks

Compromised systems or infrastructure can have a variety of negative effects, ranging from safety concerns to operational disruptions, financial losses and legal ramifications. For example, just recently Norfolk Southern, the transportation company responsible for the previously mentioned train derailment, was ordered to pay a settlement valued at over $310 million. To properly comprehend risks facing any given transportation company involves evaluating the threat actor’s capability and intent against existing defenses and security controls. This assessment considers potential vulnerabilities such as undeleted user accounts, access control list issues, unpatched software and malware, among others.

CISA is updating its Cybersecurity Performance Goals to better align with the National Institute of Standards and Technology’s Cybersecurity Framework 2.0. However, it has been nine years since DHS has provided the transportation sector with a Cybersecurity Framework Implementation guide tailored specifically for the sector. Additionally, the last time DHS released a transportation systems sector activities progress report, which outlines the sector’s progress toward achieving its sector-specific goals, was back in 2018.

In the world of cybersecurity, five years or more is considered an eternity due to the nature of national level threats continuously evolving and emerging. Given this, it’s imperative for CISA and DoT to not only ensure the implementation of the latest cybersecurity frameworks, but also orchestrate more frequent and regular progress reviews of the sector activities along with revising the associated implementation plans.

With their movement and activity monitored online, trains may now be considered as part of the Internet of Things (IoT) — devices that are often controlled by external applications residing on cloud platforms. Accordingly, CISA and DoT guidance should focus on educating rail system operators on the components of zero trust security — specifically, strong identity management and verification in addition to enforcing the principle that users shouldn’t be granted system privileges beyond what’s needed to perform their respective jobs. Guidance should encourage operators to leverage zero trust network access (ZTNA) tools like secure access service edge (SASE), which provide secure, simplified connectivity to any network location or device, including IoT.

Identifying international threats, advanced persistent threats

CISA, the National Security Agency and the FBI are frequently identifying state-sponsored actors, particularly from China and Russia, who are behind these threats. In addition, hacktivist gangs and advanced persistent threats (APTs) are also emerging in these and other countries. These groups are able to leverage sophisticated tactics to exploit vulnerabilities in both cloud and on-premises systems.

The disruptive impact that could result from targeting transportation organizations makes them a target for threat actors who wish to cause such civil disruption. Staying ahead of these threats requires cybersecurity professionals to maintain best practices in access control, system configuration and patching, amongst others. CISA and DoT can support these professionals by developing and providing them a free toolkit to highlight the most relevant resources to protect against, and reduce impacts from, threats posed by malicious cyber actors looking to attack transportation systems — essentially recreating what the government has already done for water and wastewater sector organizations.

Adopting defensive strategies to combat emerging threats

As noted in CISA’s recent guidance, the adoption of artificial intelligence by hackers increases the frequency and complexity of cyber threats, underscoring the need for up-to-date cyber defenses. Moreover, the risks of phishing, malware, zero-day threats and ransomware demand comprehensive security measures, including sophisticated defense mechanisms, cyber awareness training and robust backup and recovery plans.

DoT’s Federal Transit Administration provides a variety of services to assist rail operators in their efforts to beef up cybersecurity. The agency provides grants, conducts webinars and has created a Cybersecurity Assessment Tool for Transit to “help public transit organizations develop and strengthen their cybersecurity programs to better identify and mitigate risks.” DoT and CISA should collaborate to ensure the tool gets into as many hands of rail operators as possible, as well as offer assistance to small organizations without the necessary cybersecurity resources in house.

CISA and DoT can take notes from what the Environmental Protection Agency has already done for water and wastewater sector organizations in terms of funding to expand opportunities for rail system operators who need assistance. There are several resources that drinking water and wastewater sector systems can use to increase their cyber resilience, including the Clean Water State Revolving Fund, Drinking Water State Revolving Fund, and CISA State and Local Cybersecurity Grant Program. Similarly, DoT and CISA can support and encourage rail companies to improve their cybersecurity posture by providing them with the necessary funding to do so.

Safeguarding our railroads requires a multi-faceted approach, combining rigorous risk assessment, adherence to legal standards, vigilance against international cyber threats, and the implementation of advanced security technologies and best practices. Through a combination of the solutions outlined above, CISA and DoT will enable transportation sector organizations to develop resilient transportation infrastructure that can withstand and quickly recover from any cyber incident.

As Sun Tzu states in the Art of War, “In warfare, there are no constant conditions. He who can modify his tactics in relation to his opponent will succeed and win.”

These systems will continue to transform and evolve, and in turn, so will the tactics of our adversaries. The collaborative efforts of cybersecurity professionals, technology providers and infrastructure operators are essential to maintaining the safety, reliability and trust that society places in these fundamental services.

Michael Ferguson is the global director for security transformation at Netskope.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.