Co-authored by Domenico Scardicchio.
What happens when cybercriminals target critical infrastructure such as railroads? The good news is that this type of attack is difficult to pull off — but certainly not impossible. Such an incident would most likely stop the train, resulting in financial loss and reputational damage, but nothing more than what we’ve already seen when cyberattacks hit organizations in other industries, such as financial services and health care.
Railroad signaling systems such as the European Rail Traffic Management System (ERTMS) and the European Train Control System (ETCS) are complex and composed of several subsystems that are interconnected, each of which requires its own deep security analysis. Protecting the entire system calls for a holistic approach to security.
Don’t Let Cyberthreats Derail Your Network Security
While not classified as pure information and communications technology (ICT) equipment, these subsystems integrate with many components that rely heavily on IT, thus inheriting numerous cybersecurity concerns. To secure these components, it’s important to think like a cybercriminal. That means focusing on protecting components that are particularly exposed and valuable to fraudsters, such as control systems, power management, and diagnostics and maintenance.
It’s easy to assume that if the railroad’s network is separated, it is impossible to attack. This may have been true when supervisory control and data acquisition (SCADA) systems used proprietary protocols and interfaces, but most railroad operators today use open systems to access the programmable logic controller (PLC) and networks based on IP.
Preventing an attack with traditional security tools is very difficult, but a security information and event management (SIEM) solution can pay big dividends. The key is to be proactive and to treat the railroad system like the human immune system. That means establishing several layers of defense and integrating them to automate policies and block threats consistently and comprehensively — just like the organs in the human body communicate with the central nervous system to create antibodies and prioritize responses.
All Aboard the Security Immune System Express
This security immune system approach is centered around a core of security analytics and orchestration that continuously understands, reasons and learns the many risk variables across the entire ecosystem of connected capabilities. Most importantly, it helps increase visibility into risks that would otherwise be missed.
The best way to achieve this level of visibility is to introduce cognitive security elements into the ecosystem of controls, starting with a smart SIEM solution capable of monitoring, detecting and generating insights related to potential threats. Applying this technology to the incident triage process requires analysts to understand the attack pattern by digesting structured and unstructured data from internal and external sources, such as events, logs, reports, blogs and more. This huge volume of information can be overwhelming; a cognitive system comes in to help analysts sort and prioritize threat data, reducing the incident triage process from months to mere minutes.
The railroad system may be complex and seemingly impenetrable, but cybercriminals make their living by striking when and where security professionals least expect it. A security immune system powered by cognitive technology is the best defense against cyberthreats, especially those targeting critical infrastructure.