As freight railroads move to digitize their processes, rail companies are also looking into safeguarding their systems against hacking and other malicious attempts to disrupt freight rail operations.
Those efforts to address cybersecurity are partly because federal regulations, not just in the U.S. but also for other countries, are starting to require companies to tackle the issue.
“The awareness [within the freight and passenger rail industry] is very high. There are many reasons, but one is that regulation in each country has started to focus on cybersecurity for critical infrastructure, and particularly for rail. The reason for rail is because the impact of that trains have on the economy,” said Amir Levintal, chief executive officer for Cylus, an Israeli-based company that focuses on cybersecurity solutions for rail assets such as rolling stock and signaling. Cylus works with companies in North America, Europe and Asia.
Currently, the U.S. government requires railroads to address communications and security requirements for positive train control (PTC) systems per federal code for PTC. The Federal Railroad Administration, which crafted the federal code for PTC, would include cyber threats to PTC systems as a potential security risk. But beyond that, it’s up to companies to decide how to implement cybersecurity measures.
The freight rail industry has been working on cybersecurity issues for decades, according to Association of American Railroads (AAR) spokesperson Jessica Kahanek. Much of that work and discussion is detailed in a April 2018 report.
“Railroads take a proactive, multi-pronged approach to prevent and provide resiliency against cyber threats. Since 1999, the industry has taken a unified, coordinated approach to its cyber security efforts through the Rail Information Security Committee (RISC). The industry routinely performs assessments of potential vulnerabilities and implements proactive countermeasures as well as recruits cybersecurity professionals,” Kahanek said.
The RISC consists of chief information security officers and cybersecurity leads from the Class I railroads, Amtrak, Genesee & Wyoming, VIA Rail and Railinc, with support from AAR.
Meanwhile, government efforts to address cybersecurity in transportation include the Transportation Security Administration’s initiatives to disseminate information on cybersecurity and a federal working group involving several agencies to address cybersecurity research and development among several sectors, including transportation.
Freight rail is working “in concert with public sector partners to enhance cyber countermeasures and share intelligence and information that is critical to the success of cybersecurity efforts,” Kahanek said.
The freight transportation industry also overall has been working to address cybersecurity, especially amid potential threats to the supply chain. The trucking industry and its supply chain rank fifth among all businesses at risk of cybersecurity attacks as the number of possible threats against the transportation sector has grown 100-fold in just four years, FreightWaves recently reported.
Passenger rail is also addressing cybersecurity through initiatives such as a cybersecurity working group through the American Public Transportation Association.
“Looking forward, railroads can expect to encounter robust cyber threats and will need to continue to evolve security programs, considering a dynamic risk environment and the potential for increasing use of technology for safe and more efficient operations,” the April 2018 report said.
Potential cybersecurity risks in freight rail
There are several characteristics to freight rail that make the industry vulnerable, according to Levintal, who co-founded Cylus in early 2017 after he and others couldn’t find other companies that dealt with addressing cybersecurity in the rail vertical.
One is that the “safety-critical network” can be vulnerable to cyber attacks because hackers could potentially trigger a train’s safety mechanism, telling it to stop. He defined that network as the rolling stock, the signaling network and the locomotive.
If someone can hack into a company’s rail network and stop a train, that could impact the company’s rail operations and disrupt the supply chain.
“If someone is sending a message to the safety-critical network and doing something that is not safe or not standard, the train will stop. It’s very easy to stop a freight train and then impact the profitability of a company,” Levintal said.
Another issue is the age of the technology deployed for PTC systems, which use wireless communications and connect trains to wayside signals. Although the deployment of PTC is still ongoing, the technology is already several years old and companies will need to keep up with newer potential threats.
“Usually attackers are trying to find the weakest link in the train, and interoperability or integration between two technologies usually leaves a weak link that might have vulnerabilities,” Levintal said.
New tenders for rail projects worldwide are taking into account the need to address cybersecurity, but existing systems must also take the issue into account.
“We see more tenders for new lines with cybersecurity requirements built into them. This is a good new start, but on the other hand, for existing rail and existing lines, I think there’s much more to do. If it’s important to incorporate cybersecurity measures to new tenders, it’s obviously very important to start developing working cybersecurity measures on existing ones,” Levintal said.
“Security is part of [maintaining] the safety of the network. If safety is important for the rail industry, they must be focused on cybersecurity,” he said.