5 Benefits of Automated Asset Inventory Management for Operational Technology
Boost your OT cybersecurity with real-time automated asset inventory management – 5 key benefits for protecting industrial assets.
Economics and technological transformation of business generally go hand-in-hand. If revenue is down, or there is an opportunity to increase revenue through automation, most businesses are apt to make decisions that improve profitability and redundancy. After all, who can blame leadership for ensuring a return for stakeholders and keeping business in the black? In the rail transport industry, ridership is likely down, logistics need optimization, and technology is making all sorts of promises (when isn’t it?).
Keeping a business feasible centers around risk management and Return on Investment (ROI) decisions. If I do X, there is a cost, and potentially a return (e.g., an ROI). Conversely, if I do Y, and that is a negative cost with little return, then Y should be avoided unless it results in some benefit (e.g., brand recognition, legislation/regulatory compliance, long-term gain, or safety). Unfortunately, cyber security is often considered a cost sink, difficult in Operational Technology (OT) or Industrial Control Systems (ICS), or it is an afterthought.
While most of the world is experiencing new challenges, various industrial companies pre-COVID-19 have had numerous scenarios that have led to an increased focus on automation:
The last point is worth discussing: it is THE core driver in business, but it is also a central piece of the puzzle when managing risk, where cost, benefit, risk, and direct and indirect consequences all pull on each other. It is often a mesh of interdependencies that might not be obvious at first, but they are there.
When implementing or deploying new technology, the idea is to thoroughly understand that short-term gains are often negated by ownership costs:
For today’s discussion, Verve’s position is that an organization struggles to maintain and retain long-term gains from technology if cyber security basics are not in place. In the rail industry, and like many industries before it, there has been variation of digitalization. So, while it is not new, there are lessons and observations that rail and transport should be aware of before leaping ahead into transformation projects.
At the end of the day, people and products need to safely and reliably get from point A to point B, and it’s possible that some IoT gadget will help you find revenue, but it may very well cost you – just like that derelict Windows maintenance laptop when it gets compromised.
In continuation of the above, we are observing a global trend of purchasing new solutions and deploying them (which is not bad per se), but as concerned advisors, we are adamant that the IoT/IIoT or technology of tomorrow will become the legacy device of yesteryear.
To be fair, a lot of organizations have traditional processes for ensuring safety or maintenance of physical assets, or even for IT, but OT processes might need updates for cyber security. For example, how are security patches qualified and applied? How are cyber-enabled disruptions handled in OT? (e.g., ransomware on a system that provides OT functions such as controlling signal lights or scheduling). This may also include security requirements appropriate to OT, and even incident handling/recovery.
Technology should not dictate how your business operates, but rather guide it through organizational policies and procedures. Even the best-laid plans can go sideways, but with frequent training and process validation, governance assures all aspects are covered from identification to recovery. Can you build an awareness program without clear objectives? Or manage assets when there is no process to inventory or secure them? I didn’t think so.
Asset management is not an afterthought, because you cannot defend what you do not know, and you cannot make adequate risk management decisions without accurate and timely information or complete visibility. Today, proven OT-safe solutions actively interrogate assets, and reliable connectivity is not as rare as it once was; detailed asset management, inventorying, and patching have never been this feasible, even for transient, mobile, and embedded assets.
Any new assets should be recorded and tracked across their entire lifecycle (including user accounts, firmware, logic, and settings/configuration). If embedded systems often outnumber Windows assets 5-10x, keeping track from the very beginning is critical for tomorrow (and far cheaper than after the fact). It may be fair to assume all assets have vulnerabilities, but visibility on those risks is critical when managing changes and investments in a controlled manner.
Asset management also enables these capabilities, but vulnerabilities and risks relating to embedded/non-commodity systems, and even those that are IT/OT convergent, require adequate protections. In many cases this means patching, but it also includes configuration hardening, user/account management, application whitelisting, backup/restorative images, and other compensating security controls. When new assets are added to a corporation’s estate, the underlying basics for securing them will apply, and legacy caveats will emerge for any system or software over time. Initially this might be a manual process, but ideally, when combined with a technology-backed solution, the overhead will drastically reduce and allow operators to focus on their core duties.
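As an added illustration (example code written for this article, not Verve’s product or code), the following Python compares a baseline inventory against a current snapshot in the way the lifecycle tracking above describes: it reports new, missing and changed assets (firmware, accounts, configuration/logic hash) and flags assets that are no longer vendor-supported but lack the compensating controls the paragraph names. The asset records, field names and the required-control set are constructed assumptions.

```python
"""Added example (not Verve's code): baseline an OT asset inventory, report
lifecycle drift, and flag unsupported assets missing compensating controls.
All records below are constructed sample data; the field names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                 # "plc", "windows", "switch", ...
    firmware: str             # firmware or OS version as reported by the asset
    accounts: frozenset       # local user accounts present on the asset
    config_hash: str          # hash of exported configuration/logic
    controls: frozenset = frozenset()   # compensating controls in place
    supported: bool = True              # vendor still supplies patches?


# Controls we expect on any asset that can no longer be patched (assumption)
REQUIRED_IF_UNSUPPORTED = {"app_whitelisting", "backup_image", "segmented"}

# Constructed baseline: what the inventory looked like when it was last approved
BASELINE = {
    "plc-101": Asset("plc-101", "plc", "2.4.1", frozenset({"engineer"}), "a1",
                     frozenset({"segmented", "backup_image"})),
    "hmi-01": Asset("hmi-01", "windows", "win7-sp1", frozenset({"operator", "admin"}),
                    "h1", frozenset({"backup_image"}), supported=False),
    "sw-core": Asset("sw-core", "switch", "15.2", frozenset({"admin"}), "s1"),
}

# Constructed current scan: firmware/account/logic changes, a new laptop, a missing switch
CURRENT = {
    "plc-101": Asset("plc-101", "plc", "2.5.0", frozenset({"engineer", "vendor"}), "a2",
                     frozenset({"segmented", "backup_image"})),
    "hmi-01": BASELINE["hmi-01"],
    "laptop-mnt": Asset("laptop-mnt", "windows", "win10-21h2", frozenset({"tech"}), "l1"),
}


def diff_inventory(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> List[str]:
    """Return human-readable drift findings, baseline vs. current snapshot."""
    findings = []
    for aid in sorted(set(baseline) - set(current)):
        findings.append(f"{aid}: missing from current scan (decommissioned or offline?)")
    for aid in sorted(set(current) - set(baseline)):
        findings.append(f"{aid}: new asset not in baseline ({current[aid].kind})")
    for aid in sorted(set(baseline) & set(current)):
        b, c = baseline[aid], current[aid]
        if b.firmware != c.firmware:
            findings.append(f"{aid}: firmware changed {b.firmware} -> {c.firmware}")
        for acct in sorted(c.accounts - b.accounts):
            findings.append(f"{aid}: new account '{acct}'")
        for acct in sorted(b.accounts - c.accounts):
            findings.append(f"{aid}: account '{acct}' removed")
        if b.config_hash != c.config_hash:
            findings.append(f"{aid}: configuration/logic changed (hash mismatch)")
    return findings


def control_gaps(inventory: Dict[str, Asset]) -> Dict[str, Set[str]]:
    """Map each unsupported asset to the compensating controls it still lacks."""
    gaps = {}
    for aid, a in inventory.items():
        if not a.supported:
            missing = REQUIRED_IF_UNSUPPORTED - a.controls
            if missing:
                gaps[aid] = missing
    return gaps


if __name__ == "__main__":
    for line in diff_inventory(BASELINE, CURRENT):
        print("DRIFT:", line)
    for aid, missing in control_gaps(CURRENT).items():
        print(f"GAP: {aid} is unsupported and lacks {sorted(missing)}")
```

Each drift line is a change-management question rather than an incident by itself (a firmware upgrade and a new vendor account may both be legitimate), which is why the baseline must be re-approved after review, not silently overwritten by the latest scan.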
Endpoints are not limited to only Windows or commodity IT/OT convergent systems. This includes embedded automation and control devices, IP-addressable systems, IoT devices, cloud components, remote laptops, Virtual Machines (VMs), network infrastructure, and more. Most of the above have an Operating System (OS), are configurable, have users, and run software/applications – all of which need to be managed as best as they can be.
Technological diversity, proper network segmentation into “zones” and “conduits”, access controls, and modern networking infrastructure can go a long way toward reducing the network-borne risks in an organization. Firewalls are not a cure-all (nor are patching or VPNs by themselves, for that matter), but they are a critical component of a holistic security strategy.
Security is really about engineering, and engineering is about functionality and the removal of risks. Many attacks (accidental or malicious) are network-borne, so limiting the impact of an eventual event, while keeping enough network bandwidth for recovery at scale or for data transmission, is truly important. Even passive anomaly-detection solutions require roughly double the bandwidth (to forward packets for analysis, or network taps), and they will not stop or eliminate a cyberattack. Air gaps are not a solution, and they will often result in users bypassing controls. Therefore, control what you can control; networking, including remote access, provides immense operational benefits if you manage the risks appropriately.
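To make the “zones” and “conduits” idea concrete, here is an added example (written for this article, not code from the original post or from Verve) that checks observed network flows against a zone/conduit policy: each subnet is assigned to a zone, each conduit lists the services permitted between two zones, and every flow is classified as allowed, a violation on an existing conduit, a flow between zones with no conduit at all, or a flow involving an endpoint outside any known zone. The subnets, conduit rules and flow records are constructed sample data.

```python
"""Added example (not from the original page): classify network flows against
a zone/conduit policy. Zones, conduits and flows are constructed sample data."""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport proto")

# Which subnet belongs to which zone (constructed)
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "control": ip_network("192.168.10.0/24"),
    "field": ip_network("192.168.20.0/24"),
}

# Permitted conduits: (from_zone, to_zone) -> set of (proto, dport) the
# initiating side may open. Only the initiating direction is modelled;
# return traffic is assumed to be handled by stateful filtering.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"): {("tcp", 443), ("tcp", 4840)},     # historian / OPC UA relay
    ("control", "field"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
    ("control", "control"): {("tcp", 502), ("udp", 514)},
    ("field", "field"): {("tcp", 502)},
}

# Constructed flow records, e.g. as exported from a firewall or flow collector
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", 443, "tcp"),        # office -> DMZ web, allowed
    Flow("10.0.5.20", "192.168.20.15", 502, "tcp"),    # office straight to a PLC
    Flow("192.168.10.5", "192.168.20.15", 502, "tcp"), # SCADA -> PLC, allowed
    Flow("192.168.10.5", "192.168.20.15", 22, "tcp"),  # SSH over the control->field conduit
    Flow("172.16.3.9", "192.168.10.5", 502, "tcp"),    # source in no known zone
]


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-endpoint"          # inventory gap: nothing is known about one side
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) in allowed:
        return "allowed"
    if (src_zone, dst_zone) in CONDUITS:
        return "conduit-violation"         # conduit exists, but not for this service
    return "no-conduit"                    # these zones should not talk at all


def summarize(flows) -> dict:
    """Count verdicts across a batch of flows."""
    return dict(Counter(evaluate(f) for f in flows))


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {evaluate(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The “unknown-endpoint” verdict is the one that ties back to asset inventory: a flow whose source is in no documented zone is either an inventory gap or an unmanaged device, and the policy cannot say which until the asset is identified.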
All the aforementioned items need onboarding, connectivity, and incident/analysis playbooks, but they also need enablement. For example, anti-virus alerts cannot be generated without active, up-to-date AV software, or without log forwarding to a system that digests them.
OT systems and embedded/ICS systems often generate logs and events, but these functions need to be enabled, understood, and acted upon. This takes experience, but it is both feasible and critical for detecting anomalous behavior (especially for legacy and standalone systems like IoT products). Alerts need investigation to ensure adequate context is provided, concisely defined processes are present, and personnel are trained to manage them.
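The two preceding paragraphs make a point that is easy to state and easy to forget: logs only help if they are enabled, forwarded, and read with context. The following added example (written for this article, not code from the original post or from Verve) runs a minimal triage pass over a handful of constructed OT device log lines: it raises a burst of failed logins, surfaces controller mode and logic changes for review, attaches a short asset description to each alert, and, crucially, reports any expected device that sent no logs at all, since silence usually means logging or forwarding was never switched on. The log format, device names, thresholds and asset descriptions are all assumptions.

```python
"""Added example (not from the original post): a small triage pass over OT
device logs. Log format, hosts, thresholds and asset context are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Devices whose logs we expect to see at all (constructed). A device that
# never shows up is a visibility gap, not "no events".
EXPECTED_SOURCES = {"plc-101", "plc-102", "hmi-01"}

# Minimal asset context so an alert says what the device does (constructed)
ASSET_CONTEXT = {
    "plc-101": "signal controller, zone: field",
    "plc-102": "interlocking PLC, zone: field",
    "hmi-01": "operator HMI, zone: control",
}

# Constructed log lines in a syslog-like "timestamp host message" layout
SAMPLE_LOGS = """\
2024-03-04T10:00:05 plc-101 auth: login failed user=engineer src=192.168.10.50
2024-03-04T10:00:12 plc-101 auth: login failed user=engineer src=192.168.10.50
2024-03-04T10:00:20 plc-101 auth: login failed user=engineer src=192.168.10.50
2024-03-04T10:00:41 plc-101 auth: login ok user=engineer src=192.168.10.50
2024-03-04T10:01:03 plc-101 ctrl: mode changed RUN -> PROGRAM
2024-03-04T10:01:40 plc-101 ctrl: logic download complete project=signals_v7
2024-03-04T10:05:00 hmi-01 app: operator acknowledged alarm 2231
"""


def parse(lines: str):
    """Yield (timestamp, host, message) for every well-formed line."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["msg"]


def triage(lines: str, fail_threshold: int = 3, window: timedelta = timedelta(seconds=60)):
    """Return alert strings enriched with asset context."""
    events = list(parse(lines))
    alerts = []

    # 1) Burst of failed logins on one host inside the window; alert once
    #    when the threshold is first reached.
    fails = defaultdict(list)
    for ts, host, msg in events:
        if "login failed" in msg:
            fails[host].append(ts)
            recent = [t for t in fails[host] if ts - t <= window]
            if len(recent) == fail_threshold:
                alerts.append((host, f"{fail_threshold} failed logins in {window.seconds}s"))

    # 2) Controller mode and logic changes are always worth a human look.
    for ts, host, msg in events:
        if msg.startswith("ctrl:"):
            alerts.append((host, msg[len("ctrl: "):]))

    # 3) Expected sources that sent nothing: logging/forwarding likely disabled.
    seen = {host for _, host, _ in events}
    for host in sorted(EXPECTED_SOURCES - seen):
        alerts.append((host, "no logs received; check that logging/forwarding is enabled"))

    return [f"{host} ({ASSET_CONTEXT.get(host, 'unknown asset')}): {what}"
            for host, what in alerts]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print("ALERT:", alert)
```

Read together, the alerts tell a story the raw lines do not: three failures, then success, then the signal controller left RUN mode and took a new program. Whether that is a scheduled change or an incident is exactly the investigation the paragraph above says must follow, and the silent interlocking PLC is the gap to close before the next time.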
This may require rethinking cyber not in the Confidentiality-Integrity-Availability (CIA) triad, but instead, a shift to Safety-Reliability-Productivity (SRP).
IoT is not without its risks, and many of those risks are merely amplified given their standalone nature or their cloud-connectivity features. Be aware, up-to-date, and ready to apply the 4 T’s to risk (Tolerate, Transfer, Terminate, and Treat) for current and future assets. If new assets enable or are enabled through connectivity, assume it may be a two-way street and other assets may also be affected by a cyber-related incident.
To summarize the above lessons, whether your organization is within rail or transportation, OT security shares many of the same recommendations across all industrial segments (oil and gas, energy, pharma, manufacturing, and aviation).
Businesses are like houses – while built on a solid foundation, they require maintenance or renovation over time. Due diligence needs to be applied for insurance and risk management, and regular human training and awareness can go a long way. However, it’s important to recognize that in OT, detection is often over-relied upon as a capability, while not enough emphasis is placed on Prevention, Action, and Recovery; organizations need to be prepared for an incident and ready to get back on their feet ASAP.
Cyber security basics (or cyber security hygiene) provide immense benefits to a variety of organizations, including rail and transportation. In fact, they are often the enablers of the largest risk reductions an organization may invest in, so before moving to or deploying countless IOT devices, we recommend starting with the basics before the problem becomes insurmountable or any hard work becomes undone by tomorrow’s decisions.