*This article was originally published on www.globalrailwayreview.com
Railway and Public Transport operators are today confronted with major obsolescence issues, a problem that will only grow with the increasing usage of COTS and IoT products. It’s easy to understand why. The expected long life span of rolling stock and other railway assets, from 20 to 40 years, collides with the much shorter life cycle of COTS hardware. The use of commercial firmware and operating systems within the railways’ OT (Operational Technology) environment, with its hard-to-manage software obsolescence, only amplifies the problem.
Concretely, it means that even with the best obsolescence management system, applying all the recommendations from the IEC standard 62402:2019, there will be a time when the rolling stock, signaling or any other railway sub-systems (e.g., SCADA, Passenger Information, Platform Screen Doors, etc.) will have to be operated with known obsolete elements. In fact, the International Association of Public Transport (UITP) cybersecurity sub-committee working group on obsolescence has identified that after 8 to 10 years, public transport operators must generally put in place mitigation measures to protect systems that inevitably become obsolete. This working group, which Cylus led, wrote a comprehensive white paper defining a strategy for PTOs on how to deal with software obsolescence.
Let me be clear: obsolescence goes beyond cybersecurity risks. Sustainability risks with significant impact on operations and maintenance costs, as well as operational efficiency risks linked to RAMS (Reliability, Availability, Maintainability, and Safety) issues, are also involved. For those interested in these non-cyber risks, I recommend consulting the IEC standard 62402:2019, especially the section on risk assessment of obsolete assets, and this UITP report.
Why can obsolete software become a time-bomb?
Here are the reasons why operators must tackle obsolescence from a cybersecurity perspective.
1. Legal and regulatory compliance risks: Operators relying on obsolete solutions can face heavy fines and even legal action if they don’t comply with Government or industry regulations, particularly when a data breach occurs resulting from the use of older technology with known vulnerabilities.
2. No security patches: Hardware obsolescence can trigger firmware obsolescence, since security updates are no longer issued. Without patches, systems become vulnerable to known attacks that could easily be prevented.
3. Discovery of new vulnerabilities: Software obsolescence (i.e., of operating systems, firmware, application software) on its own makes a rail network more vulnerable to cyberattacks. As time goes on, the probability of finding new vulnerabilities only increases.
4. Increased likelihood of exploitation: The more vulnerabilities are found, the greater the chance that they are exploited. To make matters worse, in the longer term, low-skilled attackers can slightly adapt malware already developed for other verticals and replicate the attacks. Not having to develop the attack vectors from scratch only increases the attacker’s pay-back motivation and the likelihood of an attack.
5. Excluded from security ecosystem: To aggravate the impact of these vulnerabilities, obsolete software never really integrates the latest security controls coming from newer “secure by design” coding best practices, making detection more difficult and exploits more likely. Furthermore, the newer protections offered by antivirus and similar cybersecurity solutions are not tuned to malware attack signatures on outdated rail systems, which once again increases the difficulty of detecting such attacks and the probability that they will happen. In other words, software obsolescence can become a time bomb without the right cyber mitigation measures.
Recommendations to mitigate obsolescence risks
Based on my experience and the work performed within the UITP cybersecurity sub-committee, here are my six recommendations to avoid obsolescence pitfalls:
1. Obsolescence planning: Obsolescence monitoring should start at the tender stage, with requirements integrated into the system design phase and carried on throughout the system’s entire lifespan. All Railway and Public Transport operators should establish an obsolescence management system that follows the IEC 62402:2019 standard, which demands planned obsolescence risk assessments.
2. Asset monitoring and obsolescence identification: Within their obsolescence policy, operators must map all their assets and identify when they are becoming obsolete. Though some follow-up can be done manually, as time passes and the number of assets increases, software-driven Monitoring Solutions become mandatory. Monitoring Systems with auto-discovery functionalities not only identify all assets running on the network but are increasingly able to detect the hardware details along with the software or firmware version, and to flag obsolete versions and their overall risk scoring. After setting a baseline, they also monitor any suspicious dataflow or unauthorized access attempt directed at obsolete equipment from existing or new equipment.
3. Zone partitioning according to security levels: The monitored assets shall be assigned to consistent security zones and policies connected by conduits according to the new TS 50701 standard (Railway adaptation of IEC 62443), and based on an initial risk assessment. Asset partitioning should be possible according to the technology lifecycle (i.e., obsolescence) criterion, alongside the many other permitted segmentation criteria (e.g., risks of the asset in terms of integrity, availability and confidentiality, physical or logical location, access requirements, operational function, safety aspects, etc.). Modern Continuous Monitoring technology for OT networks allows for such partitioning and alerts when these policies are violated.
4. Treatment of obsolete IT solutions: The NCSC (the UK’s National Cyber Security Centre) recommends that obsolete systems should be treated as “untrusted”. It even recommends using only solutions still supported by vendors, which implies migrating away from obsolete platforms and applying short-term mitigations until this migration is completed. While applying this recommendation in IT environments is possible, it isn’t feasible for practical and economic reasons in OT rail networks.
5. Dealing with obsolete solutions in OT environments: Implementing a Monitoring Solution that includes network traffic analysis and deep packet inspection capabilities is the only efficient mitigation measure besides physically isolating the network running the obsolete asset through a data diode, a solution that generates many other complications in existing OT networks (e.g., latency, homologation). Just to emphasize once again, a Monitoring Solution is essential for asset supervision, obsolescence identification, and zone partitioning, and can provide compensating controls to ensure real-time detection of malicious behavior until these systems are migrated.
6. Dealing with obsolescence in safety-critical networks: Not all monitoring systems can deal with obsolescence in safety-critical networks. However, a rail-specific Monitoring Solution that understands the proprietary and dedicated protocols can do it. Indeed, such a solution must have the capacity to analyze the ongoing dataflow to the obsolete asset, including traffic at the higher levels of the OSI stack, which must then be compared systematically to an updated library of known viruses and threats. Furthermore, the operator must rely on a supplier that can update its rule-based Monitoring Systems to establish new barriers around the newer exploitable vulnerabilities caused by obsolescence.
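The checks described in recommendations 2 and 3 (flagging assets past end of support, then alerting on conduit violations and on non-baselined dataflows toward obsolete assets) can be sketched as follows. This is an added example, not code from the article or from any monitoring product; all addresses, names, zones, dates and ports are constructed, and the `eos` (end-of-support) field is an assumed inventory attribute.

```python
from datetime import date

# Constructed inventory: addresses, names, zones and dates are made up.
ASSETS = {
    "10.1.0.5":  {"name": "interlocking-hmi", "zone": "signalling",     "eos": date(2020, 1, 14)},
    "10.1.0.9":  {"name": "scada-gateway",    "zone": "scada",          "eos": date(2031, 6, 30)},
    "10.2.0.20": {"name": "pis-server",       "zone": "passenger-info", "eos": date(2029, 3, 1)},
}
# Conduits: directed zone pairs allowed to talk across a zone boundary.
CONDUITS = {("scada", "signalling")}
# Baseline: (src, dst, dst_port) flows observed during the learning period.
BASELINE = {("10.1.0.9", "10.1.0.5", 502)}
TODAY = date(2025, 1, 1)  # constructed evaluation date

def obsolete_assets(assets, today):
    """Return addresses whose vendor end-of-support date has passed."""
    return {ip for ip, a in assets.items() if a["eos"] < today}

def review_flows(flows, assets, conduits, baseline, today):
    """Return (reason, src, dst, port) alerts for flows that break policy."""
    obsolete = obsolete_assets(assets, today)
    alerts = []
    for src, dst, port in flows:
        src_a, dst_a = assets.get(src), assets.get(dst)
        if src_a is None or dst_a is None:
            # Auto-discovery case: an endpoint missing from the inventory.
            alerts.append(("unknown-asset", src, dst, port))
        elif src_a["zone"] != dst_a["zone"] and (src_a["zone"], dst_a["zone"]) not in conduits:
            alerts.append(("conduit-violation", src, dst, port))
        # Any non-baselined flow to an obsolete asset is flagged, whether it
        # comes from existing or new equipment.
        if dst in obsolete and (src, dst, port) not in baseline:
            alerts.append(("new-flow-to-obsolete", src, dst, port))
    return alerts

# Constructed observations for one monitoring interval.
OBSERVED = [
    ("10.1.0.9", "10.1.0.5", 502),   # baselined, over an allowed conduit
    ("10.2.0.20", "10.1.0.5", 445),  # passenger-info -> signalling, no conduit
    ("10.9.9.9", "10.1.0.5", 3389),  # source missing from the inventory
    ("10.1.0.9", "10.2.0.20", 80),   # scada -> passenger-info, no conduit
]

if __name__ == "__main__":
    for alert in review_flows(OBSERVED, ASSETS, CONDUITS, BASELINE, TODAY):
        print(alert)
```

The baselined flow to the obsolete asset stays quiet, which is the compensating-control behaviour: the asset keeps operating, and only deviations from its learned traffic raise alerts.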
The increasing usage of COTS and IoT products will improve Railway and Public Transport operators’ efficiency while reducing their cost in the long run. However, this digitalization process, for all its benefits, will also amplify the problems linked to obsolescence, especially in safety-critical systems. Hence, compliance for Railway and Public Transport operators necessarily requires an up-to-date obsolescence management system and a continuous, railway-focused Monitoring Solution that enables identification, partitioning and mitigation, to ensure that obsolescence issues are dealt with.
Serge Van Themsche
Serge is a senior executive who has over 30 years of experience in managing big international infrastructure projects and multinational divisions. His experience covers the railway, energy, IT and automation markets. Among his previous assignments, he was Bombardier’s turn-key division VP for the EMEA region.
Serge headed the UITP working group on software obsolescence.