On October 18th, 2022, key constituents of the railway industry came together for the inaugural Hack the Railroad event in Columbia, Maryland, just outside the Washington D.C. area. The event was organized and jointly sponsored by the Maryland Innovation and Security Institute (MISI) and Cylus to create a forum for participants to discuss, debate, and collaborate on cybersecurity in the railway industry. In addition, a parallel technical track at the event included a railroad cyber overview, investigations into attack vectors and scenarios for railroads, and cyber exercise trainings.
Hack the Railroad brought together executives from government agencies like the U.S. Transportation Security Administration (TSA) and the Maryland Department of Transportation (MDOT); cybersecurity leadership from Class I railway operators like Amtrak and CSX Transportation; former rail operator executives from CSX, Amtrak, and BNSF; representatives from a variety of rail and cybersecurity associations like Van Scoyoc Associates, APTA CCSWG, and MITRE; and cybersecurity vendors like Cylus.
During the event, a variety of key topics surfaced. Some were covered directly, while others were touched upon in multiple presentations. Below we summarize these essential topics with our own interpretation of the day’s events.
- Rail is considered a key critical infrastructure industry for the U.S.
The U.S. and other partner nations rely heavily on the rail industry for the movement of large portions of freight, the transportation of passengers regionally and locally, and, militarily, for the logistics that allow the projection of force globally. Additionally, the rail industry is tightly linked with the broader transportation ecosystem for all of the above, including maritime, port facilities, intermodal transportation facilities, aviation, and more. For these obvious reasons, the rail industry is identified as one of the critical infrastructure industries requiring special attention from a cybersecurity and resilience perspective.
- The threat landscape is an elevated concern.
One speaker at the event contended that “the hackers are winning” and that there is a clear and present danger, noting that hacking is “producing the 3rd largest GDP worldwide behind only the economies of the U.S. and China”. Others simply expressed elevated concern due to increased geopolitical tensions, partly as a result of the conflict in Ukraine, and due to observed increases in cyber-attacks. Examples of cyber-attacks and physical attacks on rail infrastructure were discussed, including the rail attacks in Belarus by hacktivists earlier this year to prevent Russian troops from reaching Ukraine and this month’s physical attacks on the Deutsche Bahn GSM-R communications infrastructure by unknown entities. One conclusion from these discussions was that adversaries are demonstrating an improved and detailed understanding of how to target railways to generate their desired outcomes.
- Cybersecurity regulatory requirements are increasing.
As a result of both the critical infrastructure designation by the U.S. government and the observed increases in threat levels, cybersecurity regulatory requirements are increasing. In fact, during the event, Scott Gorton, Executive Director, Surface Policy Division, Policy, Plans, & Engagement, at the TSA, gave the on-site and virtual audience a preview of a new TSA Security Directive (SD) for the domestic rail industry, which was published later in the day. Mr. Gorton noted that this new SD was developed in conjunction with the U.S. Department of Homeland Security (DHS), the Critical Infrastructure Security Administration (CISA), and, most importantly, with rail operators themselves, and that it focuses on desired cybersecurity outcomes instead of prescriptive cybersecurity measures. The new SD has 4 key cybersecurity outcome requirements for rail operators, including:
(1) implementing network segmentation controls in the operational technology (OT) and train control networks;
(2) implementing remote access controls for critical cyber systems;
(3) implementing continuous monitoring and detection and response policies for critical cyber systems in OT and train control networks; and
(4) reducing the risk of exploitation of unpatched systems in a timely and risk-based manner.
- Better rail cybersecurity protection requires a deep understanding of the business context.
Numerous presenters at the event discussed the need for cybersecurity solutions and services to incorporate a much greater understanding of the business and safety context within rail operational environments in order to deliver improved cybersecurity outcomes for all. This business context is especially important as it relates to automated asset discovery and management, to threat detection and response within the train control networks, and to providing easily actionable insights for both rail operational control center (OCC) personnel and security operations center (SOC) personnel.
- The rail industry is working together to do what’s necessary.
One keynote speaker observed that rail cybersecurity is a team sport and requires a common vision and alignment throughout the rail ecosystem: rail operators, government, industry associations, consultants, integrators, and vendors working together. A variety of examples of this collaboration were presented during the day, including the previously noted alignment between the TSA and public and private rail operators. Other examples included the joint development of new technologies for newly identified industry use cases, closer alignment between operational and cybersecurity teams, sharing of key threat intelligence across organizations, joint incident response plans among supply chain participants, the development of new cybersecurity maturity frameworks for train control network environments, the development of new threat modeling frameworks, and improvements in developing internal safety and security cultures across organizations. One speaker summarized it nicely: “this is why we are all here today at the Hack the Railroad event.”
- There’s always more to do to improve the industry’s cyber resilience.
However, with all the marked improvements, some cautioned that there is always more to be done. Three important examples of this cautionary statement bubbled to the top. First and foremost was further alignment between regulatory agencies, associations, and rail operators on lightweight but effective guidance and requirements. The second was continued proofs of concept and adoption of new rail cybersecurity technologies and practices, several examples of which the rail operators presented and demonstrated during the event. And third, the continued training of the broader cybersecurity workforce at the event and the continued infusion of cybersecurity into rail cultures throughout the ecosystem at the leadership, group, and individual levels. One bonus area for improvement that was raised but not directly addressed was the need to improve cybersecurity insurance so that it doesn’t create disincentives for good cybersecurity practice.
The inaugural Hack the Railroad event was a significant success based on feedback from speakers, trainers, trainees, and audience participants. The event served as a real-life example of the rail industry proactively coming together to improve cybersecurity continually. The following is a list of the agenda topics and speakers from the event. Be on the lookout for additional rail cybersecurity events in which you can participate.