
Cyber Senate Cybersecurity Rail Conference USA Recap

Roark Pollock
VP of Marketing

A recap of the Rail Cybersecurity Conference USA held in Chicago, Illinois, from our perspective.

On May 23rd and 24th, 2023, key constituents of the railway industry came together for the 3rd annual Rail Cybersecurity Conference USA held in Chicago, Illinois. The event was organized by Cyber Senate and jointly sponsored by rail cybersecurity providers, including Cylus and rail integrator Alstom. Over one hundred participants gathered from government, industry associations, rail operators, rail integrators, global system integrators, and cybersecurity vendors.

The event organizers state the conference mission as follows:

“The conference will address the railway’s “Detect, Respond, and Recover” initiatives, highlight the growing dependence on the “Internet of Rail,” our inherent vulnerabilities created in the design of these systems of systems, and how the sector can mitigate risk and respond appropriately.”

For Cylus, the conference was filled with buzzing activities, including meeting with existing customers, discussions with existing partners, continued conversations with prospective customers and partners, and social and networking activities with rail sector colleagues. And yes, plenty of coffee and other caffeine was consumed throughout!

The two-day agenda was packed with many formal presentations, followed by informative Q&A after each. But it didn’t stop there; many discussions happened during coffee, lunch, and dinner activities. Below, I have summarized the key discussion topics from my own perspective.

Strong Positive Signs from the Rail Cybersecurity Conference

To start, the very existence of this rail cybersecurity-focused conference with participants from around North America is a good sign for the industry and the desire to protect these critical rail transportation infrastructures. The broad participation clearly illustrates how the sector is coming together to address its cybersecurity challenges and that everyone recognizes the need for additional cybersecurity capabilities in the operational rail technology (Rail Tech) environments.

Below are positive examples demonstrating the rail sector’s progress in protecting Rail Tech operational systems from cyber adversaries.

The Threat Landscape is an Elevated Concern for the Rail Industry

One speaker at the conference said, “We bricked a train,” explaining that during a penetration test the tester breached train systems within minutes and rendered the train unusable. He continued, “And we could have bricked all the trains!” All participants agreed that there is a clear and present danger to the rail industry’s critical infrastructure. Examples of cyber-attacks on rail infrastructure were discussed, and immediately following the conference, as if on cue, the US Department of Transportation warned on Thursday that China was capable of launching cyber-attacks against critical infrastructure, including oil and gas pipelines and rail systems, after Microsoft researchers discovered that a Chinese hacking group had been spying on such networks.

Working Together and Fostering Strategic Partnerships

On day one of the conference, a cross-industry panel discussed existing strategic partnerships in the industry. A primary topic of the panel was the need to do even more to accelerate the development and deployment of rail-specific cybersecurity solutions, both in existing Rail Tech environments and in new infrastructure and rolling stock build projects. The panel highlighted the headway that rail operators, rail integrators, and cybersecurity solution providers have made in working together to align solution capabilities with operational requirements across the supply chain. Various examples of this collaboration were presented during the conference, including the alignment between the Transportation Security Administration (TSA) and public and private rail operators. Other examples included the joint development of new technologies for newly identified industry use cases, closer alignment between railway operators and cybersecurity providers, sharing key threat intelligence across organizations, joint incident response planning among supply chain participants, and developing new cybersecurity maturity frameworks. One speaker summarized it nicely: “This is why we are all here today at the event.” But the group agreed more is needed.

The Government is Here to Help

The new TSA Security Directives were a key topic of conversation throughout the conference and demonstrated both the attention railway cybersecurity is getting in the halls of government and the government’s willingness to work hand-in-hand with the industry to arrive at jointly agreed-upon measures that will further the protection and resiliency of rail industry infrastructure. Additionally, Cybersecurity and Infrastructure Security Agency (CISA) representatives were on hand and presented to the assembled rail industry executives the CISA and FBI resources available to help industry organizations prepare for, monitor, manage, and respond to cybersecurity incidents in their rail environments. Examples include the CyHy vulnerability scanning service, the CSET cybersecurity evaluation tool, and CISA alerts and advisories.

Industry and Cybersecurity Associations Working to Address Challenges

Various industry and cyber associations were present and extremely active at the conference, including a presentation about the development of a new rail-specific cybersecurity framework, IEC 63452. Many different associations and their current roles and activities in addressing rail cybersecurity were discussed throughout the second day, including AAR, APTA, ARRSLA, ENISA, IEC, MITRE, NIST, and UITP.

Clear Recognition that Rail Cybersecurity Resilience Still Needs to Improve

There’s always more to do to enhance the industry’s cyber resilience. Below are important examples of this caution that were either directly discussed and presented or raised in breakout sessions and Q&A.

Need to Protect Rail Operating Crown Jewels

Discussions and presentations highlighted the critical need to further protect rail operations’ most critical systems. At this particular conference, cybersecurity of onboard rolling stock systems seemed to be the top priority, and the protection of legacy rolling stock systems in particular. Presentations from rail operators, rail integrators, and cybersecurity providers addressed different cybersecurity aspects of rolling stock systems. Other rail operating systems considered ‘crown jewels’ that came up in conversation included signaling, interlocking, and train control systems.

Who is Going to Pay for All of This New Cybersecurity?

Funding for new cybersecurity initiatives came up, directly and indirectly, in various conversations and questions. One direct question that went unanswered during the conference is what government funding is specifically available to privately held rail and metro organizations to help pay for additional cybersecurity capabilities. One concern that may have prompted this question was highlighted in another presentation, which clearly stated that many of the nation’s rail systems are currently “facing a fiscal cliff”, most likely because ridership numbers are not back to pre-Covid levels. Further, one rail integrator asked whether rail operators recognize the cost increase associated with additional cybersecurity capabilities built into new infrastructure projects. And the cost of upgrading extensive legacy infrastructure and systems was an underlying thread in many conversations.

Who is Going to Operate New Cybersecurity Capabilities and Solutions?

This question surfaced in two different ways. The first concern was that rail operators are having difficulty recruiting and retaining staff with the expertise needed to operate new cybersecurity solutions, or to take on more than their current workloads; most are already stretched thin. Second, the cybersecurity service providers who might fill the void are only in the early stages of building an understanding of, and skill sets for, operational Rail Tech systems. Either way you look at it, there appears to be a shortage of people with both cybersecurity and rail operations expertise to meet the need.

A Need to Develop Stronger Cybersecurity Cultures and Recruiting

Culture starts at the top, and developing a cybersecurity culture within rail organizations is no different. Executives who have lived through a breach, or who are constantly targeted by whaling phishing attempts, typically understand the need to build cybersecurity awareness throughout an organization. Insurance audits and regulatory requirements also make executives and boards more aware of cybersecurity needs. But it is the responsibility of the internal security team to build executive support for cybersecurity throughout the organization. This is no time to hide real risks and problems from management; complete transparency is called for. Try quantifying risks, benchmarking NIST maturity scores, and bringing external security vendor executives in to meet your internal executive team. Merge safety and security briefings. Embed security team members in project and operations teams. Build cybersecurity awareness with Legal and make sure they understand the business risk. Whatever you do, secure top-down support for cybersecurity and build a cybersecurity culture.

Final Thoughts

The 3rd annual Cyber Senate Rail Cybersecurity Conference in the USA was a big success based on feedback from speakers, exhibitors, sponsors, and audience participants. The conference was a real-life example of the rail industry proactively coming together to continually improve cybersecurity, especially in operational Rail Tech environments. I’ll close with one last statement made in the conference’s opening panel: “Rail operators need to demand more! You hold the purse strings.”

We’ll all be on the lookout for upcoming rail cybersecurity events and conferences that will further the conversations and actions on the topics mentioned above.

Originally published May 28, 2023, updated May 28, 2023.