Nowadays cybersecurity personnel are well aware of the importance of Security Zones. Compliance processes based around the NIS directive and the main cybersecurity standards such as IEC 62443 and the upcoming TS 50701, are constantly there to remind them that it is indispensable to segregate zones according to different security levels. If it’s mandatory, you may think that everyone should know how to do it. Unfortunately, many railway infrastructure managers and operators have been struggling to implement concrete zoning measures, as prescribed by these standards. Why so? Until recently, technology couldn’t separate the asset and network dataflows without affecting the overall network performance. Let’s now understand how railways can become cyber compliant, especially in safety-critical environments.
What’s a security zone?
In railways when we talk about a System under Consideration (SuC), we either refer to a complete network comprising many sub-systems with different security levels, or to any one of these sub-systems with their own assets. To account for this diversity of network complexity, standards have introduced the concepts of zones and conduits.
A Zone is defined as the logical or physical grouping of railway assets (i.e., physical assets, applications, or information) sharing identical security requirements. Each zone has a unique set of characteristics and security requirements with various attributes (e.g., security policies and levels; asset inventory; access requirements and control; threats and vulnerabilities, etc.).
A Conduit can be considered a specific type of zone, which regroups the communication devices (e.g., switches, routers, firewalls, communications gateways, etc.), enabling the dataflow between zones. On top of a zone’s attributes, it also possesses a set of characteristics and security requirements linked to the interconnected zones and communications protocols.
The IEC 62443 standard defines security levels as a qualitative method, serving to compare and manage security for different zones of an organization. Through a risk assessment, Professional Service experts will assess three types of security.
Firstly, they will identify the right security level to operate correctly, which is called the Target Security Level.
Once a system design is established or is already implemented, these experts will measure and rank the Achieved Security Level.
Finally, professionals will determine whether or not this asset or sub-system is capable of reaching the Target Security Level natively, when configured correctly, without any additional countermeasure. The ability of an asset or a sub-system to provide that protection is called the Capability Security Level.
Service Professionals, within their risk and vulnerability assessment, will consider these three level types and assign one of the 5 following Security Levels to any given zone and conduit.
In other words, each asset in the same zone and all conduit dataflows will receive the same Security Level from 0 to 4, established in function of similar cybersecurity requirements, for all three security types.
The complexity of zone and conduit partitioning
Because of their complexity, Railway and Public Transport operations must usually go through yearly detailed risk and vulnerability assessments. Each time, the process requires assets to be checked for the three security types and if needed, reassigned coherently to the right security zone or conduit.
The IEC Standard 62443-3-2 proposes a general set of partitioning guidelines, which the future standard TS 50701 has adapted to railways. Among its recommended zoning criteria, three are especially useful:
Other pertinent criteria for segmentation are the:
All this means that to be cyber compliant, a railway or public transport operator must rely on technology enabling an easy enforcement of rules prohibiting assets to communicate between them unless they share the same requirements, according to most of these criteria.
Why OT and IT Solutions will not solve it?
Firewalls have been around for a time, doing just that: authorizing outgoing and incoming packets to flow between assets, by comparing them with very limited pre-established criteria (e.g., IP addresses, packet type, port number, etc).
Even the Next Generation firewall (NGFW) technologies cannot meet the more sophisticated TS 50701 partitioning criteria, because they only provide security analysis for the TCP/IP based protocols they support. TCP handshake checks and packet inspection on common protocols are great features in IT environments, but no NGFW technology can read and interpret specific OT protocols or Railway Applications, which is the only way to provide zoning compliance in railways.
Furthermore, in safety-critical systems, low latency is an absolute prerequisite. The extra step (hop) involved in checking/blocking/dropping with security gateways when transferring the packets, creates significant slowdown and risk to operation and therefore, prohibits the usage of NGFW within these networks.
Even when considering OT solutions that have the proper support for IoT protocols it is important to remember that these solutions mainly use shallow packet inspection for the purpose of extracting protocol parameters without their context to the entire rail signaling and rolling stock safety applications. Therefore, they won't be able to map the monitored components into their desired zone and conduit.
Compliance made simple with rail focused cybersecurity solutions
On the other hand, some Rail-Focused Monitoring Systems are made for railway OT and safety-critical networks. These purpose-built cybersecurity solutions use machine learning algorithms and deep packet inspection technology in order to address TS50701 requirements. Hence, they can:
Such Continuous Monitoring Systems can automatically map all these assets into zones and conduits, based on best practices and standards. In matters of minutes, all policies and blocking rules are thus established simplifying a process that with Firewall technology is complex and lengthy. Obviously, manual fine-tuning is possible enabling, for instance, zoning per departmental responsibility. In fact, with some Continuous Monitoring System, updating zone partitioning becomes a child’s play. As the system is non-intrusive - so has no impact on latency – railway CISO’s can dispose of an evolutive solution that will never affect the performance of the operations. Railway CISOs can stay in their comfort zone knowing that technology exist to support them meeting 24/7 cybersecurity compliance.