The second annual Hack the Railroad conference took place on October 25th and 26th in Columbia, Maryland, just outside of Washington, D.C. Amtrak and the U.S. Cyber Command, in collaboration with the Maryland Innovation and Security Institute (MISI) and Cylus, served as the conference organizers. A new addition for this year was an expo featuring cybersecurity sponsors, resulting in attendance that surpassed last year's event by more than 100%. This year's rail cyber training and exercise challenges had over 100 participants.
As for the key theme from the conference, it can be summarized as "the more things change, the more they stay the same."
The Organizations Involved
The Hack the Railroad 2023 conference brought together a diverse group of participants, including executives and cybersecurity experts from government agencies, railway operators, railway integrators, cybersecurity vendors, and consulting firms. Some notable attendees included Amtrak, Cylus, MISI, the U.S. Cyber Command, the Maryland state government, RiskSec Group, the Federal Railroad Administration, the Washington Metropolitan Area Transit Authority (WMATA), the Surface Transportation Security Advisory Committee (STSAC), CSX, MITRE, the Metropolitan Transportation Authority (MTA), Hitachi Rail, NCC Group, Forescout, the Office of the Chief Information Security Officer, Michael Baker International Engineering, MetTel, Tenable, Sixgen, Recorded Future, Armis, Claroty, Xona, Risks Group Ltd., and Coalfire.
Summary of Key Topics
Throughout the event, various key topics surfaced. Some were directly addressed and discussed, while others were touched upon in multiple presentations. Below, we summarize key topics and include our interpretation of the day’s events.
1. The Current State of Rail Cybersecurity is a Topic of Debate
Some in the industry will outright tell you that the industry is eight to ten years behind when it comes to properly securing operational rail technology (Rail Tech) environments. The reasons include the difficulty of securing 10-, 20-, or 30-year-old legacy systems, or technical debt, and the challenge of securing the systems of the future amid all the digital transformation happening in the industry.
One presenter pointed out that more than 40 technologies and systems are required to run a metro rail system and even laughed at the fact that rolling stock has Ethernet-connected toilets. The same presenter stated that “the more important the thing, the less cyber secure.”
On the flip side, several others pointed out that the rail industry is doing a great job securing its operational Rail Tech environments and is staying in line with other critical infrastructure industries. These individuals like to point out that if you consider the number of rail systems, their geographic distribution, and the overall exposure of the attack surface, there are still very few major incidents that impact the operation of rail operators.
2. The Rail Threat Landscape and Expansive Attack Surface Combine to Create Concerns
The expanding threat landscape poses a clear and growing risk to the reputation and safety of rail operations. The primary source of concern remains the potential threats from nation-states. Recent incidents, such as the attacks on rail systems in Belarus and Ukraine over the past few years, have only heightened these concerns. Rail industry insiders are alarmed at how adversaries are demonstrating an improved understanding of targeting railways to generate desired outcomes.
Another threat landscape concern is how to understand threats to the rail systems of the future. One speaker commented that the rail industry needs to think about the risks in rail systems five to ten years out, not just today’s risks, and that to do so, it needs to continue to focus on understanding an adversary’s possible objectives. Lastly, concern about the threat landscape is growing because safety and security are becoming increasingly interrelated.
3. Rail Cybersecurity Regulatory Requirements are also a Concern for Operators
As a result of both the critical infrastructure designation by the U.S. government and the observed increases in threat levels, rail cybersecurity regulatory requirements are increasing. On Monday, October 23rd, the U.S. Transportation Security Administration (TSA) renewed the 2023 versions of their cyber-focused security directives for railroads (SD 1580-21-01B, SD 1580/82-2022-01A, and SD 1582-21-01B).
During the conference, speakers and attendees expressed a variety of different views on the topic of regulatory requirements, including:
- Compliance is difficult because of the large number of rail systems, their geographic distribution, etc.
- The increasing compliance requirements can and will distract cyber operations.
- Rail cybersecurity regulatory requirements are believed likely to continue to grow more stringent.
- Industry experts think a significant incident in the future will change everything.
4. The Future of Rail Digitalization and Cybersecurity Requires Visibility & Continuous Monitoring
Digitalization and automation are increasingly changing the face of the rail industry. Whether it’s modern signaling systems that improve safety or automated people movers that increase efficiency, these systems need real-time visibility and continuous monitoring for operational Rail Tech cybersecurity. Presentations and discussions at the conference specifically covered operator efforts to expand monitoring collectors across diverse, geographically dispersed environments. These environments include more than 20,000 route miles, interconnections with several hundred partners, and more than 70 port terminals. Monitoring that can be deployed anywhere is critical for asset management, vulnerability management, and threat detection for rail operational environments.
5. Rail Integrators, Not Just Operators, are Working to Address Challenges
There was a discussion at the Hack the Railroad conference about the role of rail integrators in addressing the challenges of cybersecurity in the rail industry. Throughout the conversations, two things stood out. The first is that rail integrators have rail operator customers with different levels of cybersecurity requirements, and competitive pressures prevent rail integrators from developing rail systems with maximum cybersecurity capabilities (and costs) for all rail operators. The second observation is that it will be a really big change for rail integrators/manufacturers to take long-term responsibility for managing vulnerabilities in systems and providing patches for those systems. After all, when is a rail system (rolling stock or signaling system) considered end-of-sale or end-of-life from a support perspective?
6. Some Rail Cybersecurity Myths Persist
We might call these rail cybersecurity difficulties or misunderstandings instead of myths, though. Some examples include:
- Operators need to do more assessments. Is this true? Don’t most operators already know enough to understand their top priorities? Will more assessments help their understanding, or do they just need more time and money to solve their existing top priorities?
- Operators need better vulnerability management. This is easier said than done. Are vulnerabilities even well understood for most legacy systems?
- Operators need to do better at patching their rail systems. Is this true or not? And if so, are patches even available? What about legacy systems that are no longer supported, end-of-sale, or end-of-life?
- Operators need detailed asset information in their Rail Tech environments. Some believe they will die before the industry can solve this problem. Challenging, yes, but the age-old adage is true – you can’t secure what you can’t see.
Cybersecurity professionals in the rail industry want to see rail cybersecurity get to the same level of maturity and discipline as safety! And the conversations in the second year of Hack the Railroad demonstrate the commitment and expertise of the cybersecurity professionals in the industry.
Further, the second year of the Hack the Railroad conference was a significant success based on feedback from speakers, trainers, trainees, and attendees. The event served as a real-life example of the rail industry continuing to come together to improve cybersecurity proactively.
If you missed Hack the Railroad 2023, make sure to be on the lookout for Hack the Railroad 2024 during October, Cybersecurity Awareness Month.