Rail Live 2022, held in Málaga, Spain, focused on the transformational era the rail industry is experiencing, from digital innovation to net zero targets and liberalization.
For Cylus, the event was a busy three days of buzzing activity that included meeting with customers, presentations with partners, social and networking activities with rail sector colleagues, and a few minutes in between for coffee and refreshments to keep the team going throughout the week.
Various cybersecurity topics were discussed during the event, some being covered directly while others were present as underlying themes throughout the conference. Here are the key conference highlights and insights from our own perspective.
Cylus and Thales Present a Joint European Signaling Cybersecurity Case Study
As an example of the rail sector coming together to improve cybersecurity, Amir Levintal, CEO and Co-Founder at Cylus, and Agustín Solís Pila, Business Development Cybersecurity at Thales, presented a joint case study. The two offered a view into the collaborative project in which the companies are deploying cybersecurity capabilities for one of Europe's most prominent rail companies to protect its signaling system. The joint presentation was titled: “Cylus and Thales - Bridging the Gap Between Cybersecurity and Rail Operations.”
In their presentation, Amir and Agustín traced the history of this project, which started a few years ago with an assessment of the risks in the customer’s signaling environment, moved on to a validation of the cybersecurity solution in Thales’ lab in Madrid, and finally reached the trial conducted on the customer’s selected signaling infrastructure. The trial was conducted to demonstrate protection in a live operational installed base of rail-specific systems.
The two key drivers for this successful joint project were:
- Demonstrating compliance with the customer’s cybersecurity requirements, including NIS directives
- Providing real-time network and asset visibility across a widely distributed rail infrastructure network with thousands of assets and many rail-specific protocols. The project was conducted in a multi-vendor rail network covering the rail signaling network and the operational technology (OT) networks supporting the CCTV and VoIP infrastructure.
The design layout of the project, shown in the image below, included using non-intrusive virtual network probes to monitor the network continuously for three months for cybersecurity anomalies, along with external threat intelligence from Cylus research labs and integration into the customer’s SIEM solution.
The customer’s success criteria for the project included the following:
- Real-time asset visibility.
- Visibility of unknown assets.
- The creation of network security zones according to TS-50701.
- Automated virtual segmentation and policy creation.
- Demonstrated regulatory compliance.
- Demonstrated real-time security threat detection in a live rail-specific network.
To wrap up their presentation, Amir and Agustín presented the joint project outcomes from the cybersecurity product trial deployed in the signaling system of one of Europe's most prominent rail companies. The results included:
- Successfully demonstrating the simple deployment of a non-intrusive cybersecurity solution in a live, legacy rail network.
- Protecting both the rail safety-critical infrastructure and other OT systems.
- Providing network and asset visibility with deep rail context and intelligence for the identified systems.
- Demonstrating cybersecurity use cases that helped bridge the customer’s security and operations teams.
The Railway Sector Can Collaborate to Strengthen its Cybersecurity
In addition to the Cylus and Thales joint case study presentation demonstrating rail cybersecurity collaboration, Christian Schlehuber from CENELEC led a panel discussion on “How the railway sector can collaborate to strengthen its cybersecurity: From new standards to ISACs.” The panel consisted of Dimitri van Zantvliet, the CISO of Nederlandse Spoorwegen (NS), Serge Benoliel from Alstom, who leads the IEC 63452 team, Marta Garcia, who leads cybersecurity at UNIFE, and Thomas Chatelet, ERTMS Project Officer at E.R.A. Collaborations.
The discussion included the following:
- Further alignment between regulatory agencies and associations, and rail operators
- Continued adoption of new rail cybersecurity technologies and practices
- Continuous training of the broader rail cybersecurity workforce and infusing cybersecurity into rail cultures
Digitalization in the Rail Industry Raises Cybersecurity Risks
Technological developments have driven the transport sector to make significant changes in the last few years. Some at the conference argued that, compared to other modes of transport, the deployment of digital and enabling technologies in rail is at an earlier stage.
Further, they stated that it is vital for the whole sector to maintain its commitment to making digitalization a means to achieving more ambitious and overriding goals. However, that discussion turned to the increase in cybersecurity risks associated with increased digitalization.
Of course, these increased risks are why cybersecurity is such a central theme at the Rail Live conference, and they are also partially responsible for the NIS Directive identifying transport, including rail transportation, as an “essential service”, imposing obligations on rail operators and infrastructure managers to implement cybersecurity and risk management practices as well as to report cyber incidents.
The Threat Landscape Continues to be a Major Concern
One might contend that “the hackers are winning” when you consider that hacking is producing the 3rd largest GDP worldwide behind only the economies of the U.S. and China. In the railway sector specifically, there are elevated concerns due to increased geopolitical tensions, partly as a result of the conflict in Ukraine, and due to observed increases in cyber-attacks. Examples of cyber-attacks and physical attacks on rail infrastructure were discussed during the event, including the rail attacks in Belarus by hacktivists earlier this year to prevent Russian troops from reaching Ukraine and the physical attacks on the Deutsche Bahn GSM-R communications infrastructure by unknown entities. One conclusion from these discussions was that adversaries demonstrate an improved and detailed understanding of targeting railways to generate desired outcomes.
Great Rail Cybersecurity Comes from Meeting Rail Functional Requirements and Incorporating Deep Rail Operational Intelligence
Presenters at the event discussed the need for cybersecurity solutions and services to incorporate a much greater understanding of railway operational and safety context within rail technology environments to deliver improved cybersecurity outcomes for all. This rail operational context, or intelligence, as one called it, is essential both for automated asset discovery and management and threat detection and response within the train control and signaling networks, and for providing easily actionable insights to both rail operational control center (OCC) personnel and security operations center (SOC) personnel.
To Conclude
Rail Live 2022 in Málaga, Spain, featured a who’s who of leaders in the railway sector from across Europe and was a great opportunity for the Cylus team to meet ever more rail operators, integrators, and service providers that want to learn more about cybersecurity for rail technology environments. It was also an excellent opportunity to learn from other cybersecurity practitioners across the sector.
If you missed the Rail Live 2022 conference in Málaga, now is the perfect time to plan for next year. We will see you there at the large-scale, three-day Rail Live 2023 conference in Madrid!