Launching the second season of the Secure Tracks Podcast, our guest is Colonel Alok Shankar Pandey from DFCCIL. Join Roark Pollock and Pandey as they explore the crucial domain of rail cybersecurity, discussing the essential requirement for collaborative defenses. From information sharing and technological integration to global standards and collaboration, Pandey uncovers the efforts underway to protect operational rail tech systems from evolving cyber threats.
About our guest:
Colonel Alok Shankar Pandey is a seasoned professional with extensive experience in the realms of communications and information security. Currently serving as the Chief Information Security Officer at the Dedicated Freight Corridor Corporation in India (DFCCIL), Colonel Alok has dedicated the last four years to ensuring the security and integrity of information within the organization. Before his tenure at DFCCIL, Colonel Alok contributed significantly to the Indian Army as a member of the Corps of Signals. With a career spanning almost 27 years, he brings a wealth of knowledge and expertise to the field.
Roark Pollock: Hi, I'm Roark Pollock, and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies in cybersecurity. In this episode, we're going to talk about building a leading rail industry cybersecurity program in India with Colonel Alok Shankar Pandey from the Dedicated Freight Corridor Corporation in India, or DFCCIL, for short. Colonel Alok has been the Chief Information Security Officer at DFCCIL for the last four years. Prior to his current role, Colonel Alok was in the Corps of Signals for the Indian Army until 2019. Alok has almost 27 years of experience in the field of communications and information security. He is now based out of New Delhi, and is a thought leader who speaks on topics ranging from cybersecurity to exploiting emerging telecom technologies for the public good. Colonel Alok, welcome to the show, and thank you for joining us today.
Alok Shankar Pandey: Thank you, Roark, it's a pleasure to join you on the first episode of season two, looking forward to a wonderful interaction.
Roark: Awesome. Well, we really appreciate you joining us today. And we're looking forward to the conversation. Colonel Alok, one of the things that I like to do is get a little bit personal before we start and understand how you got into cybersecurity and into the space. You, for instance, spent quite a bit of time in the military. So how did you get into cybersecurity and industry? And specifically, how did you end up in the rail industry?
Alok: Oh, that's a very interesting question. To start with, and unlike today's world, when people have this option of branching out into the cybersecurity field, at that time, no such field existed about three years back. So when I joined the Indian Army, I was fortunate to be commissioned in the Corps of Signals. And the Corps of Signals actually looks after three important aspects. Firstly, is communication. Second is cybersecurity. And third, is IT - the electronic warfare part I've left out. So what happens is, even before the commercial world outside was thinking converged technology, the Corps of Signals, at least in India, was talking convergence. The minute you were talking convergence, you're talking of ICT, as the word exists today, about three decades back. Military background, armies across the world are obsessed with security; security is of paramount importance to them. So given my domain and security requirements, I was associated with network security, and security. And also, I probably realize now that at that point in time, it was probably a case of end-to-end security when you were talking of encryption from end-to-end for certain dignitaries. So it was only natural that whatever I gained over the last 25 years in the Indian Army, when I transitioned, I transitioned to something similar, where I could contribute meaningfully. The Indian Army is, again, a highly operational army, quite sensitive to operations. And what better place to move to than a segment of railways, which is equally important operationally, because the significance of a delay in any fall, how there's repercussions. So that is, well, my transition.
Roark: Yes, it does. In railway, the operations are a massive aspect of the business. So we're glad to have you on the business and in the industry. I know we have a lot of topics to talk about today. Let's dive right into our first topic. So Alok, I heard you say, one of the first times we met, that you didn't think cybersecurity is getting sufficient attention, especially in light of some of the well-known cyber attacks and the potential threat of business disruption in the rail industry. And so I thought I'd open it up and just say, you know, can you elaborate a little bit more on why you feel that way specifically in rail?
Alok: Businesses are relatively new to cybersecurity. So I may be coming with a bias of my past experience where I've been in this environment of security for almost 25-30 years. But traditionally, businesses have treated both IT and later on cybersecurity as cost centers. My CEO is willing to give me as much money as I want, but he wants an answer in return - am I secure now? And the answer is no. So, that is why the return on investment is actually intangible. Because the return on investment is intangible, there have not been adequate past instances. So, people have actually not accorded it as much importance as they have accorded importance to routine operations. With niche states getting into the business now, there is a more increasing focus on cyber security now. And we have had one of the revealing cases at the All India Institute of Medical Sciences, where the ransomware attack was there. It also did one thing, and I call it a blessing in disguise for people in the cybersecurity business, because ransomware puts an indicative cost to the cost of not ensuring cybersecurity, as also it is the bottom lines. So it hurts people are ready. Right. That's more people ready towards most.
Roark: Yeah, I agree. And you may be the first Chief Information Security Officer we've had on the show that said your CEO is willing to give you as much money as you ask for. You're in an enviable position, I think, as far as CISOs go in the rail industry. But I would say, I think you have to agree that, you know, for industrial companies in general, especially those that are considered critical infrastructure, there's been a shift over the last however many years from focusing solely on IT security. Now, those teams are more and more looking at OT security and OT security technologies. And so I think that's something that you certainly probably agree with, if I'm not mistaken?
Alok: I do agree with what you're telling, Roark. Because I can see a shift. As I said, my CEO is willing to give me money today; the only thing is that he wants 100% risk aversion against that money, which I'm not able to promise, right. But the shift has been slow. Also, it is more obvious in fields that have borne the brunt of it. So for example, the power sector. We recently had a power sector outage, and people working in the power sector have realized what it can do for three to four days of power outages, if they utilized what a power sector outage can have. Fortunately, for us, we do not have that kind of an impact in the railway sector. So therefore, it has been slightly slow. Another reason why it has been slow is the mindset of the people, especially those who are from the operational and signalling and telecom background, who have been taught throughout their life that the technology that they're using is fail-safe, closed loop systems. So that mindset actually brings in a very high sense of assumed security. So you have this challenge of accepting security. The ecosystem in itself is promoted by few OEMs. So that also reinforces that idea that it will fail safe, it has failed. And a major shift has happened over the last few years. What were traditional analog systems have now become your IT systems, with isomerization, your routers and switches coming in between, so they become yours? So the challenges have increased - the acceptance on the mindset part has been slightly slow.
Roark: Right, right. Yeah, agreed. Yeah, everybody used to think that all those systems were air-gapped, or at least felt that, and that's changed. So that's the reason for the change in focus. So let's get a little more specific. Colonel Alok, I know you're putting your own cybersecurity and risk management program in place there at DFCCIL. You're well into that project. Maybe, without exposing too much of what you're doing, you can walk us through the journey you've had so far, and where your focus has been, and maybe where it's going to be going forward?
Alok: I think I'll take the liberty of adding a disclaimer before I go ahead and answer this question: the thoughts that I express over here are my views, and what I would want to do, and not necessarily what my organization is doing or would like to do.
Alok: What has happened is cyber incidents do not necessarily have to translate into accidents. They can also disrupt business continuity. We have had the recent incident of the Polish Rail, where the RF hack actually brought around a standstill in the operations. Rather than tell people about cybersecurity being able to disrupt and cause accidents, my focus is towards business continuity, and making people aware that business continuity is an important facet, which is actually driving your revenues. And to ensure that, I did not necessarily put in a lot of effort there; rather, my focus is on continuous monitoring of the systems using the latest technologies, artificial intelligence and machine learning, to detect anomalous behaviors or patterns which are inconsistent with the regular operations. These can be my red flags, which I can use to at least bring some sense of security into my operations. This is where I'm broadly looking at starting the cybersecurity program in my organization.
Roark: Okay. Perfect. Yeah. And we're seeing that more globally. I know that's becoming a requirement in quite a few industries, in critical infrastructure, and certainly in rail. Let's jump into a different topic here. And maybe you don't have this problem. We talked about this a little bit, but I assume in your current cybersecurity journey, securing your operational rail technology environments, you're adopting new technologies, new security solutions. That process, and managing that process, can sometimes be challenging. How do you overcome the status quo that often comes with adopting new technologies, even if you have all the money from the CEO that you need?
Alok: You certainly have a challenge in addressing the status quo mindset. Because what happens is, there are legacy systems whose lifespans, when they were procured, were thought to be 20 years, 30 years, 40 years. Some of them were just never designed with cybersecurity in mind. So, you now have to strap on cyber security as an add-on to them. So, whenever you have some kind of add-on, you have these interfaces, where you will have this problem of vulnerabilities still existing. There is also this challenge of the ecosystem being controlled by a select few OEMs, unwilling to share the proprietary protocols or the proprietary language in which they speak. It works both ways. One, it is not available to the public to understand. So the attack surface is slightly risky, slightly reduced. On the other side, if someone knows, the kind of catastrophe that can cause is immense. And we have seen PLCs coming up with lots of vulnerabilities, authentication bypass, everything. So what I am again focusing on over here is, first, build a level of awareness that this can happen. Second, get people, at least the stakeholders, to accept that if this happens, it can have a dual impact: on my business continuity, and second on my operations. Right, still work in progress and lots more to be done.
Roark: Well, Alok, you brought up an interesting topic, which is the difference between building cybersecurity into new greenfield rail projects, versus having to overlay or incorporate or uplift the cybersecurity capabilities into your existing infrastructure. How are you thinking about the difference between those two? Do you prioritize one over the other? Do your executive stakeholders think of them differently?
Alok: Different stakeholders, at least in the rail ecosystem, have different priorities. The operations people are more concerned with a secure operation, all the operation security not is concerned. The signalling and telecom people are concerned with signaling and telecom happening, whichever way; electrical people are concerned with ensuring the quality. But there is a rising awareness, especially when this western grid incident happened in the Indian case, that start is vulnerable. So my electrical people are gradually aligning to the need for cybersecurity. The signaling ecosystem is still running with the same mindset of fail-safe, as the guards prioritizing, and actually saying whatever is going forward should have cybersecurity built in by design. I'm trying to collaborate with the OEMs to share their protocol stacks, and they keep on profile that they have, so that, at least from the open source intelligence that is available, one can at least establish what kind of vulnerabilities are there and plug them with their collaboration, because it will not happen without the collaboration. So that is the next big challenge. And one thing that has worked tremendously for me was, we were working on a case of operations aggregation, and I got the opportunity to do penetration testing of the application. And I demonstrated the penetration testing outcomes live to my management. So when you show something live, seeing is believing. When people saw that authentication can be bypassed, there are issues. It helped me more in creating awareness and acceptance. So first is creating awareness and acceptance. Second is collaborating with the OEMs, and third, ensuring cybersecurity by design going forward.
Roark: Yeah, it brings up an interesting point, which is, as you think about your senior executive staff, or your key stakeholders in the business: what do they think the risk posture looks like from an operations standpoint? And what's the risk appetite for the business at this point?
Alok: Indian Railways runs about 22,000 trains per day, carrying 24 million people on an average daily, and about 200 million tons of freight, right. So in terms of volume, it is moving more than a few countries put together daily from one place to another. Risk is very high. And again, fortunately, we have not had those many incidents in the past. So risk appetite is also high, because of lack of awareness, or lack of probably exploitation by people, both for want of knowledge of the OT sector, as well as expertise in the field. The problem is increased because of nation-states' involvement. They have the appetite, the money, and the war to bring that kind of an impact event into the country, to bring it down to its knees. One can draw parallels with a number of things that have happened, but till now we are lucky; we have not had a direct correlation to a cyber event, at least in India.
Roark: Right. Sounds like that's one of your bigger concerns. All right. Well, let's change gears here a little bit, as it were. So Colonel Alok, when you and I first met you said something, maybe this is a bit controversial? I don't know. But I'm going to ask anyway. You said that the global OT community is not doing a good job when it comes to sharing intelligence, and that you thought the rail industry was even worse than the general OT community. And so I thought I'd ask if you wanted to kind of elaborate on your view there and specifically why you feel that's the case. And then, a little bit later, we can talk about where you think we can get better.
Alok: Yeah, that's an opinion that I have shared and I actually formally stand by it, at least as on date. When I say cyber offensive, the intent per se in this case is malicious. So it is an open ground for anyone who wants to do something; mal intent is malicious, you can't control the other person. When I say cyber defense, at least in the case of multi-sector and railways in particular, you have one or two operators in each country. The number of events per se happening globally are less. They are on the rise, but they are less; they can be counted on your fingertips in each country in a year. If certain people have been subjected to or experienced cyber attacks, the first reaction is to put it under the carpet, as there will be loss of reputation, and there will be a penalty which will be enforced, which has to be that the first reaction. Those who've gone forward and accepted that something of this kind has happened have done a root cause analysis, which is not available to be shared in the defense community. So, if an incident happens, the Polish case is a good example where the incident happened, it was shared, everyone came to me, but there are multiple incidents which have happened, which have either been a trip you take to cyber incidents cyber attack, or are suspected cyber attacks. If we start sharing the root cause analysis of these incidents, we will be much wiser together, first. Second, the entire ecosystem globally is again, as I said, controlled by a few OEMs. So, if this sharing happens, those 3, 4, 5, 10 OEMs can be requested, or, if necessary, different means used, to enforce that the products are made safer in light of what is already exposed, because no one is going to tell you that my product is vulnerable. OEMs have also come up with a new vertical of cybersecurity in the rail industry, the same OEM who has got the product online, which is operating on the track.
Alok: Commission. And now comes up with a new products business segment of cybersecurity. I have nothing against the business verticals. But I expect, at least in this kind of operational technologies, which have an immense impact on nations as well as the public, there has to be, again, security by design. And that is why I said neither the OEMs are sharing, nor are the countries collaborating enough; we probably need to have a forum where we collaborate.
Roark: Right. So, you know, I'd like to dive into what you think we can do better, especially in the short term. I know that within certain countries and within certain regions, the CISOs have forums where they share information. Perhaps this is not happening on a global scale. Is something like this happening in your region, and are you basically pushing for and hoping that we can do something in the industry that's more global, not just small regional groups?
Alok: Absolutely, people are doing it within the regional boundaries, probably within the acquaintances within the CISO community in one country or probably two countries. It is not happening. So, my suggestion is, one, I hope that it translates to a global CISO level, because the rail industry, as I said, has one or two operators in each country and affects the entire globe.
Alok: I hope that it translates into collaboration between people, and that will happen only when, one, CISOs are not statutory compliances. You are putting a CISO if you want to meet a statutory compliance; the CISO has to be aware of the risks that the infrastructure brings with it, the CISO should be equally competent to be able to do a risk analysis. Once you have this kind of CISOs who are technically and procedurally competent, then the next level is sharing information among people. In India, first, if I see an example, I've got Indian Railways, major stakeholder, dedicated freight corridors, and we have about 20 metros. So, it is about 25 or so CISOs; if they understand the technology, if they understand the vulnerabilities and risk associated with it, we can do a good job inside India itself. And if we expand it further, international alliances come into the picture, but we have our organization, call it ITU, it looks after the telecom vertical global standards. There, people work towards standardization, people work towards sharing experiences and working towards open source. Maybe you can have a particular ITU or other global body, which looks after standards, which will open source.
Roark: Yeah, that's right. And I know that you're involved in the standards development, and you've talked about developing your own program within DFCCIL. So is there a standard, or a set of standards perhaps, that you're using as part of your model? Maybe it's the foundation of your model that you want to develop your own program to, because I know you're interested in developing your program internally, you've talked about, and taking it outside, not just for DFCCIL or even not just necessarily for India, but even perhaps exporting your program. So what do you use as a foundation?
Alok: The foundational standard, if I relate to today's time, is IEC 62443. However, IEC 62443 is too water-tight, far too difficult to be compliant with, plus the problem of different regions having different standards. So, there is a case for taking the best from all these standards. And we have IEC 62453 coming in, which is slightly more liberal, at least in terms of compliance, yet ensuring the right things and the security framework. So maybe start with the operational aspects of 62443, and base your program on 62443 compliance to the extent possible, ensure that 62453 comes in and you match it to that. And when I say pushing it beyond DFCCIL, I am looking at obviously the metros, which are there. And again, pushing it beyond India also, wherever I can contribute in using this standard to promoting safety in railways and making people safe.
Roark: Right. Okay, that makes sense. And I know you're involved in the development of a lot of industry standards and frameworks in a variety of ways. How do you think the rail industry is performing in developing, maybe, a global set of cybersecurity standards? I know that you mentioned 62443; kind of tied to that is TS 50701. And now the IEC organization is starting to work on IEC 63452 as a bit of a global standard. I'm not sure everybody's participating in that. But do you think the industry is moving in the right direction? Is it moving fast enough?
Alok: The industry is moving in the right direction. Fast enough? I have my doubts; there's a lot that needs to be done. Specifically keeping in mind that this infrastructure which comes up, especially the foundational infrastructure of the signaling and telecom, the signaling piece at least. The telecom now has a reduced life of seven to 10 years with the routers and switches coming in. But the signaling infrastructure is almost three to four decades is what people are looking at. The sooner we address this problem. As I said, move towards maybe open source, again both sides, but it kills the OEM ecosystem of proprietary protocols, and you get bound by the same OEM throughout your network. Open source lets more people come in, more interplay and parties. Wherever there has been participation, we have seen the growth of the IT industry, where standards are open-source and globally everyone is required to talk to each other. The growth of the sector has happened immensely. So the OTS in the IoT sector in railways has to grow that way. Maybe we need to propel it with more energy and focus towards more open source and get the OEMs to participate.
Roark: Okay, got it. We talked about the frameworks. Rail is such a critical piece of critical infrastructure within individual countries. And we're seeing different countries, almost all the different countries, developing their own regulatory requirements. You've got examples in almost all of the major industrialized countries. What specifically is happening from a regulatory standpoint in India? What's in place today already? Maybe you can tell the audience, and then what do you expect to see coming, perhaps from the government, very soon?
Alok: So India, fortunately, I'll say, had a slight edge in terms of what was happening, and was fast to recognize the problem of cybersecurity, possibly because of the adversary that we have, which was actively targeting us in various sectors. So, we came up with our National Cybersecurity Policy as early as 2013. So it's almost a decade old now. The cybersecurity policy is under revision, and we should be getting our next version this year or early in the coming year. This cybersecurity policy is focused towards Critical Information Infrastructure. Because if the Critical Information Infrastructure is addressed, a lot of the threats associated with the nation-state actors coming in are taken away. IT security more or less has become saturated, again, because of people working on both sides, advantages of open source, both on the defensive and offensive side. The next big threat that is coming is towards OT security. But the earlier people accept it. So the cybersecurity policy is there. We have a National Critical Information Infrastructure Protection Committee; they're coming up with guidelines that at least the critical infrastructure segment, or critical infrastructure sectors, must adhere to. And that is another step in the right direction. So the next one year is going to be eventful in India, at least.
Roark: All right, perfect. One last topic. Colonel Alok, I know this is something that's near and dear to your heart. Let's talk about cybersecurity skills development. I know India is very strong from a technology community standpoint; there's lots of skilled technology resources within the country. Probably not quite as many that are focused on OT cybersecurity or know that business well, and certainly even less that understand the rail technology environment and cybersecurity in rail technologies. How have you gone about starting to build your own team's expertise as you're developing your own cybersecurity program?
Alok: Skill development in OT is a challenge, as you've already said, and it remains a challenge globally. However, this challenge is magnified, or probably amplified, because of the absence of the equipment to test. This is costly equipment. So people do not have access to this equipment to test it or to play around with it. Where I'm working is, we have had certain incidents, at least in the SCADA part of it. We used the experts who investigated to deliver talks to our people, increase their awareness. I'm also working on a Cyber Range, which simulates this environment. So if I can simulate an OT environment on a cyber range, that is an open playing field for people to play, right? They can play, test, what are the implications of action. And then, when it has matured over a particular period of time, you can probably start doing it with live equipment, or probably do the roleplay first on the Cyber Range, and then go and test the live equipment. That is the way I'm adopting. I'm also trying to break the mindset that OT is different from IT. OT is not different from IT. This is a fundamental mindset that people have gotten: what is different? What is not different? The PLC is, at the end of the day, a computer with restricted compute and restricted memory and predefined usage. You have electromechanical equipment being connected to this PLC, so at the end of the day, it is IT with a scaled-down capability and its own set of vulnerabilities. If I'm able to bring this mindset, maybe more and more people will come towards OT and IT.
Roark: I agree with you on that standpoint. You just can't mess around with it like you can in the IT world. I think if you get your own rail operation cyber range, there'd be a lot of people that would be interested in being involved in that exercise. So you need to publicize what you've gotten there. Most certainly. Well, Colonel Alok, let's wrap things up a little bit here. As somebody that's going through the journey right now of building your own cybersecurity and risk management program there at DFCCIL, trying to protect your own operational rail technology systems, as we call it, what advice would you want to leave other rail operator CISOs with?
Alok: My advice to other rail operators' CISOs, and I would go ahead and the CEOs also: don't have the CISOs for statutory compliance. First, that is for the CEOs, for the CIA. So let's break this mental barrier that OT is different from IT. OT and IT are 99% the same, except for the last mile, where Modbus communications can come in, and 99 percent the same. And most importantly, for both the CISO and the CEO, is that what is safe is not secure. So therefore, you need to look at the security aspects. And the threats of the cyber world are not something that will happen only to the other person; as you experience guessing today, they'll catch up with you very soon. You need to be ready for it.
Roark: Agreed and agreed. All right. Well, Alok, if somebody wanted to contact you, are there social media platforms that you're active on, or what's the best way to reach you, if somebody wanted to have a dialogue?
Alok: The best way to reach me is on LinkedIn. I'm available on LinkedIn; it's Alok Shankar Pandey. And the other alternative is email. So I'm also available by email. My email is there on my company website.
Roark: All right, perfect. Well, I'm sure we'll have some folks wanting to talk. Well, Colonel Alok, thank you very much for joining us today. It's been a pleasure talking to you. And for our Secure Tracks audience, thank you for listening. That's the end of today's show. Until next time, keep those tracks secure.