Roark Pollock: Hi, I'm Roark Pollock, and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're speaking with Manvendra Singh from the National Capital Region Transport Corporation, or NCRTC for short, in New Delhi. Manvendra Singh has been a Group General Manager within CRTC for the last year and a half. He is also now the Chief Executive Officer of NCRTC Express Transit Limited, or NETRA in India. Prior to his current role, Mr. Singh served in a variety of roles, including chief engineer for signaling and telecommunications for the last 13 years with Indian railways. From a cybersecurity perspective, Mr. Singh is focused on implementing strategies to protect critical transportation infrastructure from evolving cybersecurity threats. Manvendra, welcome to the show. And thank you for joining us today.

‍

Manvendra Singh: Thank you, Roark, for giving me the opportunity to have the conversation, especially with the Secure Tracks. Thank you so much.

‍

Roark: Absolutely, we're glad you're here; look forward to the conversation. So Manvendra, I like to start on a personal note actually, I like to hear from people about how they got into cybersecurity and how they got into rail. So, why don't you tell us your story a little bit about how you got into the security industry in the rail industry in particular?

‍

Manvendra: Okay. So, if we start from the journey of the rail industry, basically, I belong to the technical part - I've done engineering and Electronics and Communications. From there, we started I started the journey toward the rail industry as a railway engineer and chief engineer as you rightly mentioned in the earlier conversation also then, like railway industry is always evolving in the technology part. So, in the operational domain like signaling and SCADA and traction and powers, everything you see is evolving to a level where digitization of the railway will be considered digitalization of the railways is in the forefront of any transport sector. So, what is happening everything is now pushing towards automation. We are moving from that horse riding cars to that rails and then to the train. So, the integration comes into the picture that whenever you want to have a committed perspective integrated into that operational technology part of the railways. So, here comes IT and OT sector I being an Electronics and Communication engineer fine found that how I can contribute to the technology part to the global technology sector for railways. From there, the an NCRTC administration thought “Okay, now we are going for a computer perspective orientation of the organization.” So have integration of this IT and OT there comes a challenge of securing the IT/OT integration with cyber perspective. And that challenge I proceed as an electronics engineer or communication telecommunication, you will find that must be addressed technically and how strategically we can point it out or address to them so that down the line five years-10 years, we can have a sustainable system. So far the security as a concern is the operational features. And so this is in a nutshell how I see towards the cybersecurity domain. 

‍

Roark: Got it. You love a challenge I take it. Awesome, Manvendra, for our audience, and especially for some of those who are outside of India. Can you tell us a little bit about NCRTC and specifically the scope of your role there and maybe some of the key challenges you're working to address

‍

Manvendra: Okay. So, I will start from here the NCRTC stands for National Capital Region Transport Corporation. So we have a capital our nation's capital in Delhi, New Delhi and then the surrounding area in around, say 110 kilometers around it, we can make a peripheral of 100 meters. So right now what is there any capital? It's being so there with all the industry and all the technical companies are put in there. So, the persons which are being employed from let's say nearby 100 kilometer of failure, they are being forced to stay In Delhi itself, so, it is certainly becoming more and more congested. So, we were mandated by the government that let's have a common transportation such that the person can travel in the 100-kilometer vicinity let's say within less than an hour. So, what will happen everything will be decongestant to a periphery of this 100 and 120 kilometer and the person will be able to commute daily and how they work in Delhi and then go back to their places in NCR region. For that we need a transport which has to be a high-speed sort of transportation. A safe secure and with a high speed. So, Nation Capital Region Transport Corporation was formed, we are paving a company as a transport sector in RRTs - rail region transport sector. This is a train service which we run around 160 kilometers per hour is the highest now as per we consider as to be an Indian scenario of rail transport. We are also sort of an economic transport transformer for that sector in the NCR region. Parcel region is that when we are moving all the industry from our let's say decongestion from the center of Delhi to outside of a 100-kilometer area, so, these pockets will emerge and economic sector which can be a prime mover for those areas in the financial sector segment. Another thing I will add that, because we are now reducing this carbon footprint and everybody knows to travel with diesel cars and all to the center of Dehli. So, safe pollute-free, and faster commuters than all this carbon leak all so, this sector, we can say that NCRTC is an organization which is responsible for that movement of transport sector from let's say lesser speed to NCR region we can have 160 kilometer an hour and less than an hour travel for every commuter person. As far as my role is concerned, you rightly mentioned that in the initial stages so that I are the regional manager for operations and signalling telecommunication. Another part is the CEO of a subsidiary of NCRTC, primarily being responsible for the operations management and strategic planning for computer perspective areas. In the operations and signaling telecommunication domain, I look after all the things which is needed for the implementation of new and technologies for the safe run of the system. Operation management and CEO perspective, it's sort of a management of comprehensively how things have been moving in operations on the commercial domain. Okay. Now we'll come to the challenges what we find the challenge is primary two types of challenges. Because earlier rail technologies were sort of in working in silos where it was not connected to information technology, and we say that all industry technology related to operational technology. Right now the challenge is how this information is generated in the operational domain can be transferred to commuters or let's say OEMs. Simultaneously maintaining the security of that information, which is traveling from one this OT into IT. Right now, I find this has to be a major challenge in railway sector. Whenever we are moving towards a comprehensive integration of these two, IT or cloud and all data applications and to, let's say, information to customer college computer and then maintaining the same set of safety standards with OT, in spite of having all the integration so so for an IT this is a major challenge.

‍

Roark: Yeah. That's what we're all here to talk about this challenge across the industry. Perfect. Well, what we wanted to talk about today was the difference in taking a layered approach to cybersecurity in your rail operations and I know rail operators across the across the world are dealing with this challenge. So I know for you, you're looking at a variety of different layers of different technologies to secure your operational rail technology environments. You mentioned that the integration of OT and IT is the biggest issue creating a much larger attack surface for the rail tech environments. What do you think of or how are you addressing you know, what is your first layer like defense as you Think about the different layers of cybersecurity, you're implementing at NCRTC.

‍

Manvendra: Okay. That's a very permanent question to ask when we are moving to integration. The layer we say that like - okay, I have framed like this, the complete network of NCRTC we have segmented into three layers. Let's say first layer is that whenever we go for any cybersecurity, integration or let's say, process of the standards following, we will put is IEC2443 or let's say TS50701. So, according to any of these standards, there should be a three domain of cybersecurity which should be maintained. In a nutshell, I can say that first you have to segment the network. So pilferage of anything which is happening in a smaller domain does not go to the other domain, and we cannot control in that smaller domain also. Second is access authentication and authorization and data security and data recovery. These are all parts of that system. What we strategized is a complete network we formulated in the sense that let's have hardware-based security. Authorization, then see whichever whoever is authorized, whether they are doing the same work, which is being authorized for them, and then monitoring the complete network traffic through some sort of a SOC Center where in the real-time sense, we can monitor it. So, now I will go to the first site where we are segmented this you mentioned rightly that this is the first layer of security. So when we say that okay, OT is integrated to IT. So OT is purely hardware-based solution having software inbuilt there. So from there if the data need to travel to IT sector, less any cloud, so in between IT and OT we have deployed unidirectional gateways, gateways as a very specific property of their not being software control. They are primarily based on data diode, or let's say, optical fiber-based technology. So even if somebody or someone has an access to the device itself, but as the data or let's say, electrons to a very small terms, they if they tend to travel in one direction, no one can make them to travel in either direction. It's a simple property of diode or optical fiber, this technology leverage to the fact that we are now isolating at the hardware level from OT to IT. This is our first layer of defense, we have isolated and segmented the small sub-systems network, like SCADA signaling and telecommunications, CCTV, display unit available, and rollingstock. these four-five terms were mainly related to the operational security of the system. So this is the first layer we have definitely. Yeah.

‍

Roark: So starting with segmentation, one of the things that you mentioned when we talked earlier was the idea of vulnerability management, especially for rail tech assets, and the challenge that presents especially given the large number of assets in the rail tech environment and the different OEM systems or the different OEMs that are represented there. How are you dealing with that challenge in your rail tech technology environments? 

‍

Manvendra: Okay. So this is, again, very, very, very related question, because when we go for implementation of any cybersecurity systems or strategy, the first challenge which railway people encounters is simply the large number of OEM that different protocols are being working on, and how any single system or let's say any single solution can work out with these all simple different protocols. I'll give you an example like CCTV, we are working with whenever we want to access that protocol. Platform screen door which is very essential for safety operation, they are working on Modbus. LTE system is working on SNMP/NMP protocol. And then signaling is entirely different protocol is SCADA again, or Modbus protocol. Now if I implement a single solution to that, or let's say I want to have some vulnerability assessment of these all simple systems, so no OEM will agree that okay, you put in a certain system, and then we will change our protocol, because unless until you know you're fetching the data, or you are, let's say monitoring the data without even fetching the data, you at least should know the protocol and your device should work in that domain. So, protocol conversion was a major first challenge. Then second challenge is that when we implemented device no OEMs should want that you access to their switches. So, everyone thinks that okay, if someone some accesses switches to my layer then my system will go into the correct mode or whatever we can see. So, how we address that like I earlier said, first of all, we segmented complete network into volatile or let's say, safety-critical item and secondary which is not directly related to train operation nonsecure maintenance system. Now, the excessive system is directly through loss. Let's see, I will give an example signalling system there is a DMS we call it is a data management center system. This data management system is primarily logging all the information which is available inside the signaling and operation. So, what we thought it locate from DMS or subsystem server will push all information to a simple server and this server and IT server which is let’s say cloud communicating with cloud, will put into union gateway in between them and Gateway itself act as a protocol converter. So that I have a simple protocol as a gateway and any Modbus or SNMP or wherever it is, they will only push the data when we say that OEM is only pushing the data no OEM has problems. If I want to have pull the data from OEM system, then they will have some objection. So this is the strategy earlier the gateway need has need to have some push and pull both now, we have changed the design and we have said that okay, only push of the data from OEM side will be there and then from the IT side, it can pull the data from that server which is protected by the user gateway. So, this challenge we have addressed through changing the mechanism that we are not pulling put we are not pushing the data towards OEM, we are only OEM is pushing the data towards the gate and other things like OEMs acceptability of any solution. So, we thought that why not put all OEMs on a single board on board with the initial gateway and let's discuss how the technology can be leveraged so that we can present a solution not only applicable to our NCRTC region but itself it can be scalable to any rail sector. Then only we can say that okay, the technology we have applied in the sense that it can be beneficial to everyone, like in the cybersecurity threat is same in Europe or Australia or Asia Pacific or you can say US or Canada anything. So, what we thought to pull all the OEM single ports and then decide what solution we can implement. So, this push-pull technology solution, we were able to find out through that OEM suggestions itself right. So these are adopted. 

‍

Roark: More of a passive versus an active approach to gathering the data. Where do you are, or Hhow are you gathering intelligence on known vulnerabilities in the different systems that you have today? Is it coming from the OEMs? Are you using third party solutions for that? What's the approach?

‍

Manvendra: Okay. So, I will answer this in two terms first of all, how do we reach a conclusion that okay, there is some vulnerability some threat perception available to the network pursuing the points? So what we did initially we put in cyber security audit for the IT sector because we have an integration of it and OT so we initially OT vendors and OEM as you rightly said, we're not on the board that okay, I will not allow any third party to put into my system. So what we thought that okay, let's first call IT sector. So we had a certain audit of cybersecurity audit for the IT sector itself and when complete audit was performed they made a certain reports and we had a points. These points we discussed with all OEMs from the OT side, and then they came up with a solution that okay, let's put our threat perception to your table also that okay from OEM sides, these may be the points but OEM will not decide I'm not blaming them, but I will say that they will not look they will not tell us that what is going inside their system, what they will tell it okay whenever you are integrating my system to anyone and this link of this integration is only the problem and how it can happen. But as far as our experience and through log analysis of each OEM and the network is study conducted by our own technical team plus the team, which is providing the cybersecurity solution like denudation gateway, so, we both of us study where could be the vulnerable point and then we discussed with them with the experience of cybersecurity or the audit of IT and the points generated, we made a comprehensive statement that these may be the accessibility threat may be perceptible to the system itself, this was the approach we adopted.

‍

Roark: Got it, got it. All right. Well, another layer of cybersecurity that people are concerned about Manvendra is the threat of insiders, and I know, you know, from talking to a variety of different rails CISOs, that kind of breaks down into maybe two camps, one being the access that the OEM vendors have to your systems, and then the other is the insider access that your own people NCRTC have to this system, how are you thinking about this challenge and taking steps to address it? 

‍

Manvendra: Okay, so, continuing with the earlier description I provided. A second one is that how the insider threats are being managed this is I can see from all my experience the most difficult task, any cybersecurity officer or official or management can address to how we are addressing it, because this can not be that you cannot provide access to these guys, they are available because you have to provide them access, because these are the OEM people, but nobody can say that anyone cannot become hostile at any point of time, maybe XYZ reasons may be available. So, what we do, we have provided kiosk before access to each system. So, these kiosks are basically the scanner of the devices which we are going to put into the system. So, this scan pendrive any memory stick or the your laptops or access terminal whichever you want to access to the system, but this can protect only certain limits that you do viruses or being in your system nothing is sort of a which can harm unintentionally the OT system, but if you want to have any intention over it that okay I want to damage this because I have the software available how you can address to this. So, what is still we haven't deployed this, but yes, from we design point of view we have made it a system that we will have certain checkpoints in the network available these checkpoints will decide that okay, these are the devices authorized to access plus what this device can do and then will real-time monitor that okay, this device has been put in because it was unauthorized device, unauthorized in the sense that it was not intended to do what they are doing right now. So, this will generate a flag or red alarm, which will pull out the device itself and block the network access. Now, how we are going to do it? We have a complete discussion with two or three global service provider for this type of solution Cylus, Cervello, Waterfall and at this stage I can say that three stages I have made a strategy first one was that hardware based solution first layer second is kiosk and scanning system. Third, this real-time integration and real-time monitoring of which device is doing what and whether it was authorized to do or not and then blocking it right away in the real-time. This I can say that our design is free frozen and I have put in a timeline of the next three to four months to put the system into this OT network once I finish this gateway work and all access again assessments of how it is functioning, but it is on my cards that okay this is my third stage of processing where I will put the solution offered by Cylus or Cervello and then find out what is happening in there. So this is my strategy to find out which device was using the real-time information are put into the network but it was authorized to do it and then we pull it pull out pull it out this device itself. Yeah.

‍

Roark: I guess the question I have next is, this is causing the challenges with the OEMs when you're looking to implement continuous monitoring or access restrictions on their teams?

‍

Manvendra: Yes, rightly said, this is another challenge when we say that we are going to have continuous monitoring or putting our devices into your system. So, the solution or design we have discussed and finalized is simple that will go for a non-intelligent switch in the network. So, first of all non-intelligent switches in the network, then one fear of the system that it may hamper the routing itself or the data transmission it, can be ruled out because we are then in the passive system passive listener of the system. Second is that you cannot talk to the system only listen to the system. So, when we say to the OEM that we are not talking to the system, what we are doing, let's say it's a 24 port switching available in the network, that's a non-intelligence with yourself, we just listen to the switch what is happening, because we are the receiver we cannot transmit any data this in any case we can do. So, OEMs are being given such confidence, and we had a demo itself with all these subsystems OEM. And then we threw through a challenge to them, okay, I put in my devices there, you just prove that I can at any time transmit the data and harm you, then to our own satisfaction and to the satisfaction of OEM itself to some systems provider, I requested to have that system challenge accepted, not named OEM, but yes, I can assure you that with this listening or let's say passive approach of listening to the system, you're not talking to the system, we could able to demonstrate that nothing is going to happen. But as a CISO, I will say that whenever we want to deploy a technology or deploy a cybersecurity solution, we must be making comfortable or have confidence in OEM itself. Otherwise, this strategy won't work. Because if any one of us is pulling out from that network and not supporting the implementation, it will be difficult. 27:40

‍

Roark: Well, everything else to go through operations. And he looked at it through an operational lens, certainly. All right. Well, I'm curious as you're implementing looking to implement continuous monitoring, usually, the next step for organizations when they've done that is to implement a regular cybersecurity operations center or a C-SOC or a SOC depending on your terminology. Are you have you already implemented that step? Are you looking into that now that you're doing continuous monitoring within the organization or the rail tech environment?

‍

Manvendra: I will say to like this, the implementation of SOC has three steps, what we have strategized it, first step is that SOC won't work unless until you provide a complete segmentation of the network, implement hardware-based systems, and then a scanning of the network and insider threat management. First, you complete these two steps, then you design a system, where you can put in this listener or we say passive listeners through SOC, where you will deploy this I will say a sensor in the network or we can terminate launch it with any other thing you can provide. So once the fastest step and secondary step are completed. The third step of designing the system and putting the sensor will be listening to the network this is also being done. I'm just waiting that all the two steps are late which steps are the results of these, again, we'll have some sort of assessment. Since sort of throwing the challenge in factor service provider for that initial gateway, we have thrown a challenge itself, that will be intentionally trying to penetrate the network and distill that directional gateway shouldn't allow this after this test, let's say I have put in a timeline and within these two three months, we will start implementing this SOC. Our target we have fixed as to be after March and we should be able to have SOC implemented, and then we will able to share the complete outcomes or let's say, learning of these three steps to the global audience that okay, these were our strategy and these has worked as if not.

‍

Roark: Alright, since I would, I would say be careful if you're doing any kind of penetration testing. I've heard horror stories in that regard. Well, Manvendra I guess the last layer or the last topic you mentioned earlier, when you went through the different layers was talking about backup and recovery. In case the main primary systems are breached or shut down. I know one of the big conversations in the rail industry that people are tackling is this question of doing things in the cloud versus on-premise. And it's certainly a question as you talk about backup and recovery systems. How are you thinking about backup and recovery in general? And how are you just addressing, more broadly, the question of moving to the cloud versus doing things on-prem?

‍

Manvendra: Okay, so, we'll go like this in any cybersecurity strategy or let's say comprehensive solution, this data recovery and okay, everything has lost and then how you're moving towards again, to the serviceable level which we're adapting, before that attack has happened. Our strategy is very simple, we will have a hybrid approach, we will have our memory management or, let's say data management at cloud. Plus on prem server both as of now, the technology is available and the ecosystem which is available for railway signaling and SCADA and rollingstock it's all on-prem. And when we say that okay, we have it, it traditionally it has been isolated from any sort of IT network, and then we have provided this gateway and itself, these hardware-based solutions are having a dual sense of memory or data backup in itself, there is a data backup. So, on-prem server and then data backup of this on-prem server, we are isolated to the outside world to this gateway. So, at one layer, we have introduced that Okay, now, from on-prem server-side data loss, we can have a complete recovery if anything is lost, because then the passive server, which is not in the active mode, you can put it into the active system now comes towards the IT side. So, IT we have gone for complete cloud management, we are not having any sort of on-prem server for any IT application. So, inherently, whenever we are going for cloud, we always have a data backup available there. And this data backup not only to the cloud but of course, we are managing the data, which is critical data needed for making the system boot up and again to a certain level of service level before the attack; we also have a data center or data cube type of thing where all the data which is critically needed for making it system up is also being stored in our on-prem system also. So for running the system,cloud plus on-prem server, both as a hybrid approach we are adopting for any data recovery or, let's say, after the attack to me making the service to a level which before the attack. 

‍

Roark: Got it makes sense. All right. So Manvendra, as we kind of wrap things up here, as somebody who's going through this journey presently at building a cybersecurity and risk management program for your operational rail technology systems. What most important bit of advice would you like to leave with other rail operator CISOs?

‍

Manvendra: Have you specifically address because I have worked railways and a CISO as a railway. So, I will say that we have very little knowledge of the cyber security domain railway sector. This we have to first admit ourselves that whatever we say we are putting in a very challenging environment where we have to learn a lot of things I will say a lot of things. First of all, whenever I interacted with any railway personnel, their first prime excuse was that okay railway systems or OT technologies are isolated from the outside world, so nothing will happen to us. Then I showed them the history where in the last, let's say, five and six years approximately 17 to 18 attacks have materialized which are resulted into either a DDOS type of a thing or a completely unsafe situation, references to the availability of the service and not say that unsafe of like train operation but of course and availability of the service. But this is another part of the responsibility to make system run. So, what I will say that first of all, let us come out of that myth that operational technologies are isolated to the IT technology about they are being an integrated part because without digitalization of IT/OT integration you cannot run the system right now. So, whenever coming out of the system, first you have created you have crossed the barrier, I will say crossed a barrier, then generate the awareness in the system because railway engineers are more or less very less aware about this technology or cybersecurity threat. So, what we as an NCRTC do, we have requested every expert being available in the cybersecurity domain to have sharing the experience. And I will say that, at this juncture, I want to Cylus, Cervello, Waterfall, Terafence - all these four-five service global provider, which came forward and say that, okay, if you are open to listen to us, then we are more than offer open to offer the solution itself. So what I will suggest that please engage for five good global players in this to come out of the myth that okay, nothing is going to happen to the review of patient technology and implement these three steps, what I from my experience, can share hardware based their solution for joining the network, then threat perception being mitigated of the person which are being hostile to the environment. And the third one is the SOC Because in isolation or in silos, if you implement one or two solution, then you are almost as vulnerable as earlier you would have been without application of these follow two steps, you had to have all the three steps being implemented this, I can share my experience.

‍

Roark: Yeah. And I hear you saying it's critical to reach out to the operational teams that you're working with and have the teams, the cyber teams and the operations teams working together and doing the same thing with the vendor community. I hear those themes pretty commonly. So not surprising. Great advice for our audience. All right. Lastly, Manvendra. If someone wanted to get in contact with you, they wanted to have a chat. What's the easiest way for somebody to reach you?

‍

Manvendra: I am available, I know LinkedIn and WhatsApp and I'll share the numbers anytime. I will be more than happy to contribute to this community of the cybersecurity in personal rail domain because I feel this is most living in that myth of nothing will happen to railway sector. So I want to open that anything can happen. And we have to be very prepared for this. So LinkedIn and WhatsApp and I've shared a number. 

‍

Roark: All right, perfect. Well, we certainly appreciate it. We are a big believer in evangelizing the challenge, and the ways of addressing the challenges as well. So we appreciate you taking the time. So, thank you very much for joining us today. For our Secure Tracks audience, thank you for listening. That's the end of our show today. Until next time, keep those tracks secure.

‍

Manvendra: Thank you. Thank you so much. Thank you.

‍