
Wireless Waves of Risk: Challenges & Controversies | Yaniv Mallet | Bonus Episode


In this bonus episode of the Secure Tracks podcast, host Roark Pollock sits down with Yaniv Mallet, the lead cybersecurity architect at Cylus. They delve into the recent attacks on the Polish rail network and explore the implications of such incidents on rail cybersecurity and safety. Yaniv, drawing from his extensive background in the military and cybersecurity, provides valuable insights into the challenges and potential mitigations for these threats.

About our guest:

Yaniv Mallet is an experienced cybersecurity expert with over 24 years in the Israeli military intelligence units, primarily in research and development roles. Mallet's academic background as a software engineer and his extensive military career have given him a deep understanding of cybersecurity. In 2021, Yaniv Mallet assumed the role of lead cybersecurity architect at Cylus, where he continues to contribute his wealth of knowledge and experience.

Transcription

Roark Pollock: This is the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're going to talk about a couple of topics related to the recent attacks targeting the Polish rail network. Our guest today is Yaniv Mallet, lead cybersecurity architect at Cylus. Prior to his role with Cylus, Yaniv served for 24-plus years in the military, in the Israeli military intelligence units. Yaniv, welcome to the show. Well, Yaniv, before we jump right into today's topics, I like for the guests to talk a little bit about their backgrounds. So, for example, you spent a lot of time in the military; I want you to tell us how you got into rail cybersecurity in your current role with Cylus.

Yaniv Mallet: And yeah, so my academic background is as a software engineer, and of course, as you just said, I did a lot of time in the military. Most of my time was in R&D units, which happened to be, let's say, cyber units, the Israeli military units; I guess they're pretty famous today. And I did that all these years long. Of course, obviously a lot more, let's say, red team rather than blue team, but I also did, from the second part, a lot of development, a lot of management, a lot of operations, most of the time on operations. And I was around cybersecurity and cyber for those last years; I always was around it, always was interested. And at some point, when I got out from the army, I got too tired. I was looking for something in my field of expertise, maybe, but something that is on purpose for human beings, like stop being on the red side. And I met some companies, and I met Amir, the Cylus CEO, and Miki, and I think two things were very appealing here. Never mind the order. But the first thing was that I found the goal of the company to be something interesting. It was meeting my goals, like, what is the motto of the company? Secure tracks. So, securing your tracks. I think it was getting to something about cybersecurity that is meant to protect people also in the physical world. And I found that very interesting, and it was like something exotic, when in the background here everything is: let's have another EDR, let's have another cloud security, maybe data security. And it was interesting. And the second thing was, like, even before I started working here, you can feel the spirit of the company. Okay, it's a small company. It's a family-oriented company, people are intimate. And I think the vibe here is very, very nice for me. So I've been here for almost 2 years.

Roark: We all get into the industry in one way or another. So Yaniv, today we're going to talk about a couple of topics that recently came to light as part of the story surrounding the attacks that stopped some of the Polish state railway trains. And while I don't want to rehash the actual incident, I really wanted to focus on two related topics that are industry-wide issues. But before we do that, for our audience, could you summarize a few of the relevant details around the actual Polish rail incident?

Yaniv: Okay, summarize is the key word here. I will try to get to the facts that are publicly known, okay, and that we are pretty sure about. So the event was that, underground, some trains, around 20 trains, were reported stopped by what we call an emergency system. We are not really sure how long it took for the rail operator, which is PKP, we are not really sure how long it took for them to resume operations. Some reports say a few minutes, some say more. That's what happened. And from the reports that continue to be put out on the internet, and also the official position of PKP, we understand that someone abused an emergency function, which is based on one of the legacy, or maybe not that legacy, radio frequency systems. This system has a specific function for emergency stop that can be used by the operator, of course, to send on the frequency of the system. Okay, it's around VHF, I think 150 megahertz, something like this. And if you are transmitting what we call subtones, like three specific tones in a specific sequence, that will tell the system onboard to initiate an emergency stop. We understand that that's what happened. And we now understand that it also happened another time on the second day. But that's it. And we also understand that the authorities apprehended some people for this event.

Roark: Yeah. Two Polish men, I believe it was, that were apprehended by authorities. So, Yaniv, let me see if I understand. So they broadcast the VHF, VHF transmission? Was it a single broadcast of that transmission that then was able to stop multiple trains across the entire Polish network? Or did they have to broadcast once to stop one train, broadcast again to stop another train? How does that work?

Yaniv: Let's start by explaining a bit the setup that they probably had. Okay, so transmitting a VHF signal today is not very complicated. We have a lot of people who are radio amateurs, radio passionates, a lot of people that are doing that in their free time, for fun. You know, I'm sure you heard about people that are trying to listen to ATC, to plane communications or transmissions, to know which plane is currently in the sky and such. So it's the same. And today you can buy some really easy equipment online, what we call SDR, software-defined radios. Okay, you can buy a module, without knowing what SDR is, that will help you, with the relevant SDK on your computer, to prepare a signal and transmit it on the right frequency, on the right polarization, on the right specification of this signal. The thing here is that the details of the radio system that is used by PKP were public. There was a reason for that. Okay, you won't hear from me that it's a good reason. But there is a reason: the European Union has been trying to create interoperability between the countries for the last two decades. And that's great. I mean, today you can take a train from Spain and go to Paris without changing trains, and the same between all of the countries, and the European Union is trying to do that so people have the freedom to move freely in trains, not changing trains at stations and not sitting in trains at borders. To do that, you need to ensure that the technical systems beyond the borders, on both sides of each border, will be able to communicate together. And part of that was to publish the different systems, or specific or legacy systems, that each one of the countries still operates in its network. So I guess that's what the attackers did: you can go and do research on Google and find the specification, the technical specification with the frequency, the right sequence, okay? And what did they do? So, yes, that's what happened.
They had to be somewhere not far from the network. Okay, but the same signal can stop each one of the onboard systems.

Roark: So if I'm in one place, and the train comes past and receives a signal, it stops that train. Does it stop multiple trains across the system from that one broadcast?

Yaniv: From what we understand, this specific system is supposed to be not a centralized one. So each one of the trains that is around, and that is in the transmitter's coverage, okay, will be able to receive this transmission and will have to stop because of its logic. So that means the two attackers would have to add some equipment. Okay, I'm not familiar with the geography of this specific place; maybe, you know, it's a big interchange place, so you have a lot of trains together, a lot of tracks? I don't know. But yes, you need to transmit strong enough so trains wouldn't be able to hear that.

Roark: Okay, so let's talk about why we have train radios on trains at all, right? Maybe you can help me out here a little bit, with all the sophisticated systems we have today, the operational kinds of rail technology systems in use in rail today. Why do we still have VHF radios being used to stop trains?

Yaniv: I think the answer is going to be in two parts. The first part is that I learned, in my time at Cylus, that changing things in this industry, because this industry is so safety-oriented, okay, takes time. Right? Okay. So when you have a legacy system from the 80s, 70s, 90s, I don't know when it started, if you need to change something, and it can be to change the whole system or only to change one of the functions in the system, it takes time. So even though we know that PKP, the Polish operator, is on the way to upgrade all of their lines to ERTMS, which is the European standard for signaling, and it's got features that are much improved over this old VHF system, they're on the way to do that, but it takes time. The transition between them also takes time, so you must keep this kind of system. So that's maybe the first excuse, okay: it's there, you cannot take that out of a lot of the considerations. The second thing is that we need a radio, and we need wireless channels to operate trains today. Okay, I think one of the biggest pushers of train modernization is the fact that you can communicate in real time with a train. So this specific example is not a good example of a real-time data connection. Okay. But you sometimes need to have a connection to have an override, maybe on the driver. Yeah. Okay, something can happen to the driver. So I guess the reason it was invented in this way was also for safety issues. What happens if the driver gets a heart attack during a ride?

Roark: It provides a backup system. 

Yaniv: Of course, it was for safety. 

Roark: At the beginning, okay, got it. So what about other rail technologies that rely on wireless communications? You mentioned ERTMS, we have CBTC systems, in the US we have PTC systems. All of these technologies rely on some sort of wireless communication, do they not? And are there similar types of attack vectors that are of concern with those types of rail systems that are using other wireless technologies?

Yaniv: First thing, wireless communication. Wireless channels, they've got some glitch from a security point of view. I mean, you're taking your data and you're sending that in the open, because it's not in a regular network where you are controlling both sides. You don't know who is in the middle. Right? Okay, so that's from 200 years. That's a fact: you don't know who is listening. And you don't know sometimes who is talking, like in this event. So that's something that you need to be able to understand when you use wireless channels. But having said that, we want wireless channels to communicate with trains. The number of applications is very interesting: you have smart signaling, which allows you to bring more trains onto the track, to have a higher speed of the trains. Okay, so it's a better service for the passenger. You have online, real-time data collection to do maintenance or preventive maintenance, so to understand this train must go to the depot after this, we need to change it for its next trip because we need to change some parts, online. You want to send updates to the passenger information system onboard, so maybe the passenger, before they reach their destination, will know that there is a problem on the underground system, okay, and maybe will change their course: okay, I'll take the bus after I get down at the station. So the number of applications is very high, and it's getting higher and higher all the time. Just for another example, freight, freight trains. Okay, one of the things that interests people who are using this kind of transportation mode is the location. Where is my cargo? Online, we want to know if it is there, okay. You can bring that as one channel for all the trains. And we have those applications. So all of the technologies that you just mentioned: the ERTMS is using GSM-R communication, GSM-R is the beloved protocol, GSM dash R for railways, with small changes. Okay, it's supposed to be replaced in a few years.
But it's a public wireless protocol. Okay, it's something that you can understand. It's something that was researched and also hacked. CBTC, in most of the applications, I won't say all of them, uses Wi-Fi. The regular, beloved Wi-Fi that we all use on a day-to-day basis. Okay, PTC in the US sometimes is using satellite links, sometimes UHF/VHF links, dedicated radio links. Still, all of them are not using dedicated technology for the railway or railroad. If you were in the military, maybe you would develop a new technology because you want your communication to be bulletproof. If you are in the industry, the civilian industry, you won't do that; you will reuse technology. So we need to be aware of the fact that all of the technologies I just mentioned, GSM, Wi-Fi, satellite links, and of course regular radio links, have some weaknesses, okay. They have some weaknesses. I am sure that you heard about a lot of Wi-Fi masquerade attacks, or rogue Wi-Fi access points. There are a lot of attacks that people are developing for other uses, not really for the railways. But when you are using this technology, you need to be aware that they can have a pitch. Sure. So now we have a trade-off. We want them. We want all trains to use wireless channels. But we need to be able to control what can happen if someone tries to attack us.

Roark: Yeah. One of the questions that came up in reading a lot of the commentary on this particular incident is: is the misuse of these wireless channels considered a cyber attack? You know, there were some people that looked at the etymology and denotative meaning of the word cyber and tried to say, of course, it's a broad definition, everything's included under cyber. Others will say no, this is a signals-based attack, not cyber; this is a transmission that's analog, not digital. So, if you look at those statements, doesn't that basically support the argument that this is not a cyber attack?

Yaniv: You want a theory of cyber and SIGINT and electronic warfare? We can do that. I mean, for me, the bottom line is that it's not the issue. I don't care if you call it a cyber attack; you want to call it something else, fine. This is a threat to train operations, to train safety even, maybe, that we need to deal with. Okay, we at Cylus are in the business of security for trains, cybersecurity for trains; the operators around the world are in the business of protecting the operations and the passengers. Someone needs to deal with it. I want to ask you a question. Let's say that on an LRT in some city, let's say Tel Aviv, okay, because we have a new LRT, hurray! Let's say that at one of the intersections there was a collision between the train and a car. Is it important to call it a car or train accident? Someone knows that this is an issue, a safety issue, that needs to be dealt with so we will avoid it the next time. So I can do a long session with you, Roark, about the history of electronic warfare; I can talk to you about why DTMF tones in phone digital transmission are analog, but we will call an abuse of them a cyber attack. I can do a lot with you about that, because I did a lot of that. I want to tell you that most of the institutions that are dealing with signal attacks or electronic warfare attacks, most of the time we are talking about the military and governments, and most of them, and I'm telling you that from my personal experience, most of the countries in the world, they have merged, for the last years, what we call electronic warfare and cyberspace, cyber warfare, okay. Because when you're looking at that from above, it's all around the same issue. Can you manipulate the other side's system so it will do something that they didn't want it to do? That's it.

Roark: Understood. Basically, you're arguing that theoretically it doesn't matter if we consider this a cyber attack. The position is, this is still a risk that whoever's in charge of cyber within the rail operator needs to be concerned about and needs to be addressing.

Yaniv: Totally. I mean, I met some operators who had someone in a position of managing the radio equipment and communication, okay. If this operator wants to put this risk, and this risk management, under someone who is chief of radio, that's fine for me; at the end, okay, most of the time we will find the CISO or the chief of operations that must manage risks. And there is always someone who needs to manage it. You want to call it not cyber, call it not cyber.

Roark: Right. Okay. Understood. Let's hit our second point here, which is how the rail industry looks at these attacks as a safety incident. Are they seen as an issue? All that happens really, in this case, is the train stops; it doesn't create a safety incident per se. Do you agree that's the viewpoint today with these?

Yaniv: I agree. This is where most of the industry lives. Now, I'm not sure about all of the industry, because I'm meeting a lot of people who are much more mature toward security and cybersecurity. I want to tell you that an emergency stop, as a passenger, is not always something "not safety related." Let's say that you are on a metro and there is an emergency stop in the tunnel; everybody is not sitting but standing. And you know, you can be thrown onto someone else, onto the door, onto one of the poles. It's not nice. Okay, first thing. Second thing is, I'm going on to cybersecurity education. And one of the pillars of cybersecurity is also the availability of your system. Not only confidentiality and integrity; we talk a lot of the time about availability. This kind of attack can create chaos. Okay, think about New York City. Okay, 8 o'clock in the morning, rush hour in the mass transit systems, and someone is setting, each morning at eight o'clock, an emergency stop on all the underground, on the subway. Right? Okay. You cannot tell me it won't be chaos. Okay, so if you are the train operators, you can say "not safety," but maybe, I think, that can be challenged, because having someone break his neck because of an emergency stop can be a problem.

Roark: But purely, if it's not seen as a safety incident, you still look at it as a disruption to the system. And that's a concern.

Yaniv: You cannot be a cybersecurity professional and not tell that there is an issue. Right. Okay. You are stopping trains; you are messing with the ability of the business function, which is called trains running on the tracks.

Roark: Right, right. I think some people look at it and say, you know, after all, why should these be seen as an issue? You know, this misuse of this system, it's not going to change the train routes, it's not going to derail the train or create a serious safety incident. It's just a simple misuse of a failsafe system. You know, do you think the industry should be more concerned about these types of issues or these types of attacks?

Yaniv: I think the industry should be concerned about these types of attacks, because at some point you will find a business that you need to run, okay. I want to tell you an example from some countries, specifically in Israel: also, the regulator, most of the time it will be the Minister of Transportation or something, gives KPIs to the public transport operators. One of the KPIs will be how many times you had a train late, how many times you didn't have the train that was supposed to be there at this hour, or how many times you had an emergency stop, okay. Again, I'm not familiar with the PKP network, but I think about the Paris subway or the New York City Subway: when you have one emergency stop, it impacts all of the lines on this kind of network. So at some point, you can get fined by the regulator because your trains are not running on time or not running at all. I think you should also be concerned if people start to be afraid of taking the train, because they don't know if the train will get to its destination on time. So maybe they will take the bus? Or maybe they will be afraid at all: I don't want to be in the train that will be, I don't know, today it's the emergency system. But you know, the psychological dimension of cybersecurity is very high. So tomorrow, it will be a change. Of course, we both know that in this case it's not possible, but the passengers don't know.

Roark: So even if you consider it an issue, you are making the argument that rail operators absolutely need to be concerned about this particular risk. Is it possible to mitigate those risks in any way? And if not, why consider it at all?

Yaniv: That's a very important question. We had an example that is really out of the ordinary, okay, because I have never seen in my life, and I did a lot of intelligence, someone who is publishing publicly how to stop my system. So the first flaw here, and I know what may be the reason for the European Union, is that we as the railway industry, okay, and the governments and the regulators, we need to take that seriously. We cannot say, okay, that's fine, I will just publish everything about the system, and people will find out and they can stop…

Roark: Ignoring that PKP situation, any other radio system or wireless system, if somebody were able to manipulate it, or to reverse engineer it and figure out how to misuse the system, is it possible to mitigate those kinds of attacks?

Yaniv: It is possible. There is a cost and there is a complexity; maybe not all of them. I mean, if we are taking a small operator in a country, and we are taking one of the biggest countries' armies with their electronic warfare capabilities, maybe it won't be able to stop it. But as with everything in cybersecurity, we need to go back to the beginning, which is risk management, right? We need to be first, and when I say we, it's the vendors, the regulators, and the operators, but mainly the operators, because they are the ones who take the blame in the end. Okay, what can happen? Let's map what the problem is: I have CBTC. Okay, what are the known Wi-Fi attacks? What can someone do with a Wi-Fi attack? Can he impact the train, can he stop the train? Can he maybe send the wrong speed, authority? Movement authority to the train right now, can you do something? What damage can you do? When we understand that, we know that we have some technical mitigations that can be put in place. Okay, here I'm looking more at the vendors, and us as companies that are working on cybersecurity in the industry. What can we do? For example, if you are using an RF radio system, okay. And by the way, we won't find this kind of system in a lot of operators in the world, but almost all the train operators have regular two-way radios, or maybe a much more complex system for the dispatch, because they want the Commanding Room or the OCC to talk with the drivers, and want the drivers to be able to talk with the maintenance team, and perhaps first responders; you want them to connect together. And today we have modern RF systems. I can give you an example, P25, which is much known in the US as the first responders' technology. All of those are modern, okay, they use digital modulation of the signals. They can propose authentication methods, they can propose encryption.
So there is always, you know, there is always a debate in the train, rail industry about whether we should include encryption on something that can impact safety. We can open this discussion, it's okay. But authentication is a must. Okay, you must know that if someone is sending a signal on your system, it was someone who is authorized to do that. Okay, so this can be the mitigation. Again, it takes time; to replace some operator's system, it takes time. And for the other, bigger technologies like Wi-Fi, like GSM-R, there are mitigations. I'm not sure it's worth it to use all of the technical mitigations for the train operator, because maybe the bar is very high, because we are talking about capabilities that armies and intelligence organizations are using, but we need to know where the threshold is of what we're afraid of, right? And what we're not afraid of.

Roark: So the question was basically, if there are mitigations, there's risk that needs to be considered.

Yaniv: Totally.

Roark: So if I summarize your key points from today's conversation. One, wireless communications are a part of every operational rail network, period. Two, they need to be considered a risk; whether that's a cyber risk or not is irrelevant, and that risk needs to be managed by the CISO or whoever is in that particular role, regardless of their title. And then third, even if the misuse of those systems is not considered a safety incident, it still needs to be looked at as a concern by the rail operations themselves.

Yaniv: Yeah, I agree, I concur. I think, I don't know if it's, I feel that this is another example of what's happening to people from cybersecurity, okay, when they are getting into the train industry.

The train industry is pretty complex, let's say; we are dealing with a lot of technologies. I can tell you about projects I'm working on with vendors, where you are touching a lot of different technologies, technical fields, engineering fields. And the education of most of the CISOs, okay, and I was there also, I did some courses, okay, is always coming from IT origins. And if you are a new CISO at an operator, you will start with the things that are easier for you. Okay, let's look at the network. Where are the firewalls? What is the antivirus here? What is the EDR? And when you're coming to look at the train network, meaning not the computer, but the whole systems, okay, I think a cyber professional in this industry needs to drill down more, because there is a lot of width, okay: you need to deal with power supply, you need to deal with onboard systems, safety systems, okay, communication systems, and the regular IT. So it's not that easy. Okay, but it's easy to miss what the important things are, because the IT part of a train operation is not the most important.

Roark: Our audience knows we've had lots of conversations on this show in the past about the need for the IT or the cyber professionals to work hand in hand with the operations and the maintenance organizations to understand.

Yaniv: I think a cyber security engineer inside a train operator should consider himself as a system engineer, because he needs to understand what are the functions that an attacker can touch and say, okay, I will do some damage. Okay, because the IT and the regular things, they are there. I mean, an attacker will find them.

Roark: We had one of our CISOs on the show from a major rail operator say he embeds a lot of his cyber people in with the engineering teams as part of their job. So that's an example of the teams working together.

Roark: So let's wrap things up. Any bit of advice you'd want to leave some rail operators, rail operator CISOs out there with today?

Yaniv: The last one I gave you, I think that's the most important. I think, I'm not sure that if you are coming on board today in the cyber team of one operator, I'm not sure you even have access, or you understand, that there is maybe a legacy system that can stop the trains. So you need to, you know, put your feet on the ground, start talking with each one of the engineering teams in your organization, and start mapping the risks. Understand what is there, what is not there, where you can help. Someone at some point will need to be accountable, to understand what can happen if I press some buttons and do something to your trains.

Roark: Great, great, great conversation. So Yaniv, if somebody wants to get in contact with you, are there social media platforms that you're active on, or do you, you know, email? What's the best way to contact you?

Yaniv: I think LinkedIn. That's the only platform that I'm, like, openly on; you need to be there. I'm on Twitter, I'm very active on Twitter, but I have a secret user there. So I'm very active there, because there are a lot of professionals chatting there, but I am more than happy to meet new people on LinkedIn.

Roark: All right, so you've got it. Yaniv Mallet; you can reach out to him if you have more conversation or questions you want to ask him. Yaniv, thank you very much for joining us today. Appreciate the conversation. And for our Secure Tracks audience, thank you for listening. That's the end of our show today. Until next time, keep those tracks secure.
