The folks over at SCADA Strangelove turned me on to this article from the International Railway Journal that presents the findings of an analysis of the security of industrial control and SCADA systems used to manage railway networks. The conclusion: railways are rife with “faults and vulnerabilities (that will) allow cyber criminals to not only degrade key reliability parameters and bypass safety mechanisms (and) carry out attacks which directly affect rail traffic safety.”
The study was conducted by Valentin Gapanovic, the senior vice president of Russian Railways; Efim Rozenberg, the first deputy director general at the Moscow-based research firm NIIAS JSC; and Kaspersky Lab Deputy Chief Technology Officer Sergey Gordeychik.
At issue is not just the systems that are used to manage railway networks, including the movements of trains and critical switching systems that configure tracks. Rather, it is the culture of safety and security in the rail sector which, the study concludes, is still siloed between physical safety and information security.
From the article:
The use of computer-based control systems (CBCS) requires the use of digital wire and radio communication systems supporting the TCP/IP protocol on a large-scale. However, since they are based on standard systems, application software and network protocols, and make extensive use of remote management tools, wireless networks and internet technologies, they inherit the security problems of the underlying standard components. This means that new requirements for communications infrastructure need to be put in place in order to guarantee its safety.
The study’s authors found that research and development within the rail industry has been mostly focused on “achieving sufficient CBCS (computer based control system) reliability and functional safety.” Human threats were imagined to be physical in nature – erroneous or malicious acts performed by train operators or auxiliary personnel. The possibility of remote attacks against computer devices using distributed communication systems and wireless technologies has not been considered, the study concluded.
That means railways have misunderstood their risks, and have been operating mostly with a false sense of security. From the article:
Most industry and international security standards aim to ensure reliability and reduce the number of random dangerous failures. Although these objectives clearly overlap with those of cyber security, the fact that the threat models underlying these standards do not account for cyber threats means that these standards cannot be used as exhaustive guidelines.
ICS/SCADA security requirements are based on the familiar concept of ensuring the integrity, availability and confidentiality of information, while the goal of protecting railway CBCS is safety.
The study recommends a change in definition for cyber security to one that embraces the goal of “ensuring the operation of signalling computer based control systems in which dangerous failures and inadmissible damage are ruled out, and a given level of economic efficiency, functional safety and reliability is provided in the event of an IT attack directed at signalling CBCS components.”