Railway networks are suffering an increase in cyberattacks, most notably the August 2023 incident in which hackers infiltrated the radio frequency communications of Poland's railway network and temporarily disrupted train traffic.
This has led to nations and rail operators scrambling to protect their networks, such as Saudi Arabia recently announcing a partnership to improve the security of its service.
Another operator enhancing the protection of its networks is Tel Aviv's Purple Line light rail transport (LRT), a line currently under construction and due to be open and running by the end of this decade.
Dark Reading spoke with Eran Ner Gaon, CISO of Tel Aviv Purple Line LRT, and Shaked Kafzan, co-founder and CTO of rail operational technology (OT) security provider Cervello, about dealing with increased attacks on OT networks.
Dark Reading: What steps have you taken to protect your networks from cyberattacks?
Eran Ner Gaon: In order to identify OT threats, we developed a comprehensive OT security strategy that includes measures such as threat intelligence, technological measures, incident response plans, and training of employees related to the regulation of the INCD [Israel National Cyber Directorate].
From a human point of view, the treatment of OT threats requires extended specialization not only in cybersecurity but also a deep familiarity with the worlds of OT and their communication protocols. For this purpose, we require skilled personnel who sit in the control centers with eyes and hands right on the keyboard upon receiving a suspicion of an incident. From a technological point of view, we provide protection at all network layers: physical separation between networks, work environments and microsegmentation; identity management with advanced tools using PAM; [and] establishing a laboratory that simulates the operational activity and adjusting the changes on the system before downloading for execution.
DR: Can cyberattacks against OT be thoroughly defended against?
Shaked Kafzan: From the perspective of a cybersecurity company, the surge in attacks against OT systems is worrying but expected. What's more worrying is how poorly prepared the critical infrastructure sector is against attacks with potentially fatal or incredibly costly consequences. When the stakes are so high, when the costs are so severe, there is no room for risk. Cybersecurity must be implemented as a means to prevent, not to "fix."
DR: What is different about rail security from a protection perspective?
Kafzan: Cybersecurity for rail and OT must be proactive and continuous. To do this, organizations must implement network segmentation on real network traffic, have strict authentication and access controls, ensure continuous monitoring and detection of vulnerabilities and misconfigurations, and stay updated on what is going on in the space, including keeping up with cybersecurity compliance standards.
DR: Of course, a reliable patching process and vulnerability management best practices are key to a security strategy. But for an OT organization, what are the issues with patching while keeping systems online?
Kafzan: Patching a cybersecurity vulnerability within a rail network is like changing the wheels of a car while it's moving: It's not simple, and, many times, it's not doable. Though we are a cybersecurity provider, our security strategy has to bear in mind the interests of our rail customers, which are high availability and physical safety.
This means we must rely on passive yet deeply informative and rail operational contextual solutions that will mitigate a cybersecurity incident and fortify the organization's cybersecurity posture without any interference in its existing infrastructure and systems.
DR: Each system comes with its own challenges, so what steps do you take when patching?
Ner Gaon: Since business continuity is a must, we examine any implementation or change in general — meaning that first we consider whether the systems support live or hot patching, then we verify if downtime is required, and what it [the downtime] is. And finally ... we consider the risk of the repair versus leaving the weak point.
In the background of these things, we strengthen our operating concept through a strong and updated laboratory environment for the operational environment that supports many tests of the changes that we want to implement alongside a robust system of backups and procedures that allow us to go back to any point in time before the change was made.
DR: As a possible protection option, we've seen AI cited as a key trend for cybersecurity in 2024, in particular in the field of industrial automation. Does this change the way you work, and how OT can be better secured?
Ner Gaon: Along with the many threats that AI poses to us, we receive inherent advantages in the technological tools we have chosen that combine AI capabilities in a fast, efficient, and automatic manner.
As we move forward, I predict that the AI capabilities will be able to perform a large number of high-quality and good actions for our systems, but we must remember that in the end there will be hands on the keyboard and a high-quality human response that will be able to prioritize the events.
DR: From your position providing security for rail operators, how does AI fit into what you provide?
Kafzan: Behind the scenes, AI is more than just a trend; it is an exciting opportunity to more effectively enhance the security of rail systems. It allows us to analyze vast amounts of data while staying continuously updated with the global cybersecurity community's knowledge, in order to quickly identify, respond to, and remediate threats in real time.
AI will allow us to predict potential security breaches before they happen, based on patterns it has learned. An immediate benefit of the technology is its ability to improve operational efficiency, optimize schedules and routes, and enhance passenger experience by providing real-time insights. It can help minimize downtime and extend the lifespan of the existing infrastructure by offering predictions of when parts of the train systems or track are likely to fail or need servicing.