Written By Joshua Cruse, Senior Cyber Threat Analyst at Shift5

In September, five of the seven largest American railroads attended a classified briefing given by the federal government on cyber threats targeting their industry. The White House described the briefing as covering how the government believes China or Russia could disrupt railroads in the country, and how a cyberattack could compromise the hazardous materials that railroads transport.

In fact, threats to critical infrastructure such as railroads are increasing. In February, the U.S. Intelligence Community issued its annual threat assessment which detailed China, Russia, Iran, and North Korea’s ability to target critical infrastructure. The report strongly suggested that nation-state adversaries are studying vulnerabilities within those systems, and assessed China was “almost certainly capable of launching cyber attacks that would disrupt critical infrastructure…including…rail systems.”  

Other Threat Actors Targeting Rail

Digital threats facing rail come not only from nation-state cyber actors, but from a variety of threat actors with different motivations.

For example, cyber criminals continue to target the rail industry, today by deploying ransomware. In March 2021, Class I operator CSX was targeted by the Clop ransomware group. Subsequently, Clop leaked CSX's internal and technical documentation on the dark web, where it is still publicly available today.

One in seven ransomware incidents exposes sensitive Operational Technology (OT) documentation that could be used to engineer cyber-physical attacks. The impact of rail information leaks like CSX's has not yet been fully measured, but the leaked internal documentation includes OT-related information such as documentation on multiple Positive Train Control (PTC) systems, PTC packet captures between locomotives and the back office, operating manuals, and administrative passwords for communication devices. Two practical consequences follow for any operator in that position: every credential that appears in such a leak must be treated as compromised and rotated, and the packet captures hand an attacker a reference for what legitimate traffic on those links looks like, which lowers the effort needed to craft messages that blend in.


Next Steps for Defenders

These assessments and examples highlight just a few of the many threats facing the railroads. With threats to rail on the rise, and the risk of adversaries gaining access to rail OT systems, rail defenders must ask critical questions:

  • What would a cyber attack against rail OT look like?

  • How would a rail company know what to look for?

  • How could it identify an attack on its OT systems?

  • What actions could it take to get ahead of the risk?

Shift5’s Approach

Shift5 helps rail defenders understand cybersecurity for rail OT. We determine the level of risk rail OT systems carry by understanding which cyber vulnerabilities are present and whether a cyber attack against rail OT is feasible. To do so, we strive first to deeply understand the systems at risk, then to see the issues from both a customer's and a malicious attacker's perspective.

The National Institute of Standards and Technology (NIST) recommends the same sequence in its Framework for Improving Critical Infrastructure Cybersecurity. The Framework's Identify function asks critical infrastructure operators, such as rail operators, to first inventory and understand the systems an organization has, including OT assets, and the risks those systems carry. That inventory is what makes the later steps possible: it identifies the key OT systems and components to be protected, shows where an intrusion detection system (IDS) can be placed to monitor them efficiently but effectively, and gives the IDS a concrete definition of what normal traffic on the platform looks like, so that signatures for malicious activity can be written against the known set of assets and message flows rather than guessed. The caveat is that the baseline must be captured from a system known to be in a good state; a baseline recorded after an intrusion will simply teach the IDS to accept the attacker's traffic.
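The inventory-then-baseline approach described above, as an added example that is not Shift5's code and does not model any real PTC or locomotive protocol: a small allowlist detector in Python that takes an asset inventory and a baseline of permitted message flows, then runs over a constructed message log and alerts on talkers that are not in the inventory, flows that were never baselined, and a valid message type repeated faster than the baseline allows. The message format, bus addresses, asset names, baseline set and rate limit are all assumptions made up for the example.

```python
"""Inventory-driven allowlist detection for an onboard OT bus.

Added example, not Shift5 code. The log format '<seconds> <src>-><dst> <TYPE>',
the addresses, asset names, baseline flows and rate limit are all constructed
for illustration; no real PTC or locomotive protocol is modelled.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step 1 (Identify): the asset inventory, keyed by bus address.
# Constructed values, not any real locomotive's configuration.
ASSET_INVENTORY: Dict[int, str] = {
    0x10: "locomotive-control-unit",
    0x20: "onboard-ptc-unit",
    0x30: "event-recorder",
    0x40: "comms-gateway",
}

# Step 2: baseline of permitted (src, dst, msg_type) flows. Written by hand here;
# in practice it is learned from a capture taken while the system is known-good.
BASELINE = {
    (0x10, 0x20, "STATUS"),
    (0x20, 0x10, "ENFORCE"),
    (0x20, 0x40, "POSITION"),
    (0x40, 0x20, "AUTHORITY"),
    (0x10, 0x30, "LOG"),
}

# Step 3: per-window rate ceilings for message types that should be rare.
# Assumed value: at most two ENFORCE messages per second from the PTC unit.
MAX_PER_WINDOW: Dict[Tuple[int, str], int] = {(0x20, "ENFORCE"): 2}


@dataclass(frozen=True)
class Message:
    ts: float
    src: int
    dst: int
    msg_type: str


Alert = Tuple[float, str, str]  # (timestamp, rule name, detail)


def parse_line(line: str) -> Optional[Message]:
    """Parse one constructed log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 3 or "->" not in parts[1]:
        return None
    try:
        src_s, dst_s = parts[1].split("->", 1)
        return Message(float(parts[0]), int(src_s, 16), int(dst_s, 16), parts[2])
    except ValueError:
        return None


def detect(lines, window_s: float = 1.0) -> List[Alert]:
    """Run the allowlist and rate rules over log lines, returning alerts in order."""
    alerts: List[Alert] = []
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        m = parse_line(line)
        if m is None:
            alerts.append((-1.0, "unparseable", line))  # -1.0: no timestamp recovered
            continue
        if m.src not in ASSET_INVENTORY:
            alerts.append((m.ts, "unknown-source", f"{m.src:#x} is not in the inventory"))
        elif m.dst not in ASSET_INVENTORY:
            alerts.append((m.ts, "unknown-destination", f"{m.dst:#x} is not in the inventory"))
        elif (m.src, m.dst, m.msg_type) not in BASELINE:
            alerts.append((m.ts, "unexpected-flow",
                           f"{ASSET_INVENTORY[m.src]} -> {ASSET_INVENTORY[m.dst]} {m.msg_type}"))
        # Rate rule: alert once per window, the first time the ceiling is exceeded.
        key = (m.src, m.msg_type)
        limit = MAX_PER_WINDOW.get(key)
        if limit is not None:
            bucket = per_window[int(m.ts // window_s)]
            bucket[key] += 1
            if bucket[key] == limit + 1:
                alerts.append((m.ts, "rate-exceeded",
                               f"{ASSET_INVENTORY[m.src]} sent >{limit} {m.msg_type} in {window_s}s"))
    return alerts


# Constructed sample log: four normal messages, then four kinds of anomaly.
SAMPLE_LOG = [
    "0.0 0x10->0x20 STATUS",
    "0.1 0x20->0x40 POSITION",
    "0.2 0x40->0x20 AUTHORITY",
    "0.3 0x10->0x30 LOG",
    "0.5 0x99->0x10 STATUS",   # address not in the inventory
    "0.6 0x40->0x10 ENFORCE",  # real asset, but a flow that was never baselined
    "1.0 0x20->0x10 ENFORCE",
    "1.1 0x20->0x10 ENFORCE",
    "1.2 0x20->0x10 ENFORCE",  # third in the window: rate alert
    "1.3 0x20->0x10 ENFORCE",  # fourth: no duplicate alert for the same window
    "garbage line",            # malformed input must not crash the detector
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts:>5} {rule:<20} {detail}")
```

The order of the checks matters: an unknown address is reported as such before any flow check, so the operator sees "a device that should not exist" rather than a vaguer "unexpected flow", and the rate rule still runs for baselined flows because a flood or replay of an otherwise legitimate message is exactly the case an allowlist alone cannot catch.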


As the U.S. government likely highlighted to the railroads in its classified briefing, the realm of possibility is limitless when dealing with an adversary who is determined to attack an organization’s systems and does not play by the rules. An understanding of the vulnerabilities and threats to onboard OT in rail systems is essential in securing these systems, and Shift5 believes working with the community and industry to understand not only the threats but the systems themselves is critical to the security of all.

About Shift5

Shift5 is the onboard data company. Created by officers who stood up U.S. Army Cyber Command and pioneered modern weapon system cyber assessments, Shift5 defends commercial transportation systems and military platforms against operational failures and OT cybersecurity risks. Household-name aviation companies, U.S. railroads, and fleets within the U.S. military rely on Shift5 to maintain the readiness and availability of today's fleets and tomorrow's next-generation vehicles.