By Chase Snyder, Sr. Product Marketing Manager
Freight and passenger railroad carriers are an appealing target for cyberattackers. The enormous impact that a railroad disruption can cause makes them a juicy target for ransomware attacks, while the potential for supply chain disruption and even loss of life makes railroads a target for nation-state campaigns and hacktivists.
In 2022 alone, cyberattacks impacted railroad systems and associated industrial organizations in Israel, Belarus, Denmark, and other countries globally. By looking at the tactics, motives, and impact of recent cyberattacks against railroads, cybersecurity teams can glean insights about how to secure their industrial control systems (ICS), operational technology (OT), and overall IT infrastructure.
Hacktivists Disrupt Trains in Belarus
In January 2022, a group of hacktivists calling themselves the Cyber Partisans executed what appeared to be a ransomware attack against Belarusian railways. The Washington Post reported that the attack was intended to “‘disrupt’ the movement of Russian troops into the country.” Rather than demanding the traditional ransom payment in the form of cryptocurrency, the Cyber Partisans demanded the release of political prisoners. While details of the attack remain murky, most reports indicated that the ransomware primarily impacted IT assets such as databases, rather than directly infecting operational technology (OT) such as railway switches with actual malware. As reported by The Guardian, the hacking group implied that they could “paralyze trains by downing the signaling and emergency control systems.”
This attack has a noteworthy similarity to the attack on Colonial Pipeline in 2021. While the cyberattackers did not directly impact the pipeline OT systems, the business still experienced significant, costly downtime: Colonial Pipeline proactively shut down IT and OT systems to limit the spread of the malware. This downtime could have been reduced or eliminated if the pipeline OT systems had already been cyber-hardened and secured against attacks moving laterally from the IT network.
The Cybersecurity Lesson: IT and OT Convergence Creates Risk
Even without confirmation that the Cyber Partisans had directly compromised any operational technology within the Belarusian railway, the group caused significant disruption to railway operations. Without zero trust-based preventive controls deployed across both IT and OT systems, no railway operator can be certain that its OT network is safe from even basic ransomware attacks. Attackers intentionally target businesses with OT systems because those systems are both important and under-secured. Cyber-hardening OT systems will help critical infrastructure businesses eliminate downtime caused by attacks against both IT and OT networks. Strict access control and privilege enforcement, together with genuine adherence to zero trust policies at the asset level, are the best way to reduce or eliminate the risk of operational shutdowns when ransomware hits a critical infrastructure site.
Israeli Light Rail Construction Company Hit with Denial of Service Attack
In July 2022, the Times of Israel reported that an Israeli company building a new passenger light rail for Tel Aviv experienced a denial of service attack against its website. This was not an attack on an operating train company, but on a company participating in the construction of a politically controversial passenger rail project. The attack was tentatively attributed to Iranian hackers motivated by political and cultural animus between Iran and Israel. The light rail company reportedly regained control of its website quickly, but the fear and hostility generated by the event led to numerous news articles and increased awareness of the social impact that cyberattacks against critical infrastructure can have.
The Cybersecurity Lesson: Attacks on Critical Infrastructure Don’t Have to Be Sophisticated To Have Impact
This attack illustrates the outsized social and emotional impact that even basic cyberattacks on train systems can have on a population. Cyberattackers, political activists, and nation-states all recognize the impact that an attack on railway companies can have. Denial of service (DoS) attacks are easy and cheap to launch, but can still stoke fear and inflict damage on vulnerable, unprotected targets.
On top of that, while this attack did not impact actual train operations, it offers important lessons for railroad operators: the interconnected technology suffused throughout critical infrastructure organizations means that any cyberattack, even one against only the public-facing website, is a potential source of operational disruption. Ensuring separation of IT and OT networks has become more difficult as rail operators adopt new connected technologies to spur innovation. But maintaining the security of any network connection to OT is more important than ever when the safe operation of passenger trains is at risk. The more success cyberattackers have in attacking IT infrastructure to cause downtime and hold OT infrastructure hostage, the more commonly we will see this emerging attack pattern.
Trains in Denmark Impacted by Cyberattack on Third Party Provider
In November 2022, train service in Denmark came to a halt due to a cyberattack on a third-party service provider, which had to shut down its servers. Reuters reported that locomotive drivers were unable to operate trains for several hours due to the attack. While it appeared to be a traditional, economically motivated cyberattack, the impact on Denmark’s rail system highlights the vulnerability of critical infrastructure to cyberattacks, no matter the reason or the method.
The Cybersecurity Lesson: There’s Risk In Your Software Supply Chain
Denmark’s train system was not attacked directly, but because it relied on a third-party provider for critical functions, it experienced an operational shutdown due to a cyberattack. This should serve as a wake-up call for all operators of critical infrastructure. The increasing adoption of networked, interconnected technologies and third-party services in critical infrastructure is introducing new, often unseen risk and attack surfaces.
Zero Trust Is The Path Forward for Critical Infrastructure
As the digital transformation of railroads and the transit industry overall accelerates, so must the adoption of increasingly rigorous cybersecurity tools and zero-trust policies. Multi-factor authentication, granular access control & privilege enforcement, and identity-based segmentation policies offer a path forward to reduce the risk of operational shutdown.
In each of the cyberattacks listed above, interconnected technologies impacted real world railroad operations and mass transportation. The disruptive power of these attacks will only encourage attackers to invest further in attacks against critical infrastructure, and to use more sophisticated tactics that will impact operational technology more directly. Cyber adversaries clearly see railroads and mass rail transit, such as regional metro systems, as vulnerable targets, both for economically motivated ransomware attacks, and for politically motivated campaigns.
How To Improve Railway Cybersecurity
The U.S. Transportation Security Administration (TSA) has recently issued updated cybersecurity guidance for specific freight and passenger rail operators, as well as for oil and gas pipeline operators and other critical infrastructure sectors.
While the TSA only has authority over U.S.-based organizations, the new security guidance has broad relevance to freight and passenger rail companies globally. As cyberattacks on rail operators increase worldwide, we expect to see increasingly sophisticated tactics aimed at causing operational disruption, whether purely for financial gain or to stoke fear and economic disruption. Cybersecurity for all critical infrastructure providers will have to evolve rapidly.
For more information on the TSA Directive for railroad operators, and how to build real zero trust security into these systems, read our Top Ten Checklist for Railroad Operators to Comply with TSA Cybersecurity Directives.