Cybersecurity has become a trendy word in everybody’s life, used either as a fancy term to lend confidence to high-technology topics, or to create panic and generate a sense of fear and an urge for protection. We can find this uncomfortable feeling in our closest environment, when we use our smartphone, tablet, or laptop, as well as when we look at the wider scale of uses applied in any industry at any level.
Railways are probably one of the sectors where security is paramount and therefore obliged to invest a considerable amount of resources to protect its complex network ecosystem, and thereby maintain the safety of its assets and people, both workers and passengers. The evolution of the railway network has inevitably moved from systems isolated from IT, running proprietary operating systems and protocols over specialized hardware, to their integration within corporate networks that use standard protocols running over mainstream operating systems. Furthermore, moving from wired copper to wireless connectivity represents a big paradigm shift with undoubtable advantages. However, it has also opened Pandora’s box, with all the myriad vulnerabilities and cyber threats inherent in the new technology.
The level of complexity and exposure increases when we look at the different communication systems that the TCN (Train Communication Network) must manage: the critical ETCS (European Train Control System) for the supervision of train movement, the TCMS (Train Control and Management System) that centralizes all the information gathered from the operational peripherals (the so-called “intelligent” equipment) mounted on the train, and of course all the communications broadcast to passengers, either for their entertainment or to deliver information from the train’s Passenger Information System. For each and every one of these systems there are different kinds of actions for disrupting the network, which provoke, in turn, different reactions. In a simplistic way, the Cyber Security Pyramid of Pain model summarizes very well what a “victim” can expect and which level of protection IT must be equipped with. The pyramid ranks, in ascending order, the kind of attack indicator that can be observed against the pain it takes to fight the attacker back. From the bottom up, the pyramid starts with “hash values”, “IP addresses” and “domain names”, which are classified as trivial, easy and simple to fight back at; an NGFW (Next Generation Firewall) can be used in this case. When we move up to the next levels, the effort and difficulty become greater. These levels involve “network artefacts”, “tools” and “TTPs” (tactics, techniques and procedures), which can be really “annoying”, “challenging” and “difficult” to react to. Therefore, the closer to the top we get, the harder it is to reveal and react, causing an increasing level of “pain”.
A strong security program definitely consists of detecting and converting information into something actionable. The “Cyber Kill Chain” model is a tool that can help cybersecurity organizations understand the events involved in an external attack and react accordingly. Without going into deeper detail on the model, the characterization of any phase of the chain must consider, and correlate, who the adversary and the victim are, as well as the infrastructure under attack and its capabilities to react. Only once this information has been identified can the correct strategies and technologies be put in place to block the attack before it moves to the next phase.
This process is neither trivial nor immediate. It takes time to implement the process and, once it is in place, to trigger the first defensive action. Time is therefore critical. Furthermore, what has been described so far are actions taken once the attack has been launched. In all those industries where safety is essential, it becomes evident that preventive actions are even more important than defensive actions, but their implementation is not trivial either.
In the railway industry, preventive actions are taken to such a high level that, to some extent, they considerably slow down the capability to react in a second stage. The overall security, both IT and non-IT, applied through technical standards and norms, national and international directives, regulations, laws, etc., is mandatory for the safety of materials, assets and, foremost, people. The dilemma is evident: all those security norms introduce high complexity along the whole IT chain which, while on one side it makes it harder to be hit by external attacks, on the other side makes it slower to react to them once they occur, extending the vulnerability window of the system.
Flipping a coin between prevention and detection is not the wisest thing a cyber team can do for a critical environment. To facilitate actions and reactions in either case when an attack happens, there are state-of-the-art security products that help to analyse what is going on within the entire corporate network, as well as to prevent the sneakiest intrusions from external hackers. Network Traffic Analysis (NTA) tools are passive elements that attach to the network and listen, recording what users are doing, which actions they take, which protocols they use, on which machine, and more. NTAs enter the “Cyber Kill Chain” to break the chain itself and detect where and what is going wrong, enabling a faster corrective intervention. On the other side, certain cybersecurity products are the active elements that prevent, and therefore protect, the corporate network by intercepting malicious traffic using configurable policies, traffic inspection, SSL decryption, just to name a few methods.
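A minimal illustration of the passive “listen and memorize” behaviour described above, added here as an example that is not part of the original post and not code from Teldat’s products: it learns which protocols each host speaks and which peers it talks to during a learning window, then reports live flows that deviate from that baseline. Host names and flow records are constructed placeholders.

```python
from collections import defaultdict

# Constructed flow records in the shape a passive NTA sensor would derive
# from mirrored traffic: (source host, destination host, protocol).
# Host names are hypothetical placeholders, not real railway assets.
BASELINE_FLOWS = [
    ("tcms-gw", "etcs-evc", "mvb"),
    ("tcms-gw", "etcs-evc", "mvb"),
    ("tcms-gw", "pis-server", "http"),
    ("pis-server", "wifi-ap", "http"),
    ("ops-laptop", "tcms-gw", "ssh"),
]

LIVE_FLOWS = [
    ("tcms-gw", "etcs-evc", "mvb"),        # known behaviour, no finding
    ("pis-server", "tcms-gw", "ssh"),      # new protocol and new peer for pis-server
    ("tcms-gw", "203.0.113.7", "http"),    # known protocol, unknown destination (TEST-NET-3)
    ("wifi-ap", "etcs-evc", "mvb"),        # passenger-side host never seen as a source
]

def learn_baseline(flows):
    """Memorise, per source host, the protocols it speaks and the
    destinations it talks to during the learning window."""
    protos, peers = defaultdict(set), defaultdict(set)
    for src, dst, proto in flows:
        protos[src].add(proto)
        peers[src].add(dst)
    return protos, peers

def detect_deviations(baseline, flows):
    """Return (source host, reason, detail) for each flow that departs
    from the memorised baseline; a flow may yield more than one finding."""
    protos, peers = baseline
    findings = []
    for src, dst, proto in flows:
        if src not in protos:
            findings.append((src, "unknown-source", f"{src} never seen sending"))
            continue
        if proto not in protos[src]:
            findings.append((src, "new-protocol", f"{src} -> {dst} via {proto}"))
        if dst not in peers[src]:
            findings.append((src, "new-destination", f"{src} -> {dst}"))
    return findings

if __name__ == "__main__":
    for finding in detect_deviations(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(finding)
```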
Teldat is the right cybersecurity partner to support both goals with be.Analyzer and be.SAFE, providing the railway sector with the level of flexibility and readiness that the industry requires within a strong and solid security umbrella.