Why Generic OT Cyber Security Fails Rolling Stock
Managing security and risk in the Operational Technology (OT) environment is not as simple as transferring over IT security practices onto OT systems. Understanding each OT system’s specific requirements and challenges is key to preparing an effective OT cyber security strategy. A successful strategy in rail requires a collaborative approach that blends expertise in both OT security and railway engineering to address the unique needs and complexities of onboard systems.
The ever-increasing connectivity of railway infrastructure and rolling stock creates a significant expansion of their attack surface. This applies to all connected devices - on board or on the ground - used for maintenance, control commands, as well as passenger amenities. While increased connectivity offers enhanced performance, monitoring and updates, it also means there is an increased need for manufacturers, equipment providers and operators to implement robust cyber security measures.
Market Gaps and the Need for Specialised Solutions
Many generic OT cyber security providers only offer detection-focused solutions. Their broad coverage OT systems across different industry sectors typically require generic anomaly detection capabilities that are not sensitive enough for the unique characteristics of train networks. They may offer a basic level of security, but lack the precision and depth required to truly safeguard the critical systems on board a train. This means that train builders and operators face a multitude of challenges due to the complexities involved in securing rolling stock, including:
Increased Use of Standardised Technologies:
Modern trains rely on standardised IT systems like Internet Protocol (IP) communications, which provide interoperability and support throughout their assets’ life cycles. While this allows easier connectivity, it also introduces vulnerabilities that require careful consideration and management throughout the operational life of the train.
Connectivity vs. Vulnerability:
Implementing new technologies allows easier connectivity and access to cyber security solutions, but also increases the attack surface.
Secure Digital Maintenance:
Maintenance staff and remote operations can introduce vulnerabilities through connected devices, data access, and the use of specialist service laptops and USB sticks, increasing the attack surface.
Long Lifespans:
One key challenge in protecting rail assets is their long service life. Over time, they undergo reconfigurations and are equipped with systems not considered at the design stage. This creates a situation where the assets are vulnerable to ever-evolving threats. Consequently, security solutions must be designed to remain effective throughout the entire lifespan of the asset once deployed.
Networked Complexity:
Modern trains are not single networks, but rather collections of interconnected systems (control, comfort and passenger interfaces). A breach in one system can easily jump to another due to these interconnections, creating a domino effect. Generic OT security solutions may not be equipped to handle this level of network complexity or provide the necessary protection to prevent an exploit from spreading to critical systems.
Legacy Systems:
Modernising security for new trains is vital, but retrofitting existing fleets presents a unique set of challenges. Older trains were often designed with assumptions about the isolation of critical systems and may have simple networks lacking the security zoning found in newer designs. This "flat" architecture makes them vulnerable to attacks that exploit one system to compromise others.
The Solution: A Holistic Approach
To tackle the cyber security demands of a continuously evolving threat landscape requires a solution that goes beyond mere detection. RazorSecure, the industry leader in rolling stock cyber security, offers a holistic approach that safeguards critical train systems throughout their lifecycle. Unlike generic IT/OT vendors who provide broad monitoring solutions across various industries, RazorSecure is dedicated to the unique security needs of the rail sector. We recognise detection alone is insufficient, and our solutions go beyond simply identifying threats and anomalies. They encompass a suite of security products designed specifically for the harsh environments and specialised protocols of rolling stock.
RazorSecure Security Gateway: Network Protection, Built for Rail
The cornerstone of our holistic approach is the Security Gateway, a customised gateway specifically designed for the unique needs of railway equipment. EN 50155 certified, it ensures compatibility with stringent railway safety standards, and is meticulously designed for the space, power and connectivity constraints inherent in rolling stock environments.
Functionally, the Security Gateway enforces secure separation of critical networks to prevent attackers from gaining uncontrolled access to safety critical systems. When coupled with RazorSecure Delta Intrustion Detection System, this holistic approach goes beyond generic security, offering a specialised solution for rolling stock environments. By using anomaly-based threat detection with a unique baseline for each asset, rather than a reliance on threat signatures, Delta shortens the time to detect threats from unknown sources, mitigating the risk of cyber-attacks.
RazorSecure Digital Maintenance Gateway: Secure Updates & Access Control
As digitalisation advances, traditional maintenance practices become increasingly vulnerable. The Digital Maintenance Gateway addresses this challenge by providing a secure platform to control and monitor software updates, and manage configuration throughout the asset's lifespan.
This secure platform ensures only authorised and authenticated personnel have access to critical systems, mitigating the risk of anonymous access, unauthorised modifications or malware introduction. The Digital Maintenance Gateway addresses this challenge by providing a secure platform to control and monitor software updates, and manage configuration throughout the asset's lifespan.
Designed for Rail, by Rail Experts
RazorSecure goes beyond simply identifying threats. Our core differentiator lies in our deep understanding of the railway industry. Here's what sets us apart:
Certified Hardware and Flexibility:
Our Security Gateway is EN 50155 certified, ensuring compatibility with rail environments. Alternatively, our software can run on existing train builder infrastructure components, offering maximum flexibility.
Real-Time Decisions at the Edge:
RazorSecure prioritises on-train analytics and processing, enabling fully autonomous decision-making without relying on intermittent bandwidth-constrained cloud connections. This ensures real-time response directly on the train, eliminating delays associated with sending data to centralised data centres.
Protocol Expertise:
We support industry-specific protocols like TRDP, ensuring seamless integration with your existing infrastructure.
In-House Rail Engineering:
Our dedicated engineering team has a proven track record, having worked extensively with rail operators, train builders, and subsystem developers. This diverse experience ensures they can design, implement, and deploy solutions specifically tailored for the rolling stock environment.
RazorSecure will be returning to the Middle East on April 30th – May 1st, for the Middle East Rail & Saudi Rail 2024 event at the Abu Dhabi National Exhibition Centre. We will be exhibiting as part of the UK Pavilion, joining insightful discussions around the evolving rail landscape.
Join us at the conference where you will find us at stand number F40-A. Please contact Marju Giralucci to set up a meeting at the event marju@razorsecure.com. In the meantime, you can learn more about RazorSecure solutions on our website.