Imagine waking up one morning and learning from your preferred news source that agents from an adversarial nation-state were fanned out across the country, stealing information and documents from private corporations and government agencies.
This horrific news would occupy headlines of every news outlet in the country, and Americans would naturally be stunned and scared.
While we haven’t had headlines such as these, we might as well have. The information and investigative cyberattacks the nation has been dealing with for years, and malware placement in U.S. systems by bad actors, have the same impact as physical invasion or attack. While not as dramatic or receiving the same amount of news coverage, our computer networks’ vulnerability is shocking.
Why, for example, after suffering through cyberattacks for more than a decade, does the U.S. find itself vulnerable to the recent massive cyberattacks allegedly conducted by Russian actors? Each day we learn that the intrusion’s depth was more significant than we thought, accompanied by statements that officials don’t know how far the attack went, and it will likely take years before we can unravel it all. Some news outlets referred to these recent attacks as an early warning or wake-up call to what we may face in the future. I’m sorry, but given the length of time we’ve been subject to these threats and have suffered significant losses from them, that train left the station years ago.
We often hear top officials testifying before Congress and speaking at conferences to share the message that our systems are safe and secure, only to have the rug pulled out from under their remarks by an unforeseen “unprecedented” cyberattack that no one saw coming.
There seems to be a feeling among many that cyberattacks are not as damaging or dangerous as physical attacks. The average person can’t see what’s going on and often concludes that doing something nefarious on a computer cannot be all that bad. Americans, particularly those in positions of leadership, have a civic duty to learn more about cyberattacks, cyberwarfare, and the threat they pose to our country’s functioning. One of the best sources of information on this topic is a book titled The Perfect Weapon — War, Sabotage, and Fear in the Cyber Age by New York Times national security correspondent David E. Sanger (Broadway Books, paperback, 387 pages, 2018-2019). In my opinion, this is a riveting and grave account of cyberwarfare that we ignore at our peril.
What does this have to do with railroads? Plenty. Railroad technology, specifically computer technology, has advanced significantly over the past 20 years. Just about everything a railroad does, including dispatching, routing, customer shipment monitoring, financial transactions, and recordkeeping, is entirely dependent on computer technology. That includes critical infrastructure like Positive Train Control. All this technology connects through networks, with most of them running on internet connections.
The railroads have robust cybersecurity tools in place, and they take cybersecurity seriously. The Association of American Railroads addresses cybersecurity in documents located on its website. A good overview is provided by “Railroads & Cybersecurity” at www.aar.org/wp-content/uploads/2020/09/AAR-Cybersecurity-Fact-Sheet.pdf. Another, which is more specific to technology procurement, can be found at www.aar.org/wp-content/uploads/2018/10/Rail-Sector-Effective-IT-Procurement-Practices-Final-April-2018.pdf.
The “Railroads and Cybersecurity” document discusses the key elements of the industry’s cybersecurity program:
- A highly trained workforce [is needed to help] protect the network;
- Railroads address cybersecurity threats head-on;
- Railroads and their security partners are committed to preparedness and continuous improvement.
The industry has formed what it calls the Rail Information Security Committee, which the AAR says “is the focal point of the industry’s unified, cooperative efforts for cybersecurity.” The committee was formed in 1999 by the Class 1 railroads and Amtrak. The committee is responsible for maintaining continuous awareness of the latest cybersecurity threats both outside and within the industry and ensures that it is protected. The committee also has open communication lines with the U.S. Government agencies that work on cybersecurity, such as the Department of Homeland Security, the Federal Bureau of Investigation, and others.
Railroads also have one or two members of their cyber teams with secret security clearance from the U.S. and Canadian governments so that they may participate in classified briefings on cybersecurity issues. Participation in these briefings ensures that the carriers have current intelligence and can better protect the railroad’s technology networks.
By and large, corporations and government agencies, including railroads, are reasonably well aware of cybersecurity threats and take action to thwart them. However, the recent spate of attacks on private and government organizations shows that no matter how well prepared they are, there is always something that can catch leaders and managers off guard. Often, the general tendency of organizations is to be reactive rather than proactive.
Private and public agencies need to emphasize detailed proactive planning and threat mitigation. It’s challenging, though, because these efforts are costly. Unless there is a new, immediate threat, organizations may be hesitant to spend lots of money preparing for something that “may” happen. However, failure to be as proactive as possible in protecting our systems can lead to serious, even catastrophic, problems down the road.
This article recently appeared in Railfan & Railroad Magazine, and is reprinted here with permission.