Railway systems are becoming more digitized and interconnected, but with this progress comes significant cybersecurity risks that threaten safety, reliability, and operations. In this episode of Redefining Cybersecurity, Sean Martin and Fahad Mughal explore real-world cyber incidents, vulnerabilities in railway OT systems, and the critical security measures needed to protect this vital infrastructure—tune in to understand why it’s not a matter of if but when railway cyber threats will strike.
Guest: Fahad Mughal, Senior Cyber Solutions Architect - Security
On LinkedIn | https://www.linkedin.com/in/fahadmughal/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
Modern railway systems are increasingly digital, integrating operational technology (OT) to enhance efficiency, reliability, and safety. However, as railways adopt automated and interconnected systems, they also become more vulnerable to cyber threats. In this episode of Redefining Cybersecurity on ITSP Magazine, host Sean Martin speaks with Fahad Ali Mughal, a cybersecurity professional with extensive experience in OT security architecture, about the challenges and priorities of securing railway infrastructure.
The Growing Role of Cybersecurity in Railways
Railway systems have evolved from steam-powered locomotives to autonomous, driverless trains that rely on sophisticated digital controls. OT now plays a crucial role in managing train operations, signaling, interlocking, and trackside equipment. These advancements improve efficiency but also expose railway networks to cyber threats that can disrupt service, compromise safety, and even impact national security.
Unlike traditional IT environments, where the focus is on confidentiality, integrity, and availability (CIA), OT in railways prioritizes reliability, availability, and public safety. Ensuring the safe movement of trains requires a cybersecurity strategy tailored to the unique needs of railway infrastructure.
Critical OT Systems in Railways
Mughal highlights key OT components in railways that require cybersecurity protection:
• Signaling Systems: These function like traffic lights for trains, managing track occupancy and keeping safe distances between them. Modern communication-based train control (CBTC, used on metros and light rail) and the European Rail Traffic Management System (ERTMS, used on regional and long-distance lines) are heavily digitized and integrated with control centers, which is what exposes them to cyber intrusion.
• Interlocking Systems: These systems prevent conflicting train movements, ensuring safe operations. As they become digitized, cyber risks increase.
• Onboard OT Systems: Automatic Train Control (ATC) regulates speed and ensures compliance with signaling instructions. A cyberattack could manipulate these controls.
• SCADA Systems: Supervisory Control and Data Acquisition (SCADA) systems oversee infrastructure operations. Any compromise here can impact an entire railway network.
• Safety-Critical Systems: Automatic Train Protection (ATP), braking systems, and fail-safe signaling are engineered with redundancy and strict compliance with safety standards so that a fault leaves the system in a safe state rather than causing a catastrophic accident.
The increasing digitization and interconnection of these systems expand the attack surface, making cybersecurity a top priority for railway operators.
Real-World Cyber Threats in Railways
Mughal discusses several significant cyber incidents that highlight vulnerabilities in railway cybersecurity:
• 2023 Poland Attack: In an incident attributed to a nation-state actor, adversaries used an unencrypted radio channel, a backup pathway for issuing emergency stops rather than the primary command path, to send unauthorized stop commands that triggered emergency brakes on multiple trains. Trains across Poland halted, freight services and supply chains were disrupted, and passengers were stranded. The attack exposed a legacy OT communication protocol with no authentication or encryption.
• 2021 Iran Railway Incident: Attackers breached Iran's railway scheduling system and the digital message boards at stations. The scheduling system sits on the IT side but exchanges data with the OT environment, so the attack exploited the IT-to-OT interface: boards displayed prank messages, passengers were misinformed, and public trust in the railway authority was damaged. Safety-critical OT systems were not directly affected.
• 2016 San Francisco Muni Ransomware Attack: Ransomware at the San Francisco Municipal Transportation Agency disrupted back-end ticketing and scheduling systems, rendering fare systems inoperable (passengers rode free over the weekend) and delaying train scheduling and coordination. No safety-critical OT system was compromised, but the incident showed how an IT breach indirectly affects OT operations.
These incidents underscore the urgent need for authentication and encryption on every OT communication path, including legacy radio protocols, and for IT-OT segmentation that keeps a compromised planning or ticketing system from cascading into operations.
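The Poland incident above turns on a command channel with no authentication and no replay protection. The following added example, written for these show notes and not code from the episode, the guest, or any railway supplier, contrasts a legacy receiver that brakes on any frame carrying the stop code with one that verifies an HMAC tag and a strictly increasing counter before acting. The frame layout, the field names, the 16-byte truncated tag and the constant demo keys are all assumptions; the actual radio protocol involved in Poland is not modelled here.

```python
"""Added example: an unauthenticated stop command next to an authenticated one.

Illustrative code written for these show notes. The frame layout, field names,
truncated 16-byte tag and the constant demo keys are assumptions; this is not
the radio protocol used by any railway.
"""
import hashlib
import hmac
import struct

CMD_STOP = 0x01
CMD_RESUME = 0x02

LEGACY_FMT = ">HB"                     # train_id (2 bytes), command (1 byte); nothing else
BODY_FMT = ">HIB"                      # train_id, sequence counter (4 bytes), command
BODY_LEN = struct.calcsize(BODY_FMT)   # 7 bytes
TAG_LEN = 16                           # HMAC-SHA256 truncated to fit a narrow radio link


class LegacyTrain:
    """Onboard receiver on a legacy channel: any frame that parses and carries
    the stop code engages the brakes. Nothing ties the frame to an issuer."""

    def __init__(self, train_id: int):
        self.train_id = train_id
        self.braking = False

    def receive(self, frame: bytes) -> bool:
        if len(frame) != struct.calcsize(LEGACY_FMT):
            return False
        train_id, cmd = struct.unpack(LEGACY_FMT, frame)
        if train_id == self.train_id and cmd == CMD_STOP:
            self.braking = True
        return self.braking


def build_frame(key: bytes, train_id: int, seq: int, cmd: int) -> bytes:
    """Body followed by an HMAC tag computed over the body with a shared key."""
    body = struct.pack(BODY_FMT, train_id, seq, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedTrain:
    """Verifies the tag before parsing anything, then enforces a strictly
    increasing counter so a captured genuine frame cannot be replayed."""

    def __init__(self, train_id: int, key: bytes):
        self.train_id = train_id
        self.key = key
        self.last_seq = 0
        self.braking = False
        self.rejected = []  # reasons, in order, for frames that were dropped

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            self.rejected.append("malformed")
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            self.rejected.append("bad_tag")
            return False
        train_id, seq, cmd = struct.unpack(BODY_FMT, body)
        if train_id != self.train_id:
            self.rejected.append("wrong_train")
            return False
        if seq <= self.last_seq:
            self.rejected.append("replay")
            return False
        self.last_seq = seq
        if cmd == CMD_STOP:
            self.braking = True
        elif cmd == CMD_RESUME:
            self.braking = False
        return True


def demo() -> dict:
    """Walk both receivers through a forged stop, a genuine stop, a replay of
    that stop and a genuine resume. Keys are constants for the demo only."""
    operator_key = b"\x11" * 32   # constructed; real keys come from a key-management system
    attacker_key = b"\x22" * 32   # the adversary does not hold operator_key

    legacy = LegacyTrain(7)
    legacy_braked = legacy.receive(struct.pack(LEGACY_FMT, 7, CMD_STOP))

    train = AuthenticatedTrain(7, operator_key)
    forged_ok = train.receive(build_frame(attacker_key, 7, 1, CMD_STOP))
    genuine = build_frame(operator_key, 7, 1, CMD_STOP)
    genuine_ok = train.receive(genuine)
    braking_after_stop = train.braking
    replay_ok = train.receive(genuine)
    resume_ok = train.receive(build_frame(operator_key, 7, 2, CMD_RESUME))

    return {
        "legacy_forged_stop_braked": legacy_braked,
        "forged_accepted": forged_ok,
        "genuine_accepted": genuine_ok,
        "braking_after_genuine_stop": braking_after_stop,
        "replay_accepted": replay_ok,
        "resume_accepted": resume_ok,
        "braking_after_resume": train.braking,
        "rejections": list(train.rejected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the legacy receiver braking on an attacker's frame while the authenticated receiver drops the forged frame ("bad_tag") and the replayed frame ("replay") and accepts the genuine stop and resume. Verify the tag before parsing any field, compare it in constant time, and keep the counter per issuer. Authentication also changes the safety argument: a genuine stop sent under a stale key is now dropped, so key distribution and the fail-safe behaviour on rejected frames have to be engineered together rather than bolted on.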
Cybersecurity Standards and Best Practices for Railways (links to resources below)
To build resilient railway cybersecurity, Mughal emphasizes the importance of international standards:
• IEC 62443: A globally recognized series of standards (ISA/IEC 62443) for securing industrial automation and control systems, widely applied to OT environments including railways. It introduces zones and conduits for network segmentation, risk assessment, and target security levels.
• TS 50701: A CENELEC technical specification (CLC/TS 50701:2021) written specifically for railway cybersecurity. It adapts IEC 62443 to railway applications, with guidance for securing signaling, interlocking, and control systems.
• EN 50126 (RAMS Standard): A safety-focused standard that integrates reliability, availability, maintainability, and safety (RAMS) into railway operations.
Adopting these standards helps railway operators establish secure-by-design architectures that mitigate cyber risks.
Looking Ahead: Strengthening Railway Cybersecurity
As railway systems become more automated and interconnected with smart cities, vehicle transportation, and supply chain networks, cyber threats will continue to grow. Mughal stresses the need for industry collaboration between railway engineers and cybersecurity professionals to ensure that security is integrated into every stage of railway system design.
He also emphasizes real-time OT threat monitoring that understands railway signaling protocols, anomaly detection against a baseline of normal operations, and Security Operations Centers (SOCs) whose detection use cases are built on an understanding of how railway systems actually operate. The industry must stay ahead of adversaries by adopting proactive security measures before a large-scale cyber incident disrupts critical transportation networks.
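Mughal's point about SOCs that understand railway operations, together with the host's observation in the conversation that many trains receiving a stop command at once is itself an anomaly, can be made concrete. The following added example, not code from the episode or from any operator's SOC, runs two rules over a constructed log of emergency-stop commands: flag any stop that arrives over a channel absent from the learned baseline, and raise one alert when stops reach several distinct trains inside a short window. The event schema, the channel names, the thresholds and the sample events are assumptions.

```python
"""Added example: two SOC detection rules over constructed stop-command logs.

Illustrative code written for these show notes. The event schema, channel
names, thresholds and sample events are assumptions, not any operator's data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class StopEvent:
    ts: float        # seconds since epoch (constructed)
    train_id: str    # unit that received the emergency-stop command
    channel: str     # pathway the command arrived on, e.g. "primary" or "backup"
    source: str      # issuer as recorded by the OT monitoring sensor


def detect_anomalies(
    events: Iterable[StopEvent],
    baseline_channels: FrozenSet[str] = frozenset({"primary"}),
    window_s: float = 60.0,
    min_trains: int = 3,
) -> List[Dict]:
    """Return alerts for stop commands that deviate from the learned baseline.

    Rule 1 (off_baseline_channel): the baseline says stops only arrive over the
    primary control-centre pathway; every stop on another channel is flagged.
    Rule 2 (mass_stop): one alert when stops reach min_trains distinct trains
    within window_s seconds; it re-arms only after the window thins out again.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    alerts: List[Dict] = []

    for ev in ordered:
        if ev.channel not in baseline_channels:
            alerts.append({"ts": ev.ts, "rule": "off_baseline_channel",
                           "train": ev.train_id, "channel": ev.channel,
                           "source": ev.source})

    recent: Deque[StopEvent] = deque()
    armed = True
    for ev in ordered:
        recent.append(ev)
        while recent and ev.ts - recent[0].ts > window_s:
            recent.popleft()
        trains = {e.train_id for e in recent}
        if len(trains) < min_trains:
            armed = True
        elif armed:
            armed = False
            alerts.append({"ts": ev.ts, "rule": "mass_stop",
                           "trains": sorted(trains),
                           "channels": sorted({e.channel for e in recent})})
    return alerts


def demo() -> List[Dict]:
    """Constructed log: one routine dispatcher stop, then a burst of stops to
    four trains over the backup radio pathway within forty seconds."""
    sample = [
        StopEvent(0.0, "T12", "primary", "occ-dispatcher"),
        StopEvent(1000.0, "T31", "backup", "radio-unattributed"),
        StopEvent(1012.0, "T44", "backup", "radio-unattributed"),
        StopEvent(1025.0, "T07", "backup", "radio-unattributed"),
        StopEvent(1040.0, "T19", "backup", "radio-unattributed"),
    ]
    return detect_anomalies(sample)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the constructed log the routine stop at the start raises nothing, each of the four backup-channel stops raises an off_baseline_channel alert, and a single mass_stop alert fires at the third distinct train. The useful part for a railway SOC is the enrichment: an analyst sees immediately that the burst came over the backup pathway from an unattributed source, which is exactly the context a generic IT SOC would lack.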
The conversation makes it clear: cybersecurity is now a fundamental part of railway safety and reliability. As Mughal warns, it’s not a question of if railway cyber incidents will happen, but when.
To hear the full discussion, including insights into OT vulnerabilities, real-world case studies, and cybersecurity best practices, listen to this episode of Redefining Cybersecurity on ITSP Magazine.
___________________________
Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
ThreatLocker: https://itspm.ag/threatlocker-r974
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
The LinkedIn Post that inspired this conversation: https://www.linkedin.com/feed/update/urn:li:activity:7264434413965328384/
IEC 62443: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
CENELEC TS 50701: https://www.en-standard.eu/clc/ts-50701-2021-railway-applications-cybersecurity/
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Sean Martin: [00:00:00] And hello everybody, you're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine. This is the host, uh, Sean Martin, where I get to talk to, as you know, all kinds of cool people about cool things. And this, uh, this conversation is with, uh, Fahad Mughal. Fahad, thanks for joining me.
Fahad Mughal: Sean. Thank you for having me on the podcast.
Sean Martin: Uh, this is gonna be good. We, we connected, I don't know, a couple months back maybe, something like that. I, I saw you're in the rail, the rail space and, uh, looking at OT and security, I'm like We, we gotta have a chat, my friend. Let's, let's have a chat. So, I'm, I'm happy, I'm thrilled that you, uh, accepted my invitation.
And, uh, I'm happy to have this conversation with you today.
Fahad Mughal: great. Uh, thank you again for having me on the podcast, Sean. Uh, it's truly a pleasure to be here today. Let me start by saying that, uh, I am a regular viewer of your podcasts and the work you guys are doing to raise awareness about [00:01:00] cyber security is commendable. So, uh, I guess let me share a bit about myself.
Uh,
Sean Martin: Yeah, that's a good place to start.
Fahad Mughal: yeah, so, um, see I began my cyber security journey In the banking and financial sector, working with some of the well known institutions in the industry. As your viewers and listeners might know, the financial sector is one of the most heavily regulated industries, with a strong emphasis on cyber security.
So, during my time there, I had the opportunity to work on and implement some cutting edge security technologies, focusing on areas like security architecture, design, conducting risk assessments. Um, there was a phase in my career where I was deeply immersed in offensive security as well, engaging in penetration testing and red teaming exercises.
Uh, This financial industry [00:02:00] experience gave me a holistic understanding of both the offensive and the defensive sides of cybersecurity. Uh, I believe this dual perspective is an essential hallmark for a security architect. Uh, it's, it's critical to think like an adversary when, you know, designing systems to protect them.
So, uh, Fast forward to the past seven years, uh, I've been working with various critical infrastructure sectors like water utility and transportation industries that rely heavily on operational technology or OT and industrial automation and control systems or IACS as we commonly call it in our line of work.
Now, this is where my My journey into the OT cyber security space truly began with emphasis on OT security architecture. Um, I got opportunities to work [00:03:00] on, uh, OT cyber uplift programs of work, uh, involving design and implementation of OT threat monitoring solutions. architecting OT network segmentation schemes, uh, leading the design of SOC environments, which are the Security Operations Center, with focus on, uh, uh, security threat intelligence, monitoring and response, developing, uh, roadmaps for threat detection use cases using the MITRE Enterprise and ICS ATT&CK framework.
So, one thing I quickly realized while working with and learning from engineers and relevant stakeholders in this specific industry is the distinct challenges and priorities of OT environments. Unlike traditional IT environments where the focus is primarily on the CIA triad, which we call, you know, the confidentiality, integrity, and availability.
In [00:04:00] OT environments, uh, the The priorities shift dramatically, right? The focus here is on reliability, availability, public safety. As these OT systems control the technologies that influence and manipulate physical processes in the real world, right? So, it was during this time that I gained an understanding and, uh, discovered my passion for railway cybersecurity.
Sean Martin: Straight to the, straight to the whale, rails from water. I, I wanna, cause an interesting transition, and I, I've not done much with OT. I've, I've done a lot in, in traditional IT. And my, my sense is, while, There are certainly different business operations, every business has different objectives, and therefore you select technologies to help you achieve them.
Um, [00:05:00] the general infrastructure of I. T. is fairly common, whether you're at a bank, or retail, or, or, uh, I don't know, a doctor's office in healthcare. Now you start to, when you, when you, Obviously, moving to healthcare, you start to look at, you have connections in OT, you have manufacturing connections in OT, but there's still an IT, an IT role in each of those businesses as well.
So my question to you, because I'm curious, is what are some of the differences in terms of how the technology is architected, um, how it's managed? IT versus OT, and when we start to dig into the vulnerabilities and the threats that look to expose them or, yeah, compromise them, exploit them I should say, um, how are those teams and that, kind of that whole environment and process and ecosystem and culture, how do they compare, uh, based on your previous experience at IT?
Long winded
Fahad Mughal: [00:06:00] Sure. Yeah. So, uh, yeah. Interesting. As you mentioned, basically, you know, uh, if you consider just the railway industry, right? Uh, uh, the specific sector, just like any other critical infrastructure sector, you will have the IT side of the world and you will have the OT side of the world. World as well, right?
And, uh, so if you take a step back and look at how the railway industry has evolved over the years, right? From steam powered locomotives in the 19th century to the electric and diesel powered trains. of the 20th century. Uh, railways have been at the cornerstone of technological innovation. So today we are witnessing the next big leap with the rise of autonomous and unmanned railways, right?
We call [00:07:00] it driverless railways as well. These modern rail systems use state of the art technologies to improve efficiency, reduce human error, and enhance passenger experience. Now, here's the flip side to it, right? As railways become more advanced, they also become more dependent on digital systems. Right?
And, and this is where the operational technology or OT plays a critical role. Now, OT systems in railways are the technologies that manage and control physical railway operations, ensuring everything runs smoothly and safely. So, back, back to your question now, you know, you, you might ask, okay, what does OT encompass in, in a railway system?
So let's, let's try to break it down right now. [00:08:00] Uh, first and foremost, you have the signaling systems. Now, signaling systems are like the traffic lights of the railway world. They ensure that trains don't collide by managing the track occupancy, guiding trains, and maintaining safe distances between them.
In autonomous railways, signaling systems are heavily digitized and integrated with control centers to provide real time data feeds, basically. So,
Sean Martin: And can I, can I ask you something here? Cause as you, as you said, the signaling loop is kind of like the traffic lights. Um, the, the other thing I was saying, kind of the, the FFA FFA FAA, is there an entity that oversees all of the signals or is it by, I don't know, shipping signals versus or cargo. Versus transportation.
I don't know. Can you kind of paint that [00:09:00] picture? Who has access to what data? Who's generating the data?
Fahad Mughal: Yeah, so, so normally what you'll What you'll see in the, uh, railway environments is the railway entity actually controls those specific signals, right? So, uh, so those data feeds are basically going back to the control centers, basically, or operational centers, uh, that are controlled by the railway entity itself.
So it would be, you know, the railway operator or the maintainer itself, right?
Sean Martin: is the physical rails on the ground, regardless, regardless of what kind of vehicle is sitting on top of it. Okay. Got
Fahad Mughal: Thank you. And, and, and again, you know, this is where, you know, the signaling systems basically that are implemented in that railway infrastructure that, uh, those signaling systems play a key role here. Now, uh, examples of signaling systems would include CBTC, which are [00:10:00] communication based train control systems, which are designed for urban rail systems like metros and light rails.
Basically, and you know, the other example would be ERTMS, which is an European rail train management system, which is designed predominantly for long distance and regional trains. So, you know, it's sort of, you know, the backbone of the entire railway infrastructure itself. Uh, then, you know, you have. Uh, the interlocking systems.
Uh, these interlocking systems, think of them as the gatekeepers, right? They control the switches and signals, ensuring that the trains move only when it's safe to do so. Right? So with modern railways, these systems are no longer mechanical. They are now digitized and connected, making them faster. And, uh, more efficient, uh, [00:11:00] then you have these onboard OT systems itself, uh, on, on, uh, on the, uh, uh, uh, uh, the systems basically, uh, which include technologies like automatic train control system, which governs the speed and ensures compliance with the signaling instructions.
In autonomous railways, now these systems go a step further, managing the train's operations with minimal human intervention. Right? So, uh, uh, then you have the trackside equipments. Now, these include sensors, switches, actuators that gather data from the physical environment and communicate it back to the control system.
So, for example, you'll have axle controllers on the trackside, right? Now, these axle controllers basically help determine the track occupancy for the trains, basically, right? And then you have point machines. Uh, now these equipments [00:12:00] would ensure that, uh, you know, they manage the track switches itself, right?
Um, then, uh, you have SCADA systems in play as well. You know, SCADA, which stands for Supervisory Control and Data Acquisition Systems. They monitor and control the entire railway infrastructure. They, they gather the data from the field like temperature, speed, equipment status. and provide operators with the information they need to make decisions in real time.
Uh, and then, uh, you have these safety critical systems as well. Now, these are sort of the backbone of the railway operations. They're designed to prevent catastrophic failures and ensure passenger safety. These include automatic train protection, train braking systems, fail safe signaling mechanisms. Now, these [00:13:00] systems are engineered with redundancy and strict compliance to safety standards, right?
Uh, ensuring that even in the event of a fault, the system defaults. to a safe state. So these would be, you know, the main categories of, uh, you know, uh, operational technology systems that are, uh, prevalent in, you know, railway infrastructures. And with the advent of autonomous and unmanned railways, OT systems have become even more interconnected and data driven.
Trains communicate with the, uh, uh, with the control centers. They communicate with track site equipments, they communicate with other trains in, you know, in some parts of the world, the trains communicating with the other trains to optimize the schedules and ensure safety. Um,
Sean Martin: was [00:14:00] an airline situation here. I think it was in I can't remember where it was in the States, but, uh, Chicago, perhaps? I don't remember. But, uh, anyway, two, two planes came very close to each other, and as the story goes, the two, the two planes knew, one plane knew, well, each plane knew of the other one, that they were in, in, in imminent danger, and one was automatically guided up, the other was guided down, and, and maybe away from each other, but, so the, the story goes, the planes detected.
the, the peril and adjusted their flight path automatically to avoid collision, which is pretty cool. Sounds like some of that same type of analysis and capabilities there for the safety. Maybe, can you, using that and maybe other examples, kind of provide a view of what some of the objectives are for the railway environment.
Um, I think you mentioned speed and efficiency and [00:15:00] things like that. What, what are railway companies trying to do? I don't know, and how does the railway system, do they have, do they support those objectives? Do they have their own that compete against? against the carriers and transporters.
Fahad Mughal: yeah, so, uh, the, see, from, from, from cyber perspective, right, the, the main objectives of, of the railway systems would be to ensure, uh, the reliability. You know, of the operations itself, uh, availability, uh, you know, of, uh, the, the environment maintainability and safety. Now, these are some of the, you know, major components, basically, that, uh, make up, uh, you know, the, uh, uh, the the main objectives basically of the entire railway operations itself.
Right? Uh, you know, [00:16:00] uh, as you said, you know, these, uh, integrations and sensors, basically, you know, they bring. incredible efficiency, you know, when, you know, when you see the railway operations work, but, uh, it also significant.
Sean Martin: curious, I'm curious, are they, are they trying to push the trains to go faster while maintaining safety? Are they trying to put more, more trains on the tracks and trying to manage the schedules in order to deliver more people and goods? I don't know what, some of those things and, and because when we start talking about the, the threats, right, if, if that gets really complex because they're pushing the envelope on what they're trying to achieve and pushing the envelope of the technologies that enable them to do that, those are prime target points, in my opinion, for, for the, the availability and, and reliability things that we're trying to
Fahad Mughal: that, that is very true. And I guess, you know, [00:17:00] it will depend on which part of the world you are in, I guess. Right. Because, you know, in some parts of the world, you know, they're, uh, they would like to increase, you know, how many people travel on the transportation systems, you know, each day and they would try to increase the capacity.
Uh, uh, but then, you know, there are some parts of the world that are competing to have. Uh, you know, fast metro lines, basically, you know, high speed rails, basically, you know, uh, going from one point to another. So, uh, uh, yeah, I guess, uh, it, it depends on, you know, what, what part of the world you are in basically.
And, uh, you know, depending on that, you would see basically, you know, the priorities would change, I guess.
Sean Martin: Yeah, absolutely. It's always interesting when you throw that depends thing in there. Because then you have different scenarios and situations you have to be prepared [00:18:00] for. Which means tuning the technology and looking for different threats. Maybe we can talk a bit about, um, I don't know, do we, do we cover enough of what's in it and what they're trying to accomplish?
Are there any, any other points you want to make in terms of what it looks like to kind of help frame where the weak points might exist from a cyber perspective?
Fahad Mughal: Yeah. So, uh, I guess, you know, as I was saying, you know, uh, when, when we look at these specific technologies, you know, and the integration that they bring about, right. And, uh, with the, with these specific integrations, you know, they, they, they bring about incredible efficiency as well, but, uh, it, it also then significantly increases the attack surface for cyber threats.
Right. As you do more integration, you make it more digitized, you know, more IT OT integration, you know, the attack surface, [00:19:00] uh, definitely sort of, you know, then it increases, that increases the cyber threats. Now, if we look in the past decade, for example, right, and if we look at some of the significant, uh, uh, incidents, cyber incidents that have occurred in the railway industry, right, they, they highlight unique challenges.
that railways face when it comes to cyber security. So for instance, you know, in, in 2023, uh, Poland, uh, had, uh, had an incident. Now it was attributed to a nation state actor, you know, uh, I guess all of us can understand basically with the geopolitical situation in that part of the world. Uh, but in, uh, 2023, uh, adversaries exploited vulnerabilities in the radio communication system that was used by Polish railways [00:20:00] to issue unauthorized stop commands, triggering emergency brakes on multiple trains.
So, uh, the adversaries in this instance used a simple, unencrypted radio frequency to send commands to trains' onboard systems, exploiting the lack of security in the communication protocol. Right.
Sean Martin: Sounds, sounds like an authentication issue.
Fahad Mughal: That's true. Yes. Yes. Uh, so the, the, the impact of this particular incident was that the, the trains across Poland came to a halt, leading to operational chaos, freight services were disrupted. impacting supply chains, uh, while passengers were stranded and, you know, they faced, you know, enormous delays, basically.
Now, this attack, uh, [00:21:00] revealed a critical gap in the, you know, the cyber security of, uh, using legacy communication, uh, systems in the OT environments that rely on outdated protocols. And as you said, basically, one, one of the lessons learned From this particular incident was, you know, the, the, the, the use of encryption and authentication.
Right. That must be implemented across, you know, all communication systems, including the radio protocols itself. Uh, so now this is sort of one, one, one sort of incident, which, you know, directly affected the communication system leading to, you know, trains halting. Right. The. The other incident, which happened in 2021, which happened, uh, to Iran, uh, Iran's railway network, basically.
And, [00:22:00] uh, in this particular instance, adversaries targeted Iran's, uh, railway infrastructure, breaching scheduling systems and the digital message board systems that you see, you know, normally at the train stations. Now, uh, the modus operandi of in this case was that the adversary compromised the scheduling system It sort of lies in the IT side of the railway infrastructure, right?
Uh, but it, it does interact with the OT environment because, you know, you get the information out from the OT environment into the IT and the scheduling system sort of work, you know, from there. Now, in this specific case, you know, while the, the safety critical OT systems were not directly affected, but the, the, The attack exploited indirect vulnerabilities in the IT to OT interface.
Uh, the impact in this particular [00:23:00] instance was that passengers were misinformed, leading to widespread confusion, digital boards displayed prank messages. It, it tarnished the public trust in the railway authority there basically, right? Uh, the incident, uh, you know, highlighted the risk of poorly segmented IT and OT environments in this case.
And one, one of the lessons learned from this particular incident was that even indirect attacks on IT systems can cripple the OT operations. For disruption of, you know, the public facing or planning system that are used in the railways. Uh, the, the, the third, uh, case study that we can look at was, uh, in San Francisco, actually.
Uh, it happened to the San Francisco Municipal [00:24:00] Transportation Agency, uh, in 2016.
Sean Martin: at the, it was Bart, I think it was the, the ransomware case, right?
Fahad Mughal: Yes, yes. So, so, as you might already be aware, you know, the San Francisco Municipal Transportation Agency, it, uh, it's responsible for both the trains and the bus networks, basically, right? Now, it, it suffered a major ransomware attack that, uh, disrupted the ticketing and the scheduling systems back in 2016.
Now the ransomware infiltrated the backend systems responsible for coordinating the train operations and, you know, public, uh, information. Uh, the impact in this case was the, that the fare systems were rendered inoperable and, uh, leading to, uh, free rides for passengers during the weekend. And there were operational delays which disrupted, you know, the train scheduling and coordination.
Although In this case [00:25:00] as well, there was no safety critical OT systems that were compromised, but the incident showcased, you know, how the breaches on the IT side can indirectly affect the OT operations, right? So when we look at these, you know, particular case studies, right? There are other numerous incidents, but I just took, you know, these three, uh, for the past decade because these three sort of, you know, showcase different sort of modus operandi and how they can sort of affect the, you know, the railway operations, right?
Uh, now, while these, you, these case studies highlight the vulnerabilities that can be exploited in railway systems, you know, leading from IT cascading into, you know, the crippling of the OT operations, it's worth noting that till date, Uh, the industry has been relatively fortunate, uh, in [00:26:00] avoiding any large scale OT consequences, you know, from cyber threats leading to any safety compromise, right? Uh, in, in my humble opinion, this is due to several factors that make direct attacks on the railway OT systems less frequent. Uh, the, the first factor is the use of legacy systems. Now, many railway OT systems, still today, still rely on proprietary or air gap technologies like relay based interlocking systems, uh, that were not originally designed for connectivity.
making them harder to target remotely, right?
Sean Martin: All, all the SCADA stuff.
Fahad Mughal: Yeah. So, uh, although SCADA is, you know, becoming, becoming very interconnected and stuff, but there are, you know, some technologies that are still, you know, uh, [00:27:00] utilized within the railway environments. that you can't sort of, you know, target remotely basically, right?
Um,
Sean Martin: Now is it, is that a lot of, because I'm picturing railway systems that have been around for a hundred, maybe hundreds of years, right? That are, they're, they're, they're there in their physical state and now you're trying to tack, tack on, uh, and connect digital systems and sensors and, and controllers on that stuff, right?
Fahad Mughal: Because yes, because that's provided that sort of provides the pathways, right? The remote connectivity pathways basically, uh, you know from the operator stations to centralized control systems to the particular PLCs basically Right as you become more connected basically, you know, it provides pathways to adversaries as well Right.
To issue commands. Uh, but, but when you're, when you're using, you know, those legacy [00:28:00] systems, basically those pathways don't necessarily exist, basically. So, so that's,
Sean Martin: you something about, about, about response and I'm, I'm, if I'm not derailing, pun intended, derailing you too much here, but because that example of the, the signal being sent to, or the, the, the encrypted command being sent to stop a bunch of trains and, and trigger their brakes to, to activate.
Um, I don't, who's looking after that? Um, to, I mean, cause that, to me that's an anomaly, right? If multiple trains all have a signal, let's say stop your, halt your brakes, that's an anomaly in the communications environment. So, you mentioned the SOC earlier, the Security Operations Center. Is there a railway SOC?
Does each train operator have their own SOC looking at this stuff as well? Cause I'm trying to figure out who's responsible, who's looking, what are they looking for? Does everybody have this use [00:29:00] case in their, in their playbook now? For detection and response? Um, can you kind of paint that picture?
Fahad Mughal: yes, I'm sure after that, yes, uh, many of the SOCs, uh, would have implemented such scenarios. Uh, in, in, in the specific case of the Poland railway attack, that was more of a backup pathway, basically. That was actually, so that's not,
Sean Martin: So subverted, traditional, or the core
Fahad Mughal: so that, that, that's not the, uh, you know, the, the primary pathway to issue commands, but it's sort of used, you know, when you want to, uh, pursue a backup pathway to, uh, to, to issue, you know, emergency brakes.
And that was something that the adversaries sort of exploited. Right. Uh, and, and, and, and much of the knowledge you know of, of this, we can. It's sort of, you know, I consider, you know, uh, it, it, it requires a lot of research to understand basically, you know, how the railway systems work, you know, how you would issue [00:30:00] such commands.
And of course, you know, when we look at the nation state actors these days, basically. Those are the actors basically that will have the enough capability and understanding of how these systems operate and how you can issue, you know, such commands, uh, primarily, uh, you know, uh, the, the railway operators.
would be the ones basically, you know, looking at, you know, these functionalities, depending on how mature your SOC is, and how, how much your SOC is actually integrated with, you know, the, the, uh, the day to day railway operations, and how much they understand the railway operations. These threat detection use cases, you know, uh, would only be developed when you have the understanding.
of how, you know, these, uh, systems sort of, you know, uh, uh, function together. So I guess, you know, that might answer your question there.
Sean Martin: Now it's
Fahad Mughal: on [00:31:00] the maturity of the SOC, I guess.
Sean Martin: Yeah, well, it's a super important point in my view that you can identify weaknesses all day and all night, and yes, you might be able to hypothesize how they might be exploited to do something, but to your point, if you have an understanding of how the system works, you can use one or more legitimate actions
with maybe one illegitimate
Fahad Mughal: That
Sean Martin: action in there. And if you're not expecting that nefarious one in there, you might not catch it.
Fahad Mughal: That is true. And from that perspective, it's important to always look at the baseline. There are OT threat monitoring solutions that are sort of ingrained in the environment these days, and some of the solutions that I have seen [00:32:00] understand the signaling protocols as well, because they're not like the normal network protocols that we use in our data centers. Now these threat monitoring solutions understand the signaling protocols, how they work, they can look for anomalies, and these sort of solutions act as one of the primary inputs into the SOC environments, so that you develop a baseline and understand what normal looks like.
And then, if any anomaly occurs, that should alert the SOC operators or the rail operators itself.
Sean Martin: So on that point, how important is it that a human, I mean, obviously the trend is moving to autonomous vehicles, if you will, right? The trains would be autonomous. But from an operational perspective, how important, and maybe even on the train still, how [00:33:00] important is it that there's a human involved?
Fahad Mughal: See, the human involvement is always there at the backend. Right. Although the newer driverless trains, the autonomous trains, function in an automated manner, with all the controls from the automatic train control systems connecting back to the control centers, and all these mechanisms around the safety protocols that reside there.
Now, one thing to understand here is that railways have stringent safety engineering mechanisms in play as well. So we need to acknowledge that, right? Now, these systems are designed to prevent catastrophic failures. For example, if you look at the interlocking [00:34:00] systems, they have multiple layers of safeguards.
Right? And components like signaling networks are designed with built-in redundancies as well, such as duplicated controllers and parallel communication channels to ensure continuous operations. Now, railway systems do prioritize fail-safe principles, where systems default to the safest state, for example, stopping the trains in case of failures or anomalies.
So safety plays a key role there, and all these systems are engineered in such a way that safety does take priority when an event or a failure occurs. But, having said that, as railways do continue to digitize and integrate IT with OT, the attack surface is [00:35:00] rapidly expanding.
This opens the door for more sophisticated threat actors, including nation state groups, to target railway systems as part of geopolitical conflict, as I mentioned earlier, right? Now, for example, disrupting a country's railways could cripple supply chains and passenger transit, creating both economic and political chaos.
So, while to date we may not have yet seen any widespread direct OT consequences or direct attack on the OT systems in the railway sector, the risks are growing with the changing threat landscape, right? So it's only a matter of time, as I say, that the right combination of opportunity,
motive and capability brings these threats to the forefront, right? [00:36:00] So yeah, this is where I see the current state of cybersecurity, where it's at, within the context of the railways.
Sean Martin: One of the things I'm hoping to talk quite a bit about this year on the show is the supply chain and interconnectivity. Look at the New York subway. It's pretty much an isolated system, right? But if you go to Sydney, where you are, or San Francisco, the rails cross car and truck vehicle systems.
So there's coordination between rail signaling and automobile and pedestrian signaling as well, right? In some cases, pedestrians get to go first. So that just opens my mind to, I mean, the rail systems aren't the only places that innovation is taking place. [00:37:00] There's, in the autonomous cars, right?
But then also smart cities, the bigger picture there. So I'm just wondering, everything, not just everything in rail, but everything is connecting. And then you have all these parts. So, it's another big question, but your view on how supply chain is viewed within rail itself and then also from a connected perspective to other systems.
Not just IT for the rail operator, but like cities and cars and things like that.
Fahad Mughal: Yeah. So, see, from the perspective of supply chain, it is one of the hot topics within the risk management framework of enterprises. Right. And in this specific case as well, when you look at any standard, for [00:38:00] instance any international standard, it will call out supply chain security as well.
And similarly, this is also a very prevalent threat in the rail industry sector as well. Right. Now, organizations, as I see, are ensuring that they have the right sort of risk management frameworks, the right sort of policies in place, to address this specific threat of the supply chain, because you need to have a good vetting program.
Right. Of the vendors that you are taking your components from. This sort of [00:39:00] requires mature risk management practices within the enterprise and how they use them, I guess, in this instance as well. Every organization is sort of different, from the maturity level where they are at, how stringent their risk management practices are with regards to supply chain. Having said that, when we look at any international standard that's being globally used for the rail industry as well,
one of the primary components is the supply chain security there. That is being called out.
Sean Martin: I think early on you touched on some of the standards, I think they're operating standards. Are there also [00:40:00] specific cyber standards for railway that you're seeing? And do you want to list any that are of interest?
Fahad Mughal: Yeah, so, see, there are several internationally recognized standards and frameworks. There are the ones normally used in the IT side of the world, like NIST CSF, for instance, that serves as a foundation for building resilient infrastructures, or ISO 27001, which again helps develop the ISMS for the IT side
of the railway infrastructure, for example, to secure IT systems like ticketing, passenger information, and operational data centers, right? But then there are certain standards that are applicable to the railway's OT environment. So first and foremost, there is IEC 62443. Now, this particular standard is a [00:41:00] globally recognized standard for securing industrial automation and control systems.
It's not specific to railways, but it's designed to address cybersecurity across a variety of industrial sectors that use operational technology or industrial automation and control systems, including the OT systems in railway, so it's applicable to railway systems as well.
It provides a comprehensive, vendor-neutral set of practices applicable to the entire lifecycle of OT systems, right? Ensuring cybersecurity is in place from system design to procurement, deployment, operations, maintenance and decommissioning. And this is where, as you're mentioning, the supply chain factor comes into play as well, in the entire life cycle, when you're purchasing any new components. [00:42:00] Now this specific standard introduces concepts of segmenting systems into zones
based on the criticality of the systems and defining conduits between these zones to securely manage the communication pathways between these zones. It also introduces some concepts of security levels based on the threats faced by a particular zone, the protections that are required for a particular zone and the criticality of the systems that are residing in a particular zone.
It provides a structured approach for identifying, assessing, and mitigating risks. This includes security policies, vulnerability assessments, and incident response planning. Now, this standard, as I mentioned, is a globally [00:43:00] renowned framework and standard that's used across multiple critical infrastructure industries.
In the context of railways, it's applicable to OT systems like signaling, SCADA, interlocking, ensuring they are resilient to cyber threats. So this one is particularly a global standard. Now, the second standard, which is sort of customized towards the railway industry, is TS 50701.
It's a European standard. It's basically a technical specification specifically designed for cybersecurity in railway applications. It provides a detailed framework tailored to address the unique challenges and complexities of securing operational technology systems in railways. TS 50701 builds on the principles of [00:44:00] 62443, the standard that I mentioned earlier, right?
So they're very intertwined, but the 50701 standard is customized for railway-specific needs, right? It introduces the same concepts of zones, conduits, security levels, but it looks at them in the context of railway systems. Again, how you can actually segment the different railway components into different zones.
So for instance, protecting the highly critical systems like signaling or interlocking and isolating them from less critical or more exposed systems like the passenger information systems. So this particular standard provides very actionable guidelines for railway operators, maintainers, manufacturers, even the vendors that [00:45:00] build components for the railway systems itself.
Now, TS 50701 is often used in Europe to guide the design of secure signaling systems and interlocking systems. The third particular standard that I'll touch upon is a RAMS standard. It stands for reliability, availability, maintainability, and safety. It's EN 50126. Now, this one is not a particular cyber standard, but it's sort of a safety standard, which is highly used in this particular industry.
It's, again, a European standard that establishes a framework for safety in railway systems. It defines a very structured life cycle process to ensure safe and dependable [00:46:00] operation of railway assets while addressing the unique challenges of safety-critical systems. It introduces methodologies for analyzing potential failures and their impacts on operational safety and performance.
It introduces concepts of safety integrity levels to quantify the risk reduction required for safety-critical functions. So, as I mentioned earlier, it's not a particular cyber standard, but it does acknowledge the increasing overlap between functional safety, which looks at preventing physical harm, and cybersecurity, which looks at protecting against malicious actions.
Right, so this particular standard is widely used for developing safety-critical systems like automatic train [00:47:00] protection systems. So yeah, these would be, I guess, the main standards that are used globally. There might be other standards out there as well, but I've seen these standards being used and referenced globally a lot,
I would say.
Sean Martin: That's a fantastic overview of those. Yeah, so I think we can point people to them and they can explore them. And of course, if anybody listening or watching wants to comment on others they see that are helpful, I would encourage that. I don't want to stop, but we're approaching 50 minutes. So, I have a gazillion questions still.
So maybe, I don't know, maybe we can have another chat down the line and dig into some more.
Fahad Mughal: Sure. Anytime.
Sean Martin: I want to leave my audience, a lot of security leaders, CISOs, managers, listen to my show. [00:48:00] Maybe a final thought from you with them in mind. Something they can take away. Something they may not have thought of or should be paying attention to because of what's coming.
Yeah, a final thought from you for that group.
Fahad Mughal: Yeah, I guess, when we talk about the railway industry itself, it sort of stands at the crossroads of technological innovation on one hand and the rising cybersecurity challenges, right? As we move towards smarter, connected and autonomous railways, which are being adopted globally now, the
need for robust cybersecurity, I guess, has never been greater, right? The particular industry standards, like I just mentioned, around TS 50701 and IEC 62443, serve as [00:49:00] good foundations for building secure systems in railways. While collaboration, industry collaboration, interdisciplinary collaboration and innovation will drive resilience, right?
I guess that is a very important aspect that a lot of organizations miss, because what we see today is we have these engineers that understand the intricate details of the systems itself, right? The dependencies of the systems. But on the other hand, you have these cybersecurity experts, right?
We need them to be talking more so that we can design and protect these systems, because the engineers understand the system dependencies and the cybersecurity experts understand how adversaries infiltrate, or could potentially infiltrate, [00:50:00] these systems itself. So there's a lot of collaboration needed in that space.
And coming back to what I was saying around the OT consequences, that we haven't seen it yet. The question isn't if railways will face cyber threats with OT consequences, the question is when. It's going to occur at some point in time. And I guess we sort of need to be ready when that occurs.
So yeah, I guess that's my final thoughts on this subject.
Sean Martin: We've seen the signals for what can happen. And, yeah, I think I'm hopeful because, from an enterprise perspective, there's a lot of momentum from the resilience perspective. Business resilience, IT resilience. I'm hopeful that we'll see a lot of that push into, or that IT [00:51:00] and OT ask for help with that for OT resilience as well.
But the other thing that I always, in any conversation that involves OT, whether it be in water and power or rail or transportation or manufacturing, safety is always a big thing. And I think when we talk about cybersecurity and we try to connect it to people, we end up landing in healthcare, which of course has some OT in there as well.
And then we talk about ICS differently, separately, which has OT, and I think we forget that just the operations of this, the safety of the people operating it, and then the safety of the people enjoying the spoils of whatever that service is offering, getting from A to B, or clean water, or power, or gas, or whatever it is, the people around it
need safety as well. So safety is always another big thing. So I'm glad we had a chance to talk [00:52:00] about that as well. And yeah, I'm super happy we had a chance to talk about this too, Fahad, the overall railway security. Great overview, great conversation. I hope you'll join me again.
Um,
Fahad Mughal: Yes, definitely.
Sean Martin: to dig into.
Fahad Mughal: Thanks for having me here. Thanks a lot, Sean. Really
Sean Martin: you. And everybody listening and watching, thanks for joining us for this chat. And we'll include some links to some of the standards and frameworks and things that Fahad mentioned. And of course, please do share with your friends and enemies, and stay tuned for more here on Redefining Cybersecurity on ITSP Magazine.
Thanks, everybody.
Fahad Mughal: Thanks all.