Connected devices, the Internet of Things (IoT), and the convergence of IT and OT in rail operations are expanding the potential for cyber threats.
In this Help Net Security interview, Dimitri van Zantvliet, Director of Cybersecurity/CISO at Dutch Railways and co-chair of the Dutch and European Railways ISAC, discusses cyber attacks against railway systems, building a practical cybersecurity approach, and cyber legislation.
The railway industry is facing a major turning point. Each additional connected device gives attackers a new opportunity to exploit. How has your job evolved as digital transformation has progressed?
At Dutch Railways (although this is true across our sector), in the face of increasing digital transformation, the evolving threat landscape and new cyber legislation, our cyber jobs have evolved to put more focus on cybersecurity. Connected devices, IoT and IT-OT convergence have greatly expanded the attack surface for potential cyber threats.
As such, our primary responsibilities include implementing and maintaining robust security measures to protect our systems and networks from cyberattacks. This includes regular risk assessment and mitigation, implementation of security protocols and controls, and ensuring compliance with rail sector regulations.
In addition, our IT and operations teams work closely with our strategy and GRC teams to integrate security into the design and deployment of new technologies, and we develop incident response plans to address security breaches that may occur. In summary, the increasing digital transformation in the rail industry highlights the need for a top-level, proactive and comprehensive approach to cybersecurity to protect company assets and customer and employee data. Cybersecurity is now ChefSache!
Safety incidents and service interruptions can wreak havoc on rail systems. Are cyber attacks on the rise? What are the most common types of attacks? Do you have any interesting techniques to share?
Yes, 100%. Together with the (European) Railway ISAC, the local NCSC and ENISA, we track all incidents occurring in this sector. As mentioned earlier, cyberattacks on the railway industry have increased in recent years as this important sector becomes increasingly dependent on digital systems and connected devices. The types of attacks that have been observed are:
- Phishing and Social Engineering: These attacks involve tricking employees into giving away sensitive information or installing malware on their computers.
- Ransomware: Hackers encrypt RU/IM files and demand a ransom to restore access to them.
- DDoS attack: This type of attack involves flooding the network with traffic and interfering with its normal functioning.
- Supply chain attacks: Supplier software vulnerabilities and hacks.
- Insider Threats: Espionage, sabotage, and data breaches are risks we perceive.
- With the ongoing war in Ukraine, there has been an increase in attacks on rail infrastructure in the region where new tools, techniques and procedures (TTPs) are being developed and deployed. We are closely monitoring OT malware developments and wiperware attacks for potential spillover effects on Western companies.
We educate and train employees on the importance of cybersecurity and on the methods listed above. This includes regular security awareness training and simulated phishing campaigns to test employees’ susceptibility to social engineering attacks. Finally, we implement and maintain a multi-layered Zero Trust security approach that includes traditional IT security controls such as firewalls and intrusion detection systems, security controls specific to OT control systems, and newer approaches such as continuous cyber policy enforcement, which we are working on.
What advice would you give to a newly appointed CISO looking to build a practical cybersecurity approach for rail systems? Where to start?
There are some important steps you can take in your first 100 days.
- Start building your (internal) network and map your stakeholders. You are a trusted advisor to your organization, but your organization needs to know where to find you. Conduct interviews and hear what is brewing at your organization. Understand how you can contribute to business drivers.
- Conduct a risk assessment: Start by conducting a thorough risk assessment of your organization’s assets and systems to identify potential vulnerabilities and threats. This allows you to prioritize your efforts and focus on the areas that matter most to your organization.
- Develop Security Strategy: Based on the results of the risk assessment, develop a comprehensive security strategy including an Information Security Management System (ISMS), policies, procedures and controls to protect against identified threats. This should include both traditional IT security measures and security controls specific to OT control systems.
- Oversee the implementation of these security controls: Once you have developed your strategy, implement the security controls necessary to protect your systems and networks.
- Employee Training: Cybersecurity is a shared responsibility and it is imperative that all employees understand the importance of cybersecurity and know how to spot and respond to potential threats.
- Monitoring and maintenance: Continuous monitoring and maintenance is essential to maintaining the effectiveness of security controls and identifying and responding to new threats in a timely manner.
Instead of limiting yourself and your team to these bullet points, also address compliance, incident response, and supply chain collaboration. Don’t be afraid to ask your fellow CISOs for advice. I would be happy to provide guidance as well.
How do you handle legacy assets for which patches and upgrades are not available?
Yes, these systems may still be in use, but this is always a challenge as they are no longer supported by the vendor. Some assets (such as trains) have a lifecycle of 30 years. It depends a bit on the Purdue level the asset runs at, but here are some ways to deal with this issue:
- Network segmentation: logically separate the legacy system from the rest of the network so that even if an attacker compromises it, they cannot move laterally to other parts of the network.
- Air gap: Another option is to physically separate the legacy system from the rest of the network. This can be done by completely disconnecting the legacy system or placing it on a separate, isolated network.
- Restrict access: Limit the number of people who can access legacy systems and implement strong authentication and authorization controls to control access.
- Of course, more controls are possible, but ultimately you should seriously consider replacing your legacy system with a newer, more secure alternative.
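As an added illustration (not part of the interview or of Dutch Railways' own configuration), the following nftables ruleset shows one way to express the "network segmentation" and "restrict access" controls above on the gateway in front of an unpatchable legacy asset: default deny, reachability only from named engineering jump hosts on a single maintenance port, no outbound connections from the legacy segment, and logging of every denied attempt so that lateral movement shows up in monitoring. All interface names, addresses and the port number are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the interview. Segmentation policy for a gateway
# with two interfaces: "eth_corp" (corporate/OT network) and "eth_legacy"
# (the isolated segment holding the unpatchable asset at 10.99.1.5).
# All names, addresses and ports are constructed placeholders.

flush ruleset

table inet legacy_segment {
    # Constructed: the only hosts permitted to reach the legacy asset.
    set engineering_jump_hosts {
        type ipv4_addr
        elements = { 10.20.0.10, 10.20.0.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Keep already-permitted sessions alive; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Access restriction: only the jump hosts, only to the asset, only on the
        # vendor maintenance port (constructed: 20000/tcp). New sessions are logged.
        iifname "eth_corp" oifname "eth_legacy" ip saddr @engineering_jump_hosts ip daddr 10.99.1.5 tcp dport 20000 ct state new log prefix "LEGACY-ALLOW " accept

        # The legacy asset never initiates connections outward. Any attempt is a
        # signal of compromise, so it is logged before being dropped.
        iifname "eth_legacy" ct state new log prefix "LEGACY-EGRESS-DENY " drop

        # Everything else toward the legacy segment is logged and dropped.
        oifname "eth_legacy" log prefix "LEGACY-INGRESS-DENY " drop
    }
}
```

The log prefixes give the SOC three distinct event classes to alert on: allowed maintenance sessions (to reconcile against change tickets), blocked inbound attempts (scanning or misconfiguration), and blocked outbound attempts from the legacy segment (the strongest indicator that the asset itself has been compromised). Loading the file with `nft -f` on the gateway applies the policy atomically.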
The Critical Infrastructure Cyber Incident Reporting Act of 2022 (CIRCIA) targets institutions, groups, and businesses whose service interruptions could threaten the economy or public safety. What do you think about this?
We are keeping a close eye on what our friends across the pond are developing. Your president seems to be embracing cybersecurity, and I recently had the opportunity to meet with his cybersecurity director, Chris Inglis. Critical infrastructure is a particular target for attacks, so having legislation to accelerate resilience is perfect in my opinion. We are only as strong as the weakest link in the supply chain. Europe, too, is working on the implementation of the NIS directive, and recently the European Commission issued the NIS2 and Critical Entities Resilience (CER) directives. We applaud these initiatives.
In general, I believe that requiring cyber incident reporting by institutions, groups, and companies whose service disruptions could threaten the economy or public safety is a positive step toward improving the security of critical infrastructure. Mandatory incident reporting allows organizations to share information on threats, vulnerabilities, and best practices, helping improve the overall security of the sector.
We also believe that the new cyber law is an important step in the right direction, but it is only one piece of the puzzle. Organizations must take a holistic and proactive approach to cybersecurity to effectively protect critical infrastructure from cyberthreats. I am confident that with the right commitment to do this, the rail sector will become more resilient every day!