Enhancing the Cyber Resilience of Critical Rail Infrastructure
The National Academy of Sciences (NAS) has defined “resilience” as “the ability to prepare and plan for,
absorb, recover from, and more successfully adapt to adverse events.” “Cyber resiliency” describes the attributes of
an electronic system that assure the system continues to perform its
mission-essential functions even when under cyber-attack. Because the rail system is a critical strategic
infrastructure, its cyber resiliency is essential to the resilience of most of the
other transportation sectors, since there are significant national security
implications if these sectors were disrupted.
Resilient systems can withstand a cyber-attack and can continue to
operate even in a degraded or debilitated state, still carrying out their
mission-essential functions. Such
mission-essential systems should be prioritized when developing cyber
resilience, as these systems would be favored targets in a coordinated
cyber-attack on the United States.
An example of
the cyber-physical threat against critical infrastructure is the attack
on the Ukraine power grid that took place on December 23, 2015, when a phishing
email installed malware on the command systems of the Prykarpattyaoblenergo power
control center in the western Ivano-Frankivsk region. This malware was used to
take control of circuit breakers at 30 substations across the region and to
switch the substations offline, causing a power blackout that affected more
than 230,000 residents. The attackers took this a step further by disabling the
backup power supplies to two of the three distribution centers to prolong the
outage while also preventing the operators from effectively responding. Although the
outage only lasted 1-6 hours, the control centers were still not fully
operational two months later. This difficulty in recovery was due to the effort
taken by the adversaries to damage control systems by overwriting the firmware
on devices at 16 of the substations, leaving them unresponsive to any remote
commands from the operators. Customers who
were attempting to call the Ukrainian power companies were also hindered by an
ingenious use of a telephone denial-of-service attack, during which thousands of
bogus calls appearing to come from Moscow area codes were used to overwhelm and
confuse the customer service call centers. The final phase of the attackers’
sabotage included running malware called KillDisk to erase files and software
from the operators’ workstations, rendering them useless.
A second attack in December of 2016 employed a more evolved piece of malware named
“Crash Override,” the second known case, after Stuxnet, of purpose-built
malicious code designed to disrupt physical systems. Instead of gaining access to the Ukraine
power utility networks and manually switching off power substations as in
2015, this time malware was used to fully automate the attack. This software
could “speak” directly to the grid equipment, sending commands in the obscure
protocols employed by control systems to switch power on and off. This is
scalable attack software that can run without any feedback from the attackers,
meaning that once installed, it can target secure networks that are
disconnected from the internet. As soon as a system is infected, the malware
automatically maps out control systems and locates critical targeted
equipment. Additionally, it records
network logs and sends that information back to the attackers, thereby allowing
them to learn how the power control systems function over time. The malware’s
swappable component design means it could be easily adapted to protocols used
in the U.S. or elsewhere, downloading new modules whenever the malware can
connect to the internet. The malware also has a built-in ability to destroy all
files on a system, effectively covering its tracks and destroying any evidence
of its own presence.
The rail industry has increasingly deployed TCP/IP-based communications
technologies to obtain business efficiencies as well as to respond to statutory
requirements, potentially increasing the vulnerability of this critical
infrastructure. When coupled with the
immense geographical dispersion of the rail system, the large number of
industry stakeholders, the limited
resources available, and the interconnectivity of the system, successful
perimeter defense of the rail infrastructure from all attacks is unlikely,
making cyber resiliency essential to ensure system survivability.
The National Institute of Standards and Technology
(NIST) has developed a handbook for achieving cyber resiliency
outcomes based on a systems engineering perspective on system life cycle
processes. It allows the experience and
expertise of the organization to determine what is correct for its
purpose. Organizations can select,
adapt, and use some (or all) of the cyber resiliency constructs (i.e., goals,
objectives, techniques, approaches, and design principles). Organizations can
apply those constructs to the technical, operational, and threat environments
for which systems need to be engineered at any stage of their system life cycle.
A key point that differentiates cyber resiliency from cyber security is that
cyber resilient systems continue to function even after the adversary has penetrated
the security perimeter of a network and has compromised its cyber assets. Even at the later stages of the cyber kill
chain, cyber resiliency can help to prevent the adversary from gathering
intelligence on, exfiltrating data from, or taking control of mission-essential
systems. The tailorable nature of the NIST
approach ensures that systems resulting from application of the cyber
resiliency design principles have the ability to protect stakeholders from
suffering unacceptable losses of their key assets, and from the associated damaging
economic and national security consequences.
The proposed research would develop a customized systems engineering approach based
on the NIST handbook for enhancing the cyber resiliency of critical rail
infrastructure systems. The objective would NOT be to impose any significant
additional cost burdens on railroads, but to maximize the leverage of
investments that railroads have already made. The first phase of the proposed
research would:
- Identify and characterize functional interactions among critical rail infrastructure components, with a focus on key physical, social and behavioral dependencies;
- Link existing rail infrastructure architectural models to understand the effects of interdependencies across service, security and resilience;
- Identify potential vulnerabilities based on open source evaluation of threat;
- Create predictive models of physical consequences of cyber attacks against the infrastructure based on both designed and emergent interdependencies;
- Support collection, classification, validation and integration of existing and synthetic data related to infrastructure interdependencies; and
- Develop guidance, in collaboration with stakeholders, on the collection, generation, validation and publication of existing and synthetic data on critical infrastructure design and operation for more effective and efficient resource allocation.
The proposed research will provide a
fundamental basis for development of critical cyber-based rail infrastructure
that can detect and cost-effectively handle environmental changes while
meeting safety, security, and dependability needs. Mission-critical rail applications require
the underlying systems to be dependable despite disruptions in the
infrastructure that cause failures in sensing, communications, and computation.
Dependability comprises a variety of nonfunctional requirements, including
availability, reliability, maintainability, safety, and integrity. Several key aspects of dependability must be
considered to enable resilience.
- First, dependability is an end-to-end system property—disruptions at any level of the system (hardware, OS, network, software) can hinder application needs.
- Second, the underlying system is inherently dynamic—to support dependability, a structured approach to realizing adaptability is essential, especially when the system is long-lived and must operate under unpredictable situations.
- Third, designing for both adaptability and dependability requires the ability to reason about system evolution and determine whether adaptations performed meet the dependability needs. One of the key issues today is a lack of understanding of the resilience properties of these systems.
- Fourth, the environment contains heterogeneous sensing components that generate torrents of multimodal data delivered over heterogeneous networks (wired, wireless). Also, resource limitations exist at multiple levels, making it difficult to capture, deliver, and process information on-the-fly.
Significant work has been performed on
the topic of resilience of cyber-physical systems used in other critical
infrastructure systems (primarily automotive, aviation, electrical
infrastructure, and communications infrastructure) and on general resilience. However, little work has been done that directly
addresses the applicability of these approaches to critical rail infrastructure. There exists an overwhelming body of general
knowledge in the cyber security area, but very little specific guidance on its
relevance and applicability to the rail environment. This results in
decision makers (management, technical staff, and regulators) facing
information overload; it allows some private vendors to “sell” railroads on
specific solutions without understanding how those solutions may fit within the
overall cyber security and resilience framework, potentially leading to a false
sense of confidence; and it inhibits decision makers’ abilities to optimally deploy
their limited cyber security resources to provide the best possible protections.
ABR-10, one of the sponsoring committees, is working with a draft of a new “resilience roadmap” based on an analysis of potential research projects that has been vetted by multiple stakeholders. The proposed research overlaps with several projects in the roadmap, including multi-modal resilience, using the NIST cyber framework, and cyber resilience at the organizational level.
The proposed tasks are to:
- Review and customize the NIST Risk Management Framework (RMF) approach specifically for the rail environment, in order to provide a disciplined and structured process that integrates information security and risk management activities into the critical rail system development life cycle.
- Review and customize the U.S. Department of Homeland Security Cyber Resilience Review (CRR) Resource Guides specifically for the railroad operational and business environment.
- Develop a crosswalk between the modified rail-specific RMF and the modified rail-specific CRR.
- Review and customize the NIST Technical Guidance for Cyber Resilience for critical rail infrastructure.
- Develop specific technical guidance for implementing and achieving cyber resilience at the system, subsystem, and component level, for use by railroad technical staff who may not be cyber specialists. This guidance systematically enables feasibility and trade-off analysis of resilience characteristics, supports the most promising approaches, and eventually leads to definition of key features and requirements for each component or subsystem. Because it is unlikely that quantitative data will be available or can be measured in these early stages, this method looks at the system from multiple perspectives (undesirable effects, potential adversary actions, and system impact) that, while not exhaustive, are comprehensive enough to identify all feasible resilience characteristics for analysis.
This research is anticipated to be
completed within 12 months, with a final report customizing the NIST process
for the rail industry detailing the ConOps, data collection, risk reduction and
cost benefit results. The estimated funding requirement for the requested
research is approximately $225,000.
KEYWORDS: Rail, safety, security, risk, positive train control, cyber security, NIST, resilience of cyber
It is anticipated that this research will define new and affordable options for leveraging the investments that railroads have already made, extending their safety and security improvements. Subsequent efforts could include direct support to individual railroads in assessing preparedness, identifying vulnerabilities, and defining system and process enhancements that improve system cyber security and resilience.
Sponsoring Committee: AR030, Railroad Operating Technologies
Research Period: 6 - 12 months
RNS Developer: Edwin R "Chip" Kraft, CRC AR030, in cooperation with Dr. Mark Hartong of Johns Hopkins APL
Source Info:
National Research Council. 2012. Disaster Resilience: A National Imperative. Washington, DC: The National Academies Press. https://doi.org/10.17226/13457
 DHS/I&A. (U) Russian Targeted Cyber Operations Against US Critical Infrastructure. 14 May 2018.
 Greenberg, A. (2017, June 12th). 'Crash Override': The Malware That Took Down A Power Grid. Retrieved from wired.com: https://www.wired.com/story/crash-override-malware/
 In the Rail Safety Improvement Act of 2008, as amended by the Positive Train Control Enforcement and Implementation Act of 2015 (PTCEI Act), Congress requires Class I railroads and entities providing regularly scheduled intercity or commuter rail passenger transportation to implement PTC systems on certain main line routes by 31 December 2018
Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, NIST SP 800-160 Volumes 1 and 2.
For the purpose of this analysis, critical rail infrastructure refers to those rail systems that provide for safety, command, control and communication of the rail network. See Congressional Research Service Report “Critical Infrastructure and Key Assets: Definition and Identification,” October 1, 2004, for a further discussion of associated issues. Although experts have not agreed on a unanimously accepted definition, critical infrastructures generally refer to those products and services that are vital for the normal functioning of society; their protection should be perceived as one of the pillars that support national security, the governing capacity and economic stability, all in all our way of living. Defining critical infrastructure is a shared responsibility between the government, the business sector and non-profit organisations, seeing as critical infrastructures are owned, operated and supported mainly by the private sector, whose defining features are diversity, interconnectivity and, to a certain extent, non-uniformity.
See for example “THREAT MODELING: A SUMMARY OF AVAILABLE METHODS,” Carnegie Mellon University Software Engineering Institute, Report July 2018, https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf accessed 30 April 2019.
See for example the following representative books:
• Biringer, Vugrin & Warren, “Critical Infrastructure System Security and Resiliency,” CRC Press, 2013.
• Flammini, “Resilience of Cyber-Physical Systems: From Risk Modelling to Threat Counteraction,” Springer, 2019.
• Linkov & Palma-Oliveira, “Resilience and Risk: Methods and Applications in Environment, Cyber, and Social Domains,” Springer, 2017.
• Gritzalis, Theocharidou, and Stergiopoulos, “Critical Infrastructure Security and Resilience: Theories, Methods, Tools and Technologies,” Springer, 2019.
• Colbert and Kott, “Cyber-security of SCADA and Other Industrial Control Systems,” Springer, 2016.
• Gheorghe, Tatar, and Gokce, “Strategic Cyber Defense: A Multidisciplinary Perspective,” IOS Press, 2017.
• Cronin and Marion, “Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective,” CRC Press, 2016.
• Niglia, “Critical Infrastructure Protection Against Hybrid Warfare Security Related Challenges,” IOS Press, 2016.
• Panayiotou, Ellinas, Kyriakides, and Polycarpou, “Critical Information Infrastructures Security,” Springer, 2016.
• Luiijf and te Paske, “Cyber Security of Industrial Control Systems,” TNO, 2016.
• Ganguly, Bhatia, and Flynn, “Critical Infrastructures Resilience: Policy and Engineering Principles,” Taylor & Francis, 2018.
• Staggs and Shenoi, “Critical Infrastructure Protection XII,” Springer, 2018.
• Kott & Linkov, “Cyber Resilience of Systems and Networks,” Springer, 2019.
A Google Scholar search on the key words “cyber resilience” and “critical infrastructure” identified over 2000 different papers published on cyber-physical systems cyber resilience in 2019 alone.
See Carías, Juan Francisco et al., “Defining a Cyber Resilience Investment Strategy in an Industrial Internet of Things Context,” Sensors (Basel, Switzerland) vol. 19, 1, 138, 3 Jan. 2019.
See Report of the Cyber Resilience and Response 2018 Public-Private Analytic Exchange Program, Office of the Director of National Intelligence, https://www.dni.gov/files/PE/Documents/2018_Cyber-Resilience.pdf accessed 29 April 2019.
 Bell, Shane. Cybersecurity is not just a 'big business' issue. Governance Directions, Vol. 69, No. 9, Oct 2017
 NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations".
The CRR Resource Guides in the series are:
• Asset Management: The Asset Management Guide focuses on the processes used to identify, document, and manage the organization’s assets.
• Controls Management: The Controls Management Guide focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
• Configuration and Change Management: The Configuration and Change Management Guide focuses on the processes used to ensure the integrity of an organization’s assets.
• Vulnerability Management: The Vulnerability Management Guide focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
• Incident Management: The Incident Management Guide focuses on the processes used to identify and analyze events, declare incidents, determine a response and improve an organization’s incident management capability.
• Service Continuity Management: The Service Continuity Management Guide focuses on processes used to ensure the continuity of an organization’s essential services.
• Risk Management: The Risk Management Guide focuses on processes used to identify, analyze, and manage risks to an organization’s critical services.
• External Dependencies Management: The External Dependencies Management Guide focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
• Training and Awareness: The Training and Awareness Guide focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
• Situational Awareness: The Situational Awareness Guide focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
NIST Special Publication 800-160 Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”; NIST Special Publication 800-160 Volume 2, “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems”; and, as available, NIST Special Publication 800-160 Volume 3, “Systems Security Engineering: Software Assurance Considerations for the Engineering of Trustworthy Secure Systems,” planned for release in December 2019, and NIST Special Publication 800-160 Volume 4, “Systems Security Engineering: Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems,” planned for release in December 2020.
This could include, but is not limited to, industry standards based on railroad cyber security best practices, a best practices guidebook for railway cyber security resiliency, and a railroad risk assessment framework to be used by individual railroads or classes of railroads (i.e., Class 1, Class 2, Class 3, Passenger/Intercity, Passenger/Commuter) for benchmarking.
Index Terms: Computer security, Railroads, Rail transit, Infrastructure, Disaster resilience
Cosponsoring Committees: AMR10, Critical Transportation Infrastructure Protection
Data and Information Technology
Safety and Human Factors
Security and Emergencies