
Enhancing the Cyber Resilience of Critical Rail Infrastructure

Description:

The National Academy of Sciences (NAS) has defined “resilience” as “the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events.” [1] “Cyber resiliency” describes the attributes of an electronic system that assure the system continues to perform its mission-essential functions even when under cyber-attack. As a critical strategic infrastructure, the cyber resiliency of the rail system is essential to the resilience of most other transportation sectors, since there would be significant national security implications if these sectors were disrupted. Resilient systems can withstand a cyber-attack and continue to operate, even in a degraded or debilitated state, while still carrying out mission-essential functions. Such mission-essential systems should be prioritized when developing cyber resilience, as they would be favored targets in a coordinated cyber-attack on the United States. [2]

An example of the cyber-physical threat against critical infrastructure is the attack on the Ukrainian power grid that took place on December 23, 2015, when a phishing email installed malware on the command systems of the Prykarpattyaoblenergo power control center in the western Ivano-Frankivsk region. This malware was used to take control of circuit breakers at 30 substations across the region and to switch the substations offline, causing a power blackout that affected more than 230,000 residents. The attackers took this a step further by disabling the backup power supplies to two of the three distribution centers to prolong the outage while also preventing the operators from responding effectively.

While the outage only lasted 1-6 hours, the control centers were still not fully operational two months later. This difficulty in recovery was due to the effort taken by the adversaries to damage control systems by overwriting the firmware on devices at 16 of the substations, leaving them unresponsive to any remote commands from the operators. Customers who attempted to call the Ukrainian power companies were also hindered by an ingenious telephone denial-of-service attack, during which thousands of bogus calls appearing to come from Moscow area codes were used to overwhelm and confuse the customer service call centers. The final phase of the attackers’ sabotage included running malware called KillDisk to erase files and software from the operators’ workstations, rendering them useless.

A second attack in December 2016 employed a more evolved malware named “Crash Override,” the second known case, after Stuxnet, of purpose-built malicious code designed to disrupt physical systems. Instead of gaining access to the Ukrainian power utility networks and manually switching off power substations as in 2015, this time malware was used to fully automate the attack. This software could “speak” directly to the grid equipment, sending commands in the obscure protocols employed by control systems to switch power on and off. This is scalable attack software that can run without any feedback from the attackers, meaning that once installed, it can target secure networks that are disconnected from the internet. As soon as a system is infected, the malware automatically maps out control systems and locates critical targeted equipment. Additionally, it records network logs and sends that information back to the attackers, allowing them to learn how the power control systems function over time. The malware’s swappable component design means it could easily be adapted to protocols used in the U.S. or elsewhere, downloading new modules whenever the malware can connect to the internet. The malware also has a built-in ability to destroy all files on a system, effectively covering its tracks and destroying any evidence of its own presence. [3]

The rail industry has increasingly deployed TCP/IP-based communications technologies to obtain business efficiencies as well as to respond to statutory requirements [4], potentially increasing the vulnerability of this critical infrastructure. When coupled with the immense geographical dispersion of the rail system, the large number of industry stakeholders, the limited resources available, and the interconnectivity of the system, successful perimeter defense of the rail infrastructure against all attacks is unlikely, making cyber resiliency essential to ensure system survivability and recovery.

The National Institute of Science and Technology (NIST) has developed a handbook [5] for achieving cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes. It allows the experience and expertise of the organization to determine what is correct for its purpose. Organizations can select, adapt, and use some (or all) of the cyber resiliency constructs (i.e., goals, objectives, techniques, approaches, and design principles). Organizations can apply those constructs to the technical, operational, and threat environments for which systems need to be engineered at any stage of their system life cycle.

A key point that differentiates cyber resiliency from cyber security is that cyber resilient systems continue to function even after the adversary has penetrated the security perimeter of a network and has compromised its cyber assets. Even at the later stages of the cyber kill chain, cyber resiliency can help to prevent the adversary from gathering intelligence on, exfiltrating data from, or taking control of mission-essential systems. The tailorable nature of the NIST approach ensures that systems resulting from application of the cyber resiliency design principles have the ability to protect stakeholders from suffering unacceptable losses of their key assets, and from the associated damaging economic and national security consequences.

Objective:

The proposed research would develop a customized systems engineering approach based on the NIST handbook for enhancing the cyber resiliency of critical rail infrastructure systems. The objective would NOT be to impose any significant additional cost burdens on railroads, but to maximize the leverage of investments that railroads have already made. The first phase of the proposed research would:

  • Identify and characterize functional interactions among critical rail infrastructure components [6] with a focus on key physical, social and behavioral dependencies;

  • Link existing rail infrastructure architectural models to understand the effects of interdependencies across service, security and resilience;

  • Identify potential vulnerabilities based on open source evaluation of threat [7];

  • Create predictive models of physical consequences of cyber attacks against the infrastructure based on both designed and emergent interdependencies;

  • Support collection, classification, validation and integration of existing and synthetic data related to infrastructure interdependencies; and

  • Develop guidance in collaboration on the collection, generation, validation and publication of existing and synthetic data on critical infrastructure design and operation for more effective and efficient resource allocation.

Benefits:

The proposed research will provide a fundamental basis for development of critical cyber-based rail infrastructure that can detect and cost-effectively handle environmental changes while meeting safety, security, and dependability needs. Mission-critical rail applications require the underlying systems to be dependable despite disruptions in the infrastructure that cause failures in sensing, communications, and computation. Dependability constitutes a variety of nonfunctional requirements including availability, reliability, maintainability, safety, and integrity. Several key aspects of dependability must be considered to enable resilience.

  • First, dependability is an end-to-end system property: disruptions at any level of the system (hardware, OS, network, software) can hinder application needs.
  • Second, the underlying system is inherently dynamic: to support dependability, a structured approach to realizing adaptability is essential, especially when the system is long-lived and must operate under unpredictable situations.
  • Third, designing for both adaptability and dependability requires the ability to reason about system evolution and determine whether adaptations performed meet the dependability needs. One of the key issues today is a lack of understanding of the resilience properties of these systems.
  • Fourth, the environment contains heterogeneous sensing components that generate torrents of multimodal data delivered over heterogeneous networks (wired, wireless). Also, resource limitations exist at multiple levels, making it difficult to capture, deliver, and process information on-the-fly.

Related Research:

Significant work has been performed on the topic of resilience of cyber-physical systems used in other critical infrastructure systems (primarily automotive, aviation, electrical infrastructure, and communications infrastructure) and on general resilience [8]. However, little work has been done that directly addresses the applicability of these approaches to critical rail infrastructure. There exists an overwhelming body of general knowledge in the cyber security area, but very little specific guidance on its relevance and applicability to the rail environment. This results in decision makers (management, technical staff, and regulators) facing information overload; allows some private vendors to “sell” railroads on specific solutions without understanding how those solutions may fit within the overall cyber security and resilience framework, potentially leading to a false sense of confidence; and inhibits decision makers’ ability to optimally deploy their limited cyber security resources to provide the best possible protections. [9],[10],[11]

ABR-10, one of the sponsoring committees, is working with a draft of a new “resilience roadmap” based on an analysis of potential research projects that has been vetted by multiple stakeholders. The proposed research overlaps with several projects in the roadmap, including multi-modal resilience, using the NIST cyber framework, and cyber resilience at the organizational level.

Tasks:

  1. Review and customize the NIST Risk Management Framework (RMF) approach [12] specifically for the rail environment in order to provide a disciplined and structured process that integrates information security and risk management activities into the critical rail system development life cycle.

  2. Review and customize the U.S. Department of Homeland Security Cyber Resilience Review (CRR) Resource Guides [13] specifically for the railroad operational and business environment.

  3. Develop a crosswalk between the modified rail specific RMF and the modified rail specific CRR.

  4. Review and customize the NIST Technical Guidance for Cyber Resilience [14] for critical rail infrastructure.

  5. Develop specific technical guidance [15] for implementing and achieving cyber resilience at the system, subsystem, and component level, for use by railroad technical staff who may not be cyber specialists. The guidance should systematically enable feasibility and trade-off analysis of resilience characteristics, support the most promising approaches, and eventually lead to definition of key features and requirements for the component or subsystem. Because it is unlikely that quantitative data will be available or can be measured in these early stages, this method looks at the system from multiple perspectives (undesirable effects, potential adversary actions, and system impact) that, while not exhaustive, are comprehensive enough to identify all feasible resilience characteristics for analysis.

Implementation:

This research is anticipated to be completed within 12 months, with a final report customizing the NIST process for the rail industry detailing the ConOps, data collection, risk reduction and cost benefit results. The estimated funding requirement for the requested research is approximately $225,000.

KEYWORDS: Rail, safety, security, risk, positive train control, cyber security, NIST, resilience of cyber physical systems

Relevance:

It is anticipated that this research will define new and affordable options for leveraging the investments that railroads have already made to extend safety and security improvements. Subsequent efforts could include direct support to individual railroads in assessing preparedness, identifying vulnerabilities, and defining system and process enhancements that improve system cyber security and resilience.

Sponsoring Committee: AR030, Railroad Operating Technologies
Research Period: 6 - 12 months
Research Priority: High
RNS Developer: Edwin R "Chip" Kraft, CRC AR030 in cooperation with Dr. Mark Hartong of Johns Hopkins APL
Source Info:
[1] National Research Council. 2012. Disaster Resilience: A National Imperative. Washington, DC: The National Academies Press. https://doi.org/10.17226/13457
[2] DHS/I&A. (U) Russian Targeted Cyber Operations Against US Critical Infrastructure. 14 May 2018.
[3] Greenberg, A. (2017, June 12th). 'Crash Override': The Malware That Took Down A Power Grid. Retrieved from wired.com: https://www.wired.com/story/crash-override-malware/
[4] In the Rail Safety Improvement Act of 2008, as amended by the Positive Train Control Enforcement and Implementation Act of 2015 (PTCEI Act), Congress requires Class I railroads and entities providing regularly scheduled intercity or commuter rail passenger transportation to implement PTC systems on certain main line routes by 31 December 2018.
[5] Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, NIST SP 800-160 Volumes 1 and 2.
[6] For the purpose of this analysis, critical rail infrastructure refers to those rail systems that provide for safety, command, control and communication of the rail network. See Congressional Research Service Report “Critical Infrastructure and Key Assets: Definition and Identification,” October 1, 2004, for a further discussion of associated issues. Although experts have not agreed on a unanimously accepted definition, critical infrastructures generally refer to those products and services that are vital for the normal functioning of society; their protection should be perceived as one of the pillars which support national security, the governing capacity and economic stability, and, all in all, our way of living. Defining critical infrastructure is a shared responsibility between the government, the business sector and non-profit organisations, seeing as critical infrastructures are owned, operated and supported mainly by the private sector, whose defining features are diversity, interconnectivity and, to a certain extent, non-uniformity.
[7] See for example “THREAT MODELING: A SUMMARY OF AVAILABLE METHODS,” Carnegie Mellon University Software Engineering Institute, Report July 2018 https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf accessed 30 April 2019
[8] See for example the following representative books:
• Biringer, Vugrin & Warren, “Critical Infrastructure System Security and Resiliency”, CRC Press, 2013.
• Flammini, “Resilience of Cyber-Physical Systems: From Risk Modelling to Threat Counteraction”, Springer, 2019.
• Linkov & Palma-Oliveira, “Resilience and Risk: Methods and Applications in Environment, Cyber, and Social Domains”, Springer, 2017.
• Gritzalis, Theocharidou, and Stergiopoulos, “Critical Infrastructure Security and Resilience: Theories, Methods, Tools and Technologies”, Springer, 2019.
• Colbert and Kott, “Cyber-security of SCADA and Other Industrial Control Systems”, Springer, 2016.
• Gheorghe, Tatar, and Gokce, “Strategic Cyber Defense: A Multidisciplinary Perspective”, IOS Press, 2017.
• Cronin and Marion, “Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective”, CRC Press, 2016.
• Niglia, “Critical Infrastructure Protection Against Hybrid Warfare Security Related Challenges”, IOS Press, 2016.
• Panayiotou, Ellinas, Kyriakides, and Polycarpou, “Critical Information Infrastructures Security”, Springer, 2016.
• Luiijf and Paske, “Cyber Security of Industrial Control Systems”, TNO, 2016.
• Ganguly, Bhatia, and Flynn, “Critical Infrastructures Resilience: Policy and Engineering Principles”, Taylor & Francis, 2018.
• Staggs and Shenoi, “Critical Infrastructure Protection XII”, Springer, 2018.
• Kott & Linkov, “Cyber Resilience of Systems and Networks”, Springer, 2019.
A Google Scholar search on the key words “cyber resilience” and “critical infrastructure” identified over 2,000 different papers on cyber-physical system cyber resilience published in 2019 alone.
[9] Carías, Juan Francisco et al. “Defining a Cyber Resilience Investment Strategy in an Industrial Internet of Things Context.” Sensors (Basel, Switzerland) vol. 19, 1, 138. 3 Jan. 2019.
[10] Report of the Cyber Resilience and Response 2018 Public-Private Analytic Exchange Program, Office of the Director of National Intelligence, https://www.dni.gov/files/PE/Documents/2018_Cyber-Resilience.pdf, accessed 29 April 2019.
[11] Bell, Shane. Cybersecurity is not just a 'big business' issue. Governance Directions, Vol. 69, No. 9, Oct 2017
[12] NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations".
[13] The CRR Resource Guides in the series are:
• Asset Management: The Asset Management Guide focuses on the processes used to identify, document, and manage the organization’s assets.
• Controls Management: The Controls Management Guide focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
• Configuration and Change Management: The Configuration and Change Management Guide focuses on the processes used to ensure the integrity of an organization’s assets.
• Vulnerability Management: The Vulnerability Management Guide focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
• Incident Management: The Incident Management Guide focuses on the processes used to identify and analyze events, declare incidents, determine a response, and improve an organization’s incident management capability.
• Service Continuity Management: The Service Continuity Management Guide focuses on processes used to ensure the continuity of an organization’s essential services.
• Risk Management: The Risk Management Guide focuses on processes used to identify, analyze, and manage risks to an organization’s critical services.
• External Dependencies Management: The External Dependencies Management Guide focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
• Training and Awareness: The Training and Awareness Guide focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
• Situational Awareness: The Situational Awareness Guide focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
[14] NIST Special Publication 800-160 Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”, NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. And as available NIST Special Publication 800-160, Volume 3 “Systems Security Engineering Software Assurance Considerations for the Engineering of Trustworthy Secure Systems” planned for release in December 2019, and NIST Special Publication 800-160, Volume 4 “Systems Security Engineering Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems” planned for release in December 2020.
[15] This could include, but is not limited to, industry standards based on railroad cyber security best practices, a best practices guidebook for railway cyber security resiliency, and a railroad risk assessment framework to be used by individual railroads or classes of railroads (i.e. Class 1, Class 2, Class 3, Passenger/Intercity, Passenger/Commuter) for benchmarking.
Date Posted: 08/05/2019
Date Modified: 09/03/2019
Index Terms: Computer security, Railroads, Rail transit, Infrastructure, Disaster resilience
Cosponsoring Committees: ABR10, Critical Transportation Infrastructure Protection
Subjects:
• Public Transportation
• Railroads
• Data and Information Technology
• Safety and Human Factors
• Security and Emergencies
