For decades, when we were using the words “railway security”, we were usually referring to the protection and safeguarding of railway property, to the removal of any obstruction in the movement of trains, to the identification of potential situations where crime can take place against railway property or passengers, or the use of a train for criminal purposes or terrorism.
Cybersecurity is the new challenge for the railway industry.
Customers and employees of the railway industry expect that the same level of protection extends to the digital assets that reside on railway systems, including their personal and financial information. The industry is obliged to respect this expectation, especially after the new privacy regulations, including the General Data Protection Regulation (GDPR).
The railway industry must comply with cyber security and privacy laws and regulations, and must follow international standards and best practices that protect customers and employees.
A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of customers regarding cybersecurity. Managers and employees must be involved in the prevention, detection, and response to deliberate malicious acts that target systems, persons, and data.
During the past decades, the railway industry has made substantial investments in information technology solutions that contribute to improved operational efficiency, safety, and customer satisfaction. The more complex and interconnected the systems, the more awareness and training are required for all managers and employees that use these systems.
Important threats for the railway industry are cyber criminals with financial motivation, politically-motivated groups, state-sponsored agents and groups, terrorists, but also disgruntled or terminated employees with access to the systems.
Railway operators often report low cybersecurity awareness and differences in culture, especially among safety and operations personnel. Cybersecurity awareness for all managers and employees in the railway industry is necessary, in order to make information security considerations an integral part of every job.
Course synopsis, recommended training modules
- Railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity.
- Important developments in the railway industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).
- Understanding the challenges.
An overview of some of the attacks described below that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.
- March 2022, the Italian State Railways (FS) and its subsidiaries Trenitalia and Italian Rail Network (RFI) suffered a ransomware cyber-attack which disrupted ticket sales at stations, passenger information screens and tablets used by railway staff.
- 2008, attackers derailed four tram trains in Lodz, Poland by means of a TV remote.
- 2011, attackers stopped the train signaling system for two days in the northwestern United States.
- 2013, the Belgian national railway mistakenly published personal information of several customers.
- 2022, the Romanian National Directorate of Cyber Security said that multiple public and private sector websites were hit with DDoS attacks. The victims included the ministry of defense, border police, national railway company, and the OTP Bank.
- 2021, Transnet Port Terminals (TPT), South Africa’s state-run ports operator and freight rail monopoly, had its rail services disrupted after a hack by unknown actors.
- July 2021, Iran’s transport and urbanization ministry was the victim of a cyber attack that caused delays and cancellations of hundreds of trains across Iran.
- 2017, a major wave of ransomware infections hit media organizations, train stations, airports, and government agencies in Europe. The malware used leaked NSA-linked exploits. Ukrainian police reported that the ransomware was a cover for a phishing campaign undertaken by the same actor to gain remote access to financial and confidential data.
- 2015-2016, United Kingdom, four cyberattacks, considered part of a reconnaissance operation before an APT (Advanced Persistent Threat) attack, probably led by a nation-state threat actor.
- May 2017, Deutsche Bahn was a victim of the WannaCry ransomware.
- October 2017, an attack affected the Swedish Transport Administration (Trafikverket) via its two internet service providers, TDC and DGC. The attack reportedly affected the IT system that monitors trains' locations. It also took down the federal agency's email system, website, and road traffic maps. Customers during this time were unable to make reservations or receive updates on the delays.
- May 2018, Denmark, an attack impacted the ticketing systems of DSB. The Danish travelers could not purchase tickets from ticket machines, the online application, website, and certain station kiosks.
- March 2020, United Kingdom, the email addresses and travel details of about 10,000 people who used the free Wi-Fi provided in UK railway stations were exposed online. The database contained 146 million records, including personal contact details and dates of birth.
- July 2020, the Spanish Infrastructure Manager ADIF was hit by ransomware that did not affect critical infrastructure but exposed gigabytes of personal and business data.
Who is the “attacker”?
- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.
- Hacktivists and the railway industry.
- Professional criminals and information warriors.
- Cyber-attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.
How do the adversaries plan and execute the attack?
- Step 1 – Collecting information about persons and systems.
- Step 2 – Identifying possible targets and victims.
- Step 3 – Evaluation, recruitment, and testing.
- Step 4 – Privilege escalation.
- Step 5 – Identifying important clients and VIPs.
- Step 6 – Critical infrastructure.
Employees and their weaknesses and vulnerabilities.
- Employee collusion with external parties.
- Blackmailing employees: The art and the science.
- Romance fraudsters and webcam blackmail: What is the risk for the railway industry?
What must be protected?
- Best practices for all employees that provide services and have authorized access to systems and data.
- What to do, what to avoid.
- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.
- Reverse Social Engineering.
- Common social engineering techniques:
  1. Pretexting.
  2. Baiting.
  3. Something for something.
  4. Tailgating.
- Clone phishing.
- Whaling – phishing for executives.
- Smishing and Vishing Attacks.
The online analogue of personal hygiene.
- Preparing and maintaining records.
- Entering data into, and retrieving data from, computer systems and devices.
- Researching and compiling reports from outside sources.
- Maintaining and updating files.
- Responding to emails and questions by telephone and in person.
- Ensuring that sensitive files, reports, and other data are properly tracked.
- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.
We will discuss the mistakes and the consequences in one or more of the following case studies:
- March 2022, the Italian State Railways (FS) and its subsidiaries Trenitalia and Italian Rail Network (RFI) ransomware cyber-attack.
- 2008, attackers derailed four tram trains in Lodz.
- 2011, signaling system in the northwestern United States.
- 2013, the Belgian national railway mistake.
- 2021, Transnet Port Terminals (TPT), South Africa’s state-run ports operator and freight rail monopoly.
- July 2021, Iran’s transport and urbanization ministry, cancellations of hundreds of trains across Iran.
- 2017, ransomware infections hit media organizations, train stations, airports, and government agencies in Europe.
- 2015-2016, United Kingdom, four cyberattacks, probably led by a national state threat actor.
- May 2017, Deutsche Bahn, WannaCry ransomware.
- October 2017, Sweden Transport Administration (Trafikverket).
- May 2018, Danish travelers could not purchase tickets from ticket machines, the online application, website, and certain station kiosks.
- March 2020, United Kingdom, Wi-Fi provided in UK railway stations.
- July 2020, Spanish Infrastructure Manager ADIF hit by ransomware.
- What has happened?
- Why has it happened?
- Which were the consequences?
- How could it be avoided?
Closing remarks and questions.
The program has been designed for all managers and employees working in the railway industry that have authorized access to systems and data. They may work:
- for a railway undertaking (RU), in charge of providing services for the transport of goods and/or passengers by rail, and
- for an infrastructure manager (IM), in charge of establishing, managing, and maintaining railway infrastructure and fixed installation, including traffic management, control-command and signalling, but also station operation and train power supply.
They are in the scope of the EU NIS 2 Directive (directive on security of network and information systems), as operators of essential services (OES).
The program is beneficial to suppliers and service providers, employees responsible for reviewing schedules and maintaining communication with crew members of trains, train operators, engineers, train crew members responsible for operational and safety duties, station managers and agents, and revenue protection officers.
One hour to half a day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.
Delivery format of the training program
a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers and employees etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH that is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.
b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH that are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.
c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH that are approved by the Client tailor the training content according to the needs of the Client and the Contract, and they record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos into their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.
Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.
George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
Terms and conditions
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.