At a time of increasing volumes of data flowing across on-board operational networks and growing cyber security concerns targeting the railway industry, complete network visibility is a must for train operators. To protect your network and have a comprehensive understanding of your cyber risk, you need a complete visibility of the network traffic that flows through it, and the devices connected to it. Despite this growing need, many operators fall short of their network visibility requirement.
We work with a lot of vendors in rail and critical infrastructure, and commonly find that there’s a big gap between the system developers and the cyber security team who are working to improve their cyber maturity and meet international security frameworks.
It is easy to see how this situation comes about, for most system developers, a network is a means to an end. They send a message and another system receives that message, their main goal is latency and guaranteed delivery.
This can lead to situations where there is network creep between services. Systems are added, designs are tweaked, and control is lost over the original design for the network services.
New devices such as IP-enabled cameras, are often implemented without considering the effect they may have on the integrity of the network. This can lead to a gap in the train’s cyber security control, which train operators may not even be aware of.
Every network architecture has its weaknesses. If you are not able to identify these weak spots, the traffic flowing through them and their potential impact on your rolling-stock, it is impossible to have a comprehensive view of cyber risk across your fleet.
How can you know your cyber risk without understanding your network?
Well it is simple, you can’t! First let’s look at why this happens. In rail, each project is quite different. You start with a base design that is reused across multiple train fleets, the operator/ROSCO then specifies additional requirements such as a certain switch brand, onboard connectivity, crew devices, PIS hardware etc.
This is where the network creep begins, the base design has now been changed with the addition of systems or change in suppliers. As a result, you need to look at whether the communication patterns have changed, whether the switch configuration is still valid etc.
We see this pattern across operators, train builders and other system suppliers. It is not unique; it happens all the time!
Meeting international frameworks
'Network visibility' is one of the most highlighted concepts in new cyber security regulations and frameworks that cover critical infrastructure, including rail. The NCCoE emphasises that organisations must minimize the cyber security risks by maintaining an updated OT asset inventory and have full visibility of the data within the network. RazorSecure Delta includes asset discovery functionality for detecting and cataloguing new devices connected to the network.
When reviewing international frameworks such as IEC-62443 and the NIST Cyber Security Framework, it is hard to see how it can be possible to meet even the most basic security requirements without understanding traffic flows.
The requirements for network segmentation, zones and conduits, access control and security monitoring are exceptionally difficult to reach without this kind of detailed understanding.
At a basic level, network visibility is the ability to collect and analyze traffic as it flows through your network. It is like having a bird’s eye view of your entire network. This allows you to expose security blind spots, eliminate inefficiencies, and monitor the performance and resources of the systems on rolling-stock.
The different types of network map
There are many different types of network map, we refer back to the OSI Network model.
The easiest to understand of these is the layer 2 (physical) network map, it is the physical network connections to switches, cabling between devices and the layout on a schematic map.
Below this is the layer 3 (logical) network map, how devices connect to each other through the IP network. This is different to the layer 2 network because you can have multiple layer 3 network endpoints at each layer 2 endpoint. At its most basic level it indicates which IP addresses talk to which other IP addresses and on which ports. This will often show a very different network layout to the physical network because of VLAN zoning and other technologies to restrict logical connectivity.
Below this again is the layer 4-7 application protocol network map. This is the layer beneath and shows which traffic protocols are used, layer 4 is typically UDP/TCP/ICMP and beneath that specific protocols like NTP, DNS, TRDP are evident.
A clear understanding of all of these levels is important for measuring cyber security risk.
So how do I look to improve my understanding of network traffic?
A modern rolling-stock fleet requires more than just firewalls and network segmentation. With increased connectivity among new devices and subsystems. network visibility is more important than ever to protect the challenging environment these changes have created.
At RazorSecure, we deal with these changes by completing a data study onboard the trains. We look to deploy network monitoring devices for a period of time while a train runs through a set of operations, these capture packets and allow us to look at the whole traffic flow across the train.
There are three key benefits:
The packet captures can become a testing set for bench systems, enabling replay of these captures across the network without the actual physical devices
They provide a complete visualisation of the layer 3 network traffic for risk evaluation
They can be used as a baseline to pre-configure security gateways and switches, and prevent any nasty surprises or variation orders later
Knowing and understanding your network is essential for ensuring you have all the information required to make evidence-based decisions about cyber risk. We recommend that a data study is completed for each project, it is simply good hygiene for understanding cyber risk and an important first step along the road to cyber security.