Why signature-based threat detection isn’t enough for rail cyber security



Today’s cyber threats can target all types of systems, networks and devices, especially those that make up critical infrastructure. Every industry and organisation is unique, and has its own challenges and parameters for security. The modern network architecture on rolling stock is no different, as it consists of many connected subsystems which have created a large attack surface. This now presents train operators with a challenge that requires a flexible approach to cyber security to protect their operations and passengers.


Organisations are increasingly adopting measures to protect themselves against the constantly shifting threats, but many available cyber security solutions in the market share the same weakness in their approach to threat detection: a continued reliance on systems that simply monitor or control traffic into and out of the network, and detect threats by recognising the 'signature' of a previously catalogued attack.


This traditional security technique has been in use since the earliest days of cyber security, most popularly for combating malware. In previous years this approach was able to provide adequate protection, until attackers became more advanced and discovered new methods of avoiding detection.


Signature-based approaches fail because they are reactive


Cyber attacks leave a unique signature that can be used to recognise what type of threat it is, based on a catalogued ‘footprint’ or pattern associated with a previously identified attack. A signature-based threat detection solution would monitor data flowing through the network, scan the contents to compare them to code it has categorised in its signature database and, based on this, decide whether to act against the threat.


This approach was easy to implement, but its accuracy relied heavily on the vendor's awareness of new threats, and their capability to then push out updates of new signatures to the software out in the field. This means it was able to provide protection from threats that were known to the industry, but this approach has limitations.


One of the biggest limiting factors behind signature-based detection is that it is always reactive in nature. It cannot detect newly discovered threats like zero-day attacks, which are not known to the industry before they are seen in action. New versions of attacks regularly appear that are not recognised or identified by signature-based technology. This is especially true within rail, where there is not an extensive catalogue of previous attacks or a lab of security specialists compiling signatures.


Attackers know what signatures have been collected, and how signature detection works. They know they must find more sophisticated ways to circumvent detection. Unfortunately, the ability to obscure their attacks by working around the known signatures is something that even the less ‘advanced’ hackers can do now. They can mutate their malicious code by making slight modifications in such a way that their attacks keep generating new signatures, while retaining their malicious functionality.


In a recent blog discussing cyber security risks of IP-enabled cameras on rolling stock, we highlighted how the WannaCry attack was released and quickly caused havoc in the industry. The WannaCry attack was a zero-day attack that was able to inflict a lot of damage because of basic flaws in signature-based detection tools. It was a new threat that the outdated approach was not equipped or prepared for.


With the decline of signature-based threat detection, organisations have begun to turn to more innovative methods of securing their operations. The rail industry would benefit from following suit when it comes to building its cyber security programme. Rather than relying on identifying threats on the network from their signature, a better-suited approach within rail going forward will be the monitoring and detection of threats based on their behaviour.


The threat landscape is constantly changing. Rail needs more than prevention to stay safe


With the news increasingly spotlighting successful cyber attacks against high-profile targets, including those within critical infrastructure, it would seem that the hackers are continually gaining the upper hand. Attacks such as WannaCry have shown that it is not enough to rely solely on perimeter defences with signature-based detection. Organisations that were affected by WannaCry had firewalls and other prevention mechanisms in place, but the attack still found a way into their networks. The perimeter of the network is no longer as clear as it once was.


Instead, we should be focusing on an attacker's one key vulnerability – their inability to hide their malicious behaviour once they gain access to the network.


Cyber security is a constant battle of escalation and innovation from both sides: the defenders must win every time, but the attackers only need to be successful once. A perimeter security approach with signature-based detection technology can never guarantee to keep the attackers at bay forever. Your goal should be to stop insider threats before they become incidents.


With new technologies and techniques such as artificial intelligence, automation and machine learning, organisations now have access to solutions utilising behaviour-based threat detection. This is a proactive approach to security in which all relevant activity is monitored, so that deviations from normal behaviour can be identified, and action taken to mitigate the threats immediately.


Whereas a signature-based detection approach requires consistent updates and patching to stay relevant, a behaviour-based detection solution will remain effective for the life of the asset. It will create a baseline for normal traffic patterns on your network, enabling accurate alerting of threats when it discovers anomalies caused by live attacks, regardless of whether the system recognises a signature or attack. This new detection approach is allowing organisations to stay in control and deepen their view of what’s happening inside their networks for a much longer period of time compared to signature-based approaches.
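The contrast between the signature lookup described earlier and the traffic baseline described above can be seen side by side in a short sketch. This is an added example, not RazorSecure's product code; the device names, ports, payloads and thresholds are constructed for illustration.

```python
import hashlib
from statistics import mean, pstdev

# Constructed sample data: every name, port and payload here is hypothetical.
KNOWN_BAD = {hashlib.sha256(b"catalogued-sample-v1").hexdigest()}

def signature_match(payload: bytes) -> bool:
    """Signature check: exact digest lookup in a catalogue of known samples."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD

class Baseline:
    """Learns which (src, dst, port) conversations occur and their usual size."""
    def __init__(self, threshold=3.0):
        self.sizes = {}  # (src, dst, port) -> byte counts seen while learning
        self.threshold = threshold

    def learn(self, flows):
        for src, dst, port, nbytes in flows:
            self.sizes.setdefault((src, dst, port), []).append(nbytes)

    def check(self, flow):
        """Return the reasons a flow deviates from the learned baseline."""
        src, dst, port, nbytes = flow
        seen = self.sizes.get((src, dst, port))
        if seen is None:
            return [f"new conversation {src}->{dst}:{port}"]
        mu, sigma = mean(seen), pstdev(seen)
        # Floor the spread so a near-constant baseline tolerates small jitter.
        if abs(nbytes - mu) > self.threshold * max(sigma, 0.05 * mu):
            return [f"volume {nbytes}B outside normal ~{mu:.0f}B"]
        return []

# Learning period: camera-to-recorder video and display-to-gateway updates.
TRAINING = [("cctv-1", "nvr", 554, b) for b in (9800, 10100, 10050, 9900)] + \
           [("pis-1", "tcms-gw", 443, b) for b in (1200, 1180, 1220, 1210)]
baseline = Baseline()
baseline.learn(TRAINING)

def evaluate(payload: bytes, flow):
    """Run both detectors over one observed payload and its flow record."""
    return {"signature": signature_match(payload),
            "behaviour": baseline.check(flow)}

if __name__ == "__main__":
    odd_flow = ("cctv-1", "pis-1", 8080, 4000)  # camera talking to a display
    print(evaluate(b"catalogued-sample-v1", odd_flow))  # both detectors fire
    print(evaluate(b"catalogued-sample-v2", odd_flow))  # only behaviour fires
    print(evaluate(b"video-frame", ("cctv-1", "nvr", 554, 10000)))  # quiet
```

A payload that differs from the catalogued sample by one byte no longer matches the signature, while the camera opening a conversation it never had during the learning period is still reported.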



Security effectiveness of the RazorSecure behaviour-based solution over the life of an asset, compared to a traditional signature-based approach.



Signature-based detection can be effective at combating a large range of threats. But it is not enough on its own. The threat landscape isn’t static and it is evolving rapidly. The threats are becoming more sophisticated, and every day, new attack techniques are coming to light. Organisations need an intelligent solution that has full visibility and understanding of the network, can continuously learn new attack behaviours and will adapt to network changes.