Rail Cybersecurity is a Journey, Not a Product

Introduction: More than cybersecurity mandates

Long before the TSA issued Security Directive 1580/82-2022-01 to help reduce risks posed by cybersecurity threats on critical rail operations, rail operators proactively banded together to form the Rail Information Security Committee (RISC) and tackle cybersecurity concerns as an industry.

Yet even with this laudable head start, rail cybersecurity remains a work in progress as operators and their ecosystem partners grapple with the complexities of making a vast, mainly legacy infrastructure more resilient and secure.

A big part of the challenge, one rail shares with industrial players at large, is that implementing cybersecurity measures at scale isn’t simply an information technology (IT) problem – it’s also an operational technology (OT) one. There is no single security software vendor with a plan, patch, or solution for the extensive mix of physical and digital assets that comprise today’s rail fleets.

There is no silver bullet.

Developing and evolving the right set of cybersecurity solutions for the rail industry is going to take time and collaboration among carriers and vendors who know the industry best – and an approach rooted not simply in software acumen, but in a deep understanding of operational technology, some of which predates the Internet.

Getting started

A big part of accomplishing this task will be understanding that big fixes take time – and need to be implemented with great care. While tempting to think that bolt-on security solutions can make rail operations more ‘compliant,’ short-term fixes for challenges with long-term safety and security implications won’t cut it.

One major implication of bolt-on solutions is that they are difficult to manage and maintain, making them more costly to operate over time. The most efficient way forward is to think through the problem thoroughly up front and design solutions that will stand the cybersecurity test of time.

“Railroads have a lot on their plates when it comes to cybersecurity,” says Susan Peterson Sturm, Senior Director, Cyber Product and Strategic Partnerships at Wabtec. “The TSA is mandating security capabilities that aren’t organic to the original physical and digital assets in their networks, and the security stack that is emerging now for the enterprise isn’t suited to the realities and rigors of rail operations. That said, the rail industry is experienced at rolling up its sleeves and working with its partners to meet big challenges. Just look at what we accomplished together in developing Positive Train Control (PTC).”