"A CISO's Nightmare": Israel Baron on Railway Security

Railway systems are a mess of old systems built on top of older systems, running ancient operating systems and exposing their most sensitive inner workings to commuters via WIFI. Why are railway systems so difficult to defend, and what are the most probable attack vectors against them? Nate Nelson, our senior producer, speaks with Israel Baron, Israel Railway's first ever CISO.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Israel Baron

VP Customer Relations at Cervello

Bringing over 16 years of expertise in the Cyber Security domain with excellent interpersonal, presentation & leadership skills. As the Israel Railways CISO, I established and led the Cyber department - defining, with the company top management, the strategy, and tools to defend its critical assets and systems, including the design of the company's Integrated IT/OT Cyber Security Operation Center (SIEM/SOC).

Episode Transcript:

Transcription edited by SODA

[Israel] You can literally stop a train for an emergency break in a matter of minutes.

[Ran] Hi and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.
A CISO’s nightmare, that’s what Israel-Baron, Israel Railway’s first CISO ever, calls the current state of cyber security in the world of railway transportation. And not only in Israel.
According to Baron, railway systems all over the world are a mess of old systems built on top of older systems, running ancient operating systems and exposing their most sensitive inner workings to commuters via WiFi. To be honest, as someone who takes the train to work every day, listening to Israel-Baron made me a bit queasy.
Why are railway systems so difficult to defend and what are the most probable attack vectors against them? Nate Nelson, our senior producer, spoke with Israel-Baron, who in his previous role served as a senior information security and technology officer at the Israeli Ministry of Defense.
That’s it from me. Enjoy the interview.

[Nate] We all know about hackers planting malware on computers. We’ve heard of hackers stealing data from corporations.
Not everybody thinks about railways in terms of cyber security, so why do train systems need to worry about cyber security in the first place?

[Israel] If hackers want to cause high level of harm to a country, like really hit the country, the nation’s critical infrastructure, like to stop the country, like to jeopardize the daily lives of the citizens, the railway or the transportation industry is a very good and high level target because from one hand, and I’m sure we’re going to elaborate it later, but it’s so easy to hack it.
You know, it’s so easy. It doesn’t take a lot of time and a lot of efforts because there are in most cases very, very old systems. They were not designed to be safe against cyber attacks. So they can do it in no time. They can attack them.
On the other hand, the effect that such an attack can cause on the national level is huge because, for example, let’s say without even a cyber attack, you know what happens in Israel if we have a signaling error in one of the stations, you know, the traffic jams and the people coming late for work and the loss of money in hours. It’s tremendous. It’s only, you know, for one or two hours. Let’s say I do it for three days.

[Nate] But have we ever actually seen something like this happen in the real world?

[Israel] Okay. So in most cases, because railway infrastructures are government owned, in most cases, we don’t hear a lot about what is really going on and things are going on.
So in most cases, you will see that, for example, in Deutsche Bahn, the ticketing system was attacked. For example, I recall that the MTA in New York was attacked, but it was not an operation. So you hear it all the time.
But I think that underneath this layer of what is publicly known, there are a lot of activities, attacks that we even don’t know about. Because no country can reveal those facts because you need to understand that when something like this happens, it immediately can alert attackers that this is a vulnerable system.
So first of all, they will not publish it.
Second, if they do, they will not give a lot of details. Like in most cases, they will say, you know, the IT systems were affected, but that’s it. They will stop there. I think that what we see in the news is only the tip of the iceberg.

[Nate] You mentioned earlier that it’s relatively easy to attack some of these systems. Let’s get into exactly why that is, because as we’ve established, everybody knows the importance of keeping transport moving and what would occur if it couldn’t.
So why don’t we have effective systems in place to protect railways?

[Israel] Railways, they are very complicated systems because it’s not a system, one system. It’s a system of systems. Most of them are from completely different manufacturers. And the fact is that those systems were tailored to be bigger and bigger and more complicated over the years because we have railway systems that are deployed for 50, 60, 70, 100 years.
So you know, you don’t delete what you have, you build on top of it. So it’s another layer and another layer and another layer and another layer. So it’s not uncommon to find obsolete computer systems in such networks. You go and when you look on the network, you see that you have those old, unpatched Windows 95, Windows NT computers that nobody even remembers that they are there. Nobody knows how to handle them. Of course, nobody is touching them because you know, it’s railway.
You don’t touch what is working. You never touch it.
And those systems are very hackable. I mean, if you take Windows 95, it’s a child’s play for an attacker. It’s like nothing.

[Nate] Right, that seems like a big problem.

[Israel] On top of that, you have railway systems that were not designed to be cyber. Because you know, those are systems that were designed like 30, 40, 20 years ago when cyber didn’t exist. So even if I will attack such a system, nobody even will know about it because the system is not designed to look into those kinds of scenarios.

[Nate] So an attacker can send malicious information to these machines, but these machines aren’t smart enough to recognize it?

[Israel] Yeah. Let me give you a scenario.
The signaling network is operated by operators in the control center. So one classic maneuver could be that I will attack such an operator system, his workstation, and I will send commands without him even knowing about it.
Because he has the rights, he has the privilege to send commands to the system. We can move, for example, a switch, a lane switch on the track. So the only thing I need to do is to attack his workstation and tell the system, send the command to move a lane switch in front of a moving train.
That’s it. It’s very easy.

[Nate] And it’s easy enough for an attacker to do that under the guys without the operator knowing?
Because I mean, the only example I can think of off the top of my head, which isn’t exactly railways, is

[Israel] Stuxnet.

[Nate] Stuxnet is one, but I’m also thinking of there was a YouTube video of when Russia in 2014 attacked the Ukrainian power grid, and then there was that video of the operators watching as the hacker moved their mouse.
So is that just for show, more dramatic? You’re saying a hacker could do that without all of the dramatic parts?

[Israel] Yeah. Of course.
This is only for show because a serious hacker like that can do it without anybody even knowing that it’s happening. You know, it can mimic the workstation screen in a grim state, like in a steady state.
And under the scenes, everything is not steady. And you have those abnormal commands in the system. And you will find out about it because you will see that things are not happening as it should.
Like, for example, in the Stuxnet, you know, the operators saw the centrifuges are, you know, blowing up. But in the beginning, they didn’t, you know, relate it to a cyber attack. But eventually you will understand.

[Ran] Israel mentioned Stuxnet and how the technicians at the Iranian uranium enrichment facility, that this extraordinary worm attack, didn’t at first relate the malfunctions they saw in their enrichment facility to a cyber attack. So in case you were wondering how could such an attack fly under the operator’s radars, here’s the gist of it.
Stuxnet did two devilishly smart things to hide its existence from Iranian eyes. The first was that the damage it did to the centrifuges was designed to seem as if it was random. There were thousands of centrifuges operating in the enrichment plant at any given time, and every so often, Stuxnet would pick one out of these thousands of machines and violently alter its rotation speed.
So when a centrifuge broke down as a result of that change, it was natural for the technicians to assume that this was a result of a random malfunction.
A long time later, after many hundreds of such freaky accidents, when the plant’s managers started to suspect that foul play was involved, they asked their programmers to check the code of the industrial control system running the operation. That code was of course Stuxnet, but Stuxnet’s developers, who expected such a move, designed the malware so that when a programmer asked the system to present him the software that was running on the control computers, Stuxnet would provide the developers with the old code, the original code that Stuxnet replaced. That way, the developers had no way of knowing the true nature of the code that was running their centrifuges.
So that’s why Israel Baron says that the Iranian operators didn’t relate what they saw to a cyber attack, and it’s not too hard to imagine a similar scenario playing out in an attack on a railway system. Someone messing with the train’s control system in such a subtle way that everyone would assume that the railway system is just unreliable, instead of suspecting a cyber attack against it.
If you wish to learn more about the Stuxnet attack, the first ever cyber weapon, we covered it in length in a three-part mini-series starting with episode 7 of Malicious Life. Go check it out.

[AD] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place.
Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting, to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement. The Cybereason predictive response capability disrupts ransomware attacks prior to data exfiltration, and long before the ransomware payload can be delivered.
Visit cybereason.com to learn more about predictive ransomware protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.

[Nate] So why is it that we can’t prevent these kinds of attacks with the ordinary security tools that we use to protect anything else in cyberspace, like EDR and monitoring, that kind of thing?

[Israel] So in contrary to, let’s say, normal IT networks, you buy a firewall, you buy a WAF, you buy a regular IDS, or an IPS, all you need to do is get the information security officer approval or something like that, and that’s it. In the railway industry, it’s not working like that.
I cannot mention even one railway operator in the world that will authorize something like that, because they are all extremely afraid to lose their safety approval from the manufacturers.

[Nate] Wait, what does that mean?

[Israel] So let’s say, for example, you have some country railway network, all of it is Siemens equipment or Alstom, Bombardier, whatever, they will not authorize for a third-party software or system to be connected into the network without giving them an approval, and they will not give an approval without first testing.

[Nate] Why are they the ones being strict about this, if anything, I would imagine that the reason you don’t stop or change anything in a data stream is maybe government regulations or because railway networks are so confusing, so why are they the stopgap?

[Israel] It’s all about money, in the end.
Those systems were under tenders in most cases, and tenders are very specific about what they require from the manufacturer, and back then they didn’t require cybersecurity. So let’s say that you are the manufacturer, you are the OEM, one of the big guys, and you gave this multi-million-dollar worth of critical infrastructure to a country, and now somebody in this country, a CISO, a cyber director, whatever, as important as he is, he comes and tells you, look, man, I want this cybersecurity system to be connected to your critical infrastructure. This is obvious.
I wouldn’t do it. I wouldn’t do it if I was them. So I can completely understand that they are stopping it, but on the other end, they need to supply solutions because the world has changed and they didn’t.

[Nate] I could also see an argument to say, it sounds like railway supply chains are relatively simple, but once you start bringing in a lot of different companies and a lot of different systems, it becomes easier to do a kind of SolarWinds type of attack against a railway system, right?

[Israel] Absolutely. Absolutely.
You know, this is what I started with, is a system of systems. You have hundreds and thousands of integrated systems that, you know, each and every one of them can be exposed and attacked in the supply chain.

[Nate] For example?

[Israel] Let’s take the Wi-Fi, the onboard Wi-Fi for the passengers or the new entertainment system or the passenger information system that you have on board. All of those systems are in some way communicating with the signaling network, with the control center and in most cases, those are third party suppliers and you don’t really have any control about whether they tested their systems against cyber.
Is it cyber proof? Did they check the code to see that there are no vulnerabilities? You know, you can never know. You can never know.
So on a normal railway car, you will have 20, 30 subsystems that you have no control of.

[Nate] Yeah, that brings me to something I was thinking about earlier, which is like corporations have been talking a lot ever since COVID about bring your own device. You have employees, they bring in their phone, they bring in their personal laptop and suddenly they become a vector of transferring something on their machines to yours.
For railways, you’ve got thousands of people every day bringing personal devices connecting to that Wi-Fi system that you just mentioned, lots of personal data moving around this system. So between all of these subsystems, all of these third party softwares and units that you have to deal with, all of these personal devices, it’s a pretty massive attack surface. So how does anybody even begin to start patching up what amounts to thousands of holes?

[Israel] This is a very good question because this is a nightmare to a CISO. This is a CISO’s nightmare.
And you know, for example, I remember that only a few years ago, you could stick your own disk on key on an airplane to the entertainment system, you know, just a few years ago. And who said that back then the entertainment system was not connected to the flight computer?
I don’t know that, to be honest with you, I don’t know that. And taking it back to the railway, this is a huge attack surface, a huge one.
Because you know, suddenly everything is connected and you have onboard Wi-Fi systems that also connect to the operational networks inside the locomotives, inside the passenger cars.

[Nate] How long then do we have before this whole connected system of operations technologies and safety systems and public Wi-Fi just sort of blows up?

[Israel] It’s not a matter of if, it’s a matter of when.
Believe it or not, some OEMs connect all those networks together for operational reasons. So as a matter of fact, you can just sit down as a passenger, connect to the train Wi-Fi and just pave your way into the signaling network in a matter of seconds. And this is this is crazy.
When you understand it, you understand that this is crazy. You can literally stop a train for emergency break in a matter of minutes.

[Nate] But then why aren’t hackers doing that right now, if it’s that easy?

[Israel] I don’t know.

[Nate] Oh, okay.

[Israel] I honestly don’t know.
I don’t want to give anybody ideas, you know, but I think that, you know, when I was the CISO in ISR, I was terrified because I came from the M.O.D.

[Nate] Ministry of Defense.

[Israel] Yes. I knew that the threats are real. I was terrified that under my shift as the CISO of Israel Railways, such an attack will happen.

[Nate] What in retrospect was the most pressing, specific issue that made you the most worried at the time?

[Israel] My biggest understanding was that I cannot protect what I cannot see because I as a CISO, I was blind. I had those operational networks with critical systems operating and I didn’t have a clue what was going on there, even a clue.

[Nate] And to be clear, it’s not just an Israel problem, right?

[Israel] No, no, no. No, everywhere. Everywhere. You go everywhere.
And I’ve been and I’ve discussed with hundreds of companies, it’s the same. They don’t see. And you cannot protect what you cannot see.
So I think the first step should be to look inside those networks, to understand what you have there, to locate those old and obsolete computer systems that nobody even cares about, nobody even uses. And then after you did this mapping, you can start to really build a mitigation plan that will give you true value.

[Nate] All right, so we discussed how when you sort of entered into Israel railways, you were terrified, as is the word you were using. It’s been a few years, presumably other countries have become a little bit more aware of the threat. From the ground level, do you see progress?
Are you more confident in railway systems around the world today than you were a few years ago, or are you still terrified?

[Israel] No, I’m not more confident at all. And today more than ever, because, you know, I travel around, I speak with CISOs, I meet with them. When going around the world, I think that the understanding is only now becoming more common, only nowadays. In the last year or two, now we really see things are starting to move on, to go to the next level.
And we can take the US, for example, under the Biden administration, that the TSA, which is the regulator for the transportation, they issued new cybersecurity requirements for both rail and air sectors.
So it’s still, it’s not mandatory, but it’s going to be mandatory, as far as I know. And what those requirements imposes to the operators, for example, to nominate a point of contact, a CISO, cyber director, somebody that will be in charge.

[Nate] But why, of all things, is that what you think is most important here?

[Israel] This sounds a bit, you know, silly. You need to tell somebody to put somebody in charge.
But in most cases, it makes a lot of difference. Because when somebody is in charge of something, then in most cases, it takes care of it.

[Nate] Okay. And what are some of the other rules and guidelines that have been put in place?

[Israel] When you have a cyber incident, they need to update the government, the TSA, in a matter of 24 hours. And this is a huge deal, because for you to be able to let the government know that something happened in a timeframe of 24 hours, you need to be able to detect it, understand what it was, and then update the regulators about it.
So you need some kind of a system, you know, some kind of IDF that tells you that an attack occurred, and to give you some, you know, forensic, even basic forensic capabilities to see what was it.

[Nate] And besides the US?

[Israel] We also see Europe, and Europe is very advanced in its railway sector, railway infrastructure. They are very, very advanced.
And they have today regulation, which is the TS-5701, which is going to be the regulation standard in the EU, and it’s dedicated only for railway cybersecurity requirements. And it is a very deep document, very, very deep, very thorough, and it discusses the entire life cycle of railway systems with cybersecurity, supply chains, how to develop to the railway infrastructures.
And this is a major step, it’s still not mandatory requirement, but it’s going to be. So we see things are moving into the right direction, to be honest with you.
But you know, as always in railway, things are moving slow, but steady.