Mike Holcomb’s Post


Helping You Secure ICS/OT | Fellow, ICS/OT Cybersecurity Global Lead

Cyber attacks in commuter rail can be fascinating and hold important lessons for other ICS/OT environments. Over the last few years, I have been fortunate to work more in commuter rail, including recently performing an OT tabletop exercise for the subway operator of a major U.S. city. The initial part of the tabletop included a high-level overview of recent cyber incidents against rail environments, which I wanted to highlight here:

- Jan 2021: Rail operator OmniTRAX suffers ransomware attack; targeted parent company and did not impact rail operations
- Apr 2021: Attackers gain access to NY MTA network
- Apr 2021: Ransomware infects UK rail network Merseyrail
- Jul 2021: METEOR wiper malware deployed against an Iranian rail operator, impacting rail operations
- Jan 2022: Belarusian government rail provider had online ticketing services taken offline by a Belarusian hacktivist and internal information leaked
- Jun 2022: Attacker breaches Wabtec corporate network to steal sensitive data, including Personally Identifiable Information (PII)
- Nov 2022: Danish rail provider subcontractor shuts down train service due to cyber attack

In addition to these incidents, each of which has its own lessons for rail operators to learn from, March 2023 also saw the Vulkan Files disclosure. The reported leak highlighted an adversarial attack framework for rail networks which includes the technical capabilities for "manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail, and causing combined heat and power (CHP) units to fail, with the explicit objective of causing train collisions and accidents."

If you work in rail, these are great examples to use when highlighting not only the most recent incidents, and using that intel to learn from, but also the ever-present and continually increasing threats.
If you work in any other ICS/OT environment, these incidents can also be learned from, to ensure your own facilities are protected against similar attacks and, just like in rail, to understand that you are not only a target, but that cyber attacks and their associated impacts are only continuing to increase. #icssecurity #otsecurity #icscybersecurity #otcybersecurity #cybersecurity #rail #railindustry #railsafety #cyberattack


Interestingly, none of these attacks affect the industrial systems themselves. As in most published attacks, automation, signaling and SCADA are much less attacked than the surrounding environment, which makes it useful. Think also of MES for batch industries. It does not mean we do not have to secure automation, but this is a final piece in a larger picture... even considering only OT operation.

Arun Rajagopal

OT Cyber Security Consultant | OT Security Leader | Trusted Advisor | Pre-Sales | Cyber Security Strategy | ISA England President

1y

Although the attacks were not specifically targeting ICS environments, it is important to note that a breach of IT systems resulting in business continuity impact (i.e., in the case of the rail sector, loss of rail operations) is still an OT impact. Therefore, a Defence in Depth approach to implementing countermeasures and a People, Process, Technology approach to the Cyber Security Program is still relevant to continuously improve security posture.

Terry Gordon

Rolling Stock Fleet Consultant

1y

Supply chain vulnerabilities can have significant impacts on others; the attack landscape is enormous and it can be like pushing jelly uphill.

Roy Whitehead

CISO | Advisor | PD | Author | Founder

1y

Great article which highlights some potential fragility of transport which sometimes gets taken for granted.
