Staying on track can be tough.
If it seems like just about every industry is facing cybersecurity threats as they move further and further toward a digital future, well, that’s because it’s true. And global railways are no exception.
Shawn Smith works as VP of business development and strategic alliances for Cylus, a cybersecurity company that is focused specifically on the global rail sector.
IT Brew caught up with Smith at CES in January to talk about how threat actors are targeting the sector.
This conversation has been edited for length and clarity.
What are you doing at Cylus with respect to railway cybersecurity, and why is this so important?
When we established the company five years ago, we foresaw significant digital change that was coming on the horizon within the rail sector. All of the good benefits—digitization, efficiency, automation, passenger safety, lower costs—are counterbalanced by all of that technology increasing the threat landscape that these organizations have to deal with from a risk perspective. We saw that this industry was underserved by the cybersecurity community at large, from a software and tooling perspective. And we also saw a trend that, particularly within security for operating technologies, there would be a growing need to have very purpose-built capabilities that aligned to the needs of specific industries.
We built a platform that enables rail operators to fast-track their security programs by delivering visibility into their operating environment, understanding risks, and then applying monitoring and threat detection capabilities… whether they’re trackside systems like signaling or interlocking—really the foundational systems that enable you to operate in that environment—[or] the rolling stock and train sets, now [they] are interconnected and communicate over standard information technology, functions, and capabilities.
Can you talk more about the threat landscape for the railways? What does this look like?
If you think about ransomware attacks, there are many different systems, ticketing systems, scheduling, systems management systems, that are more susceptible to those types of attacks… Even those types of attacks can disrupt the resiliency of the system. They can potentially carry over into that operating environment. The whole goal of [cybersecurity] systems is to be able to detect that threat, see that visibility ahead of time, and be able to take action from a resiliency point of view, so that those systems remain resilient.
If [rail companies] understand that an IT system may be impacted, if they have a very good business continuity plan that looks at overall resiliency in the system, they’ll better understand with tools like ours those systems won’t necessarily impact operations, and we could continue to operate in a safe, functional manner while we remediate these types of incursions or incidents on the other side.
As the digitization of the railway business continues, so too will the evolution of threats, as we’ve talked about. Where does that leave the industry as a whole—not just Cylus, but the entire cybersecurity sector as it relates to railways?
If you go back five, six, seven, eight years ago, you had first the notion that IT security tools, in terms of their capability, don’t address the need for a lot of security. You have an evolution of companies that started using passive technology, and basically [gaining] a capability to deliver vulnerability management that delivers asset visibility and threat detection—the core functions of a security program. Now you’re seeing the evolution of companies that really look at their analytics deeply into those subsystems, whether it’s a signaling system in the rail context, or whether it’s a computer-based train control system.
We [now] have a better understanding of how those systems should behave, and what the process would be to address any remediation.—EH