Cervello CEO explains the benefits of ‘Zero Trust’ security to rail infrastructure
In this interview for Global Railway Review, Cervello Co-Founder and CEO, Roie Onn, shares his vision of how Zero Trust security is a necessary component of any railway organisation, especially at a time when the industry is adopting new technologies, replacing legacy equipment, and integrating digital systems from a growing number of vendors.
Do you think that rail organisations today understand the importance of cyber securing their infrastructure?
Without a doubt, this is an undeniable threat and the industry is taking major steps towards infrastructure cyber-security implementation. We see that in standards and regulations to be published during 2021, such as TS 50701 etc., but also in concrete customer requirements. New tenders and infrastructure projects – including the upgrade of old generation equipment – are released with very specific cyber-security requirements at core, and this is a significant change in the operators and infrastructure managers’ approach. Not so long ago, it was mostly required to explain or highlight the risks and different threats related to rail infrastructure – more specifically signalling systems and rolling stock. Today, we are approached by many customers that already understand their risks and consistently explore ways to mitigate them. This is truly inspiring to see, as this change in mindset in a very short period of time means that the industry truly understands that without being cyber-secure – it cannot move forward properly from a safety perspective. We are honoured to be an integral part of this important transformational change and hope to continue to help create a safer rail future.
What do you think are the main motivators for railway operators and infrastructure managers to invest in cyber-security?
A railway CISO has a lot of concerns, especially with the massive shift to digital technologies and wireless channels in recent years. Based on the interactions with our customers and partners, we identify several motivators that tend to repeat themselves:
- Lack of Visibility: Rail network environments are extremely complex and contain equipment from different vendors, combining new and old generation equipment, and consist of thousands of assets in different locations and network levels. As such, in most cases, it is extremely challenging to efficiently monitor these networks. In most cases, operators and infrastructure managers are completely blind to what lies within their network, and this is exactly what the attackers need. Usually, once we reveal to customers the real network picture for the first time – including a visual display of all their connections and elements – the immediate reaction is that they couldn’t even imagine how compromised and exploitable their networks are.
- Safety, Reliability and Resilience: In the event of a cyber-attack, how can a rail organisation efficiently isolate the threat and minimise the potential damage while ensuring its business continuity? Furthermore, many customers share with us their concern about how to properly integrate cyber-security solutions with existing safety systems. Understanding the nature of rail infrastructure, we constantly make sure that we can provide maximum security with zero impact on system functionality and safety measures through a certified and aligned technology that is also trusted by the leading vendors and manufacturers in the market. That way we earn the customers’ trust.
- The Insider Threat: Rail organisations are responsible for national critical infrastructures; thus they understand that the more advanced and sophisticated hackers get (whether organisations or nations) – they will eventually take advantage of different backdoors or use creative techniques to penetrate the networks in ways that most threat detection platforms would fail to identify. One example is when hackers gain the credentials or access to the network through one of the key employees; in such a case, how could companies spot them, acting legitimately in the network? As of today, they are right. It is extremely difficult for today’s rail organisations to detect such attackers with existing tools in the market, as most cyber-security solutions – even when dedicated to railways – rely mostly on various signature-based mechanisms and DPI (Deep Packet Inspection), having too many security assumptions in place.
What does Zero Trust security mean and how is it brought into context with railways?
Zero Trust, as a conceptual idea, is already becoming the modern way of thinking about cyber-security – just as the firewall perimeter security used to be. The modern approach of performing more contextual, risk-based evaluation of all requests, procedures and activity in general is going to be the norm moving forward in all industries. In fact, over a decade ago, administrators of sensitive mission-critical networks argued that they shouldn’t trust anyone on their networks, regardless of their title or responsibilities. Nowadays, in the wake of two massive cyber-attacks in times of COVID-19, government officials and cyber-security practitioners are also saying that Zero Trust networks may be the single way to stop the evolving cyber chaos. Just in February 2021, the American National Security Agency issued guidance urging network owners related to national security and critical infrastructure to adopt Zero Trust.
In many existing industrial computer and control networks, once an attacker has logged into the system, they can move freely and access various information without any further verification. This reality is what cyber-security experts consider the traditional ‘castle-and-moat’ approach: protecting perimeter security by investing mainly in firewalls, proxy servers, different intrusion prevention and detection tools, and overall assuming activity inside the castle walls is (mostly) safe. Considering networks to be ‘closed networks’ is the status quo. Zero Trust takes a different approach, shifting from a perimeter defence model to a resource access-based defence which is location-agnostic and more reliable in today’s data ecosystem that no longer necessarily follows a specific hierarchical flow, in all industries. Assuming the network is already hostile, and that any connection or command is suspicious (hence requiring validation), it potentially eliminates the ability of an attacker to move freely through the system – such as accessing other connected devices and networks without being authenticated at all. In other words, Zero Trust reduces or prevents lateral movement and privilege escalation, overall limiting the potential damage to an infrastructure network, and more specifically to rail infrastructure.
Rail critical systems, powering critical infrastructure such as electric grids, signalling networks and telecom networks, have become high profile targets for nation state attackers. They are becoming more susceptible to cyber-physical attacks with many system deployments becoming digitalised and connected to the internet in various ways, either directly or indirectly, for maintenance reasons and much more, and having digital systems converging with the physical. Thus, the security measures of such infrastructure should be of the highest standards and must be a priority to guard against the continuous threats of increasingly sophisticated malware and malicious cyber-threat actors. Advanced Persistent Threat attackers may be motivated by a potential financial gain, ideology or simply wish to destabilise or otherwise sabotage a critical rail infrastructure. As the most responsible act, we are assuming they can launch their attack over an extended duration of time in order to remain undetected and slowly gain more access and privileges in the system. This is what we consider a residing cyber-tool which they possess. This use-case is an example of why applying a Zero Trust model becomes crucial especially within rail infrastructure environments, since the safety of passengers and goods should simply not be assumed.
How does Cervello implement Zero Trust security through its platform?
The Cervello platform applies the Zero Trust concepts such as advanced network segmentation, segregation, authentication and monitoring, all while being certified and aligned with the industry restrictions. One pillar of our Zero Trust is the implementation of a role-based access model where the concept of least-privilege is adopted to supervise the access of different network entities who legitimately need access to other assets/resources. Another pillar of our Zero Trust is micro-segmentation. Cervello’s micro-segmentation is our security technique that enables fine-grained security policies to be assigned to different applications, down to the workload level as well as network devices/elements. Such security policies could be practically synchronised with a virtual network, virtual machine, operating system or other virtual security targets. The concept of adaptable Trust based on constant monitoring is important for Zero Trust, and our model is customised to suit the need of the network to ensure security – all without compromising safety measures and while not impeding system availability or integrity. We are the only company offering a patented technology for Rail Signalling Authentication.
Could you share more details about Cervello’s Zero Trust concept for rail?
The Cervello concept is based on a patented authentication technology that is fundamentally different from any existing SCADA, ICS and other railway cyber-security intrusion detection solutions. We apply a Zero Trust framework while segregating every network element and asset, as opposed to only segregating levels or zones in the architecture. Moreover, everything is done passively. The security value is incomparable to other solutions that are based solely on anomaly detection – relying on researched industry-specific vulnerabilities/exploits, and that even require human modification to ensure proper network segmentation or device discovery. To illustrate, whenever a certain network element or asset establishes any connection, it is correlated with Cervello’s asset inventory, which continuously collects, analyses and updates changes about the state of the devices with the most minimal effect on latency. The continuous monitoring is imperative, as an adversary may gain control of an asset after a connection is established. In order to evaluate the state of a given asset, our asset inventory has to process a variety of data sources. The processed aggregate data is then sent to the allocated asset policy, which indicates whether the given asset state is trustworthy or not, by assigning a trust score. The trust score is crucial since each network element or resource related to safety will have an associated minimum score required for proper access. By utilising real-time monitoring data from controllers, signalling and rolling stock elements, the Cervello server can correlate rail infrastructure behaviour with signalling device activity. These types of evaluations can detect insider attacks from actors that are usually considered trustworthy in other hierarchical security models and by other solutions offered to the industry today.
Nonetheless, it is of general importance that the trust evaluation is tailored to the specific rail industry subsystems and substations architecture. Therefore, it is highly important to be very well familiar with the industry standards and best practices. This contributes a lot to qualifying additional infrastructure risk from IT and OT network security perspectives.
The heavy reliance on rail signalling infrastructure and safety mechanisms means that the Zero Trust framework must focus on protecting OT and IT devices without affecting the reliability of the machines, components and hardware to produce their expected output. This is why today we implement our platform passively – meaning that eventually we do not interfere with the critical procedures and activity, allowing customers to always be in charge and with full control.
With the industry becoming more digitalised, the proliferation of Industrial Internet of Things (IIoT), which is considered within the industry as Rail Internet of Things (RIoT), can be considered a major motivator to move to Zero Trust as well, since it changes the conceptual and security assumptions that the hierarchical nature of data flow is based on. There are of course challenges and limitations that must be resolved, such as the fact that redesigning and deploying new systems can be disruptive and costly within the industry in today’s reality, yet this could be solved by closely collaborating with equipment manufacturers and system integrators. On top of that, the old protocols in place make the task even more challenging with many of such protocols being proprietary and vendor specific. After years of research and development, we’ve been able to develop a state-of-the-art technology that overcomes these challenges, in an agnostic manner, and for that purpose as well we are working alongside strategic partners to make sure cyber-security is part of their new architecture – all to implement the concept by design.
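A small model of the trust-score flow described in this answer (asset inventory feeds an asset policy, the policy assigns a score, each resource carries a minimum score, and the score is recomputed passively as new state arrives after a connection is already established). This is an added illustration, not Cervello's code; the signal names, penalties, resources and thresholds are constructed assumptions.

```python
"""Passive trust-score evaluation, modelled on the description above.
Added example, not Cervello's code; every signal, weight and threshold
below is a constructed assumption for illustration only."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed: minimum trust score an asset must hold to access each resource.
RESOURCE_MIN_SCORE = {"interlocking": 90, "diagnostics-server": 60}

# Constructed: penalties the asset policy applies to passively observed signals.
PENALTIES = {
    "firmware_unverified": 30,
    "new_peer_connection": 20,   # talks to an asset it has never talked to before
    "off_shift_activity": 15,
    "protocol_deviation": 40,    # message outside the device's known command set
}

@dataclass
class Asset:
    name: str
    signals: set = field(default_factory=set)  # current state from the inventory

def trust_score(asset: Asset) -> int:
    """Asset policy: start at 100 and subtract one penalty per active signal."""
    return max(0, 100 - sum(PENALTIES.get(s, 0) for s in asset.signals))

def evaluate(asset: Asset, resource: str) -> dict:
    """Passive verdict: report whether the asset meets the resource's minimum
    score. Nothing is blocked; the operator stays in control of the response."""
    score = trust_score(asset)
    required = RESOURCE_MIN_SCORE[resource]
    return {"asset": asset.name, "resource": resource, "score": score,
            "required": required, "trusted": score >= required}

def monitor(asset: Asset, resource: str, updates: list[set]) -> list[dict]:
    """Continuous monitoring: re-evaluate after each batch of new signals, so a
    drop in trust after the connection was established is visible in history."""
    history = [evaluate(asset, resource)]
    for new_signals in updates:
        asset.signals |= new_signals
        history.append(evaluate(asset, resource))
    return history

if __name__ == "__main__":
    # Constructed scenario: a workstation with valid credentials reaches the
    # interlocking, then starts behaving differently mid-session.
    ws = Asset("maint-workstation-07")
    updates = [{"off_shift_activity"}, {"new_peer_connection", "protocol_deviation"}]
    for verdict in monitor(ws, "interlocking", updates):
        print(verdict)
```

The same asset that fails the interlocking threshold may still clear a lower-value resource, which is the per-resource minimum score at work.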
Cervello and Expandium recently announced a strategic partnership to combine cyber-security with predictive maintenance for rail signalling and telecom systems. How does it affect the market?
We are a customer focused company, and as such we always strive to come up with new and better ways to provide more value to our customers. Partnering with Expandium enables us to combine our cyber-security expertise together with Expandium’s expertise in network monitoring and predictive maintenance, in a way that the customers will gain maximum operational efficiency at minimum costs for a scalable and agnostic infrastructure monitoring software. On top of that, our technologies can feed each other and contribute to the overall insights from both perspectives. I believe we will see more and more strategic collaborations between leading companies in the market.
Does the Zero Trust approach have an advantage when addressing the IEC 62443 standard and the upcoming TS 50701?
When considering the rail industry’s standards for network segmentation or the allocation into security zones and conduits, one of the clear Zero Trust security model advantages is its ability to eliminate unauthorised control of operational rail assets or access to sensitive data and services within the rail network micro-segments. Even once such security levels or zones are defined, the passive supervision and verification of all operational requests strengthens as much as possible the borders of the different types of zones. Overall, and as stated before, reducing security perimeters into smaller, more accurate and well-defined zones – limits lateral access throughout the network, thus enhancing the quality of compliance. Segmented security becomes more important as workloads become digital or even mobile and considering that the industry shall continue moving forward technologically – Zero Trust security is probably the safest way to ensure such alignments going into the future.
Roie Onn is the CEO and Co-Founder at Cervello, a leading Israeli rail cyber-security provider dedicated to protecting the quality of railway safety, reliability and availability worldwide. Roie brings a unique technical background that includes extensive experience in cyber-security – specialising in hacking operations, risk assessments, malware analysis and computer forensics. Prior to co-founding Cervello, Roie was a Network Security Specialist at the Israel Security Agency (ISA) cyber division. Previously, he served in the elite technological unit 8200 of the Israeli Intelligence Corps as a Security Researcher and Commander. The Cervello team combines cyber-security experts and industry leaders, amongst them the former CISO (Chief Information Security Officer) of the national Israel Railways operator.