FreightWaves recently chatted with Miki Shifman, co-founder and chief technology officer for Cylus, a global rail cybersecurity firm headquartered in Tel Aviv, Israel. Shifman discusses current cyberthreats facing freight and passenger rail systems worldwide.
Indeed, in the U.S., the Transportation Security Administration in October required freight and passenger railroads to comply with a new cybersecurity directive aimed at protecting the rail networks through performance-based measures, while an industry panel affiliated with the Association of American Railroads has been studying potential rail cybersecurity threats for decades.
This question-and-answer session was edited for clarity.
FREIGHTWAVES: What has changed in the world of rail cybersecurity since FreightWaves and Cylus last talked three years ago?
SHIFMAN: Cyberspace is [still] quite active, but it’s active from a different perspective. On one hand, you have the operators that keep doing tremendous work on upkeep and improving their security posture. [That work is] always evolving, but it’s making more developments and proving strategy and learning over time.
On the other hand, there is the threat actor side, which also always keeps evolving. We see that threat actors use more and more capabilities, geopolitical situations … . For example, Belarus trains were actually attacked as part of the ongoing war between Russia and Ukraine. So generally, we see a lot of progress and, of course, regulation. So the regulators are keeping up with the situation, both on the threat actor side as well as on the operator side, to ensure that regulations [reflect] their knowledge about the landscape.
FREIGHTWAVES: What are some of the evolving issues for freight and passenger rail? Is it more hacking, potentially affecting operations?
SHIFMAN: I think that, in general, what freight or passenger rail companies mostly care about is what could lead to different failure scenarios. They care about what can cause downtime [and] what can cause potential safety issues.
And on the other side, what they’re doing mostly is following a framework, building security organizations and deploying the right tools to ensure that the risk that something is going to happen is lowered over time and they don’t leave a space for this risk to happen, just as they do with safety. So, from what I’m seeing with different organizations, that’s the strategy that they’re following.
FREIGHTWAVES: Does Cylus work in public-private partnerships? What’s your level of involvement in terms of advising policy?
SHIFMAN: We’re developing tools to enable operators to secure the environment in the best way possible. So, our security solutions are customized and purpose-built for the rail industry. Our goal is to help them to bridge the gap between the knowledge that they have, which is always increasing, [and getting the technology] automated and at the scale that rail companies actually need because rail systems can be spread over thousands and tens of thousands of miles.
In order to effectively protect such a system, you need a technology that is fit to that. So what we do is we provide a technology that gives them the ability to look into what assets they have and analyze the rail-specific communications that are happening, [such as] act anomalies and when they happen, how to mitigate them, and how to meet different objectives, such as compliance.
Regulatory compliance is something that the governments [enforce], but at the same time, from the operator side, when you want to [ensure compliance], you have different things that you need to do. You need to pull people and processes in place, as well as technologies. So, we look at the technology side of things. We help them with improving their resilience — basically reducing the risks of threats and also bridging the gap between the staff. Rail organizations have people on the cybersecurity side and the operations side, and these two are now working more and more together in order to address the cybersecurity issues, so we as a company also support them in that.
FREIGHTWAVES: What is the pace of cyberthreats now? Do they grow in sophistication? Who are the actors?
SHIFMAN: Anywhere between nation-states to hacktivists to just script kiddies [hackers who use existing computer scripts for malicious purposes]… .
What I think changes a lot is that knowledge becomes more and more accessible. So what was reserved for nation-states, let’s say five to 10 years ago, now becomes in the public domain, and you can see open-source tools that are doing it. So that’s where the capability tends to increase for the threat actors.
On the defensive side, you have companies like us that build more technologies to support better automated processes, [and] you have the railroads themselves that hire more people or train their teams to be more ready to monitor specific threats and watch for threats targeting operational systems and not just the IT systems.