“Mr. Trainman did (almost) all the things right, but … something got terribly wrong”
This is a short story about how Industrial Control System Cybersecurity goes and the importance of real ICS Cybersecurity companies and professionals. A use case on the railway sector.
Landscape and main characters
Once upon a time, a National Railway company was building a new connection line between two main cities. Public tender for train provisioning on that new line containing Safety and Cybersecurity requirements for new equipment was published.
There was a train vendor manufacturing last generation trains all around the world. with leading edge technology on board equipment to add differential value, always complaining with different Safety and Cybersecurity regulations. Mr. Trainman as corporate CISO in front of these issues.
Nowadays, different networks and systems can be found on board in a train. one of those is CCTV (Inside and Outside):
For this project, they were looking for a unique vendor to provide both solutions (Inside and Outside) on CCTV system, to simplify project management and reduce complexity.
Then Moxa came in as they could provide both solutions, especially the outside CCTV needed for safety on persons going up and down on stops.
Having in mind all the Cybersecurity requirements, Mr trainman had to review that vendor selection.
Mr. Trainman validation checklist
Being a regulated sector, all onboard equipment has to be complain with some railway safety standards:
With this on mind, Mr, Trainman began to check all these requirements on the selected vendor and product:
Good !!!!
Safety certifications and Ethernet protocols documented to place the equipment on the right IEC 62433 zone inside train network. Good !!!!
Some security controls available to protect the device:
- Password access protection
- IP Filtering
- HTTPS (Encryption) supported
Vendor and equipment approved and inside the new train to be delivered to customer.
Mr. Trainman met his stranger on a train
On May 2021, everything changed:
Four critical vulnerabilities on Outside Moxa IP Camera were published by NIST, and:
Vulnerabilities on product leads to a Denial of Service
(CRITICAL for customer and safety)Firmware update MANDATORY on any already deployed cameraVulnerabilities come from a Level 2 protocol (LLDP)LLDP not identified by vendor on Spec SheetsLevel 2 filtering was not on Zoning Firewall rulesA complete revision on train IEC 62433 security Zoning needed ASAP
Now they were facing a huge economic impact on the project due to execution of all the tasks describes above.
Some final advices for Mr. Trainman
- Certification is good, but Not Enough
- Cybersecurity Certification Framework still to come on some sectors. Safety regulations are not security regulations.
- Don’t trust, TEST because:
- Vendor spec sheets, and even technical manuals, don’t describe all the network ports and protocols products use.
- 0-Day vulnerabilities exists even if none had already tested that product, so do it yourself.
- Testing before deploying is cost saving and investment protection
- Always test your new products with an experienced Industrial Control System Cybersecurity Company