[00:00:28] Tom Garrison: Hi, and welcome to the InTechnology podcast. I’m your host, Tom Garrison. With me as always is my co-host, Camille Morhardt. Today, we have a very special guest, Miki Shifman. He’s a veteran leader in the development of complex cybersecurity projects, with over ten years of experience in software engineering, research and management. Prior to co-founding Cylus, Miki served as a cyber researcher and an R&D leader in the cyber R&D division of the Israel Defense Forces Elite Technological Unit. He was named Forbes Israel 30 Under 30 in 2020. Welcome to the podcast, Miki.
[00:01:07] Miki Shifman: Hello, Tom. Hi, Camille, and thank you for having me. I’m excited to be here.
[00:01:13] Tom Garrison: Today, we’re going to talk about something that most people are sort of interested in but don’t know much about, and that is trains and security associated with them, which I thought was just a fascinating topic. Miki, can you give us a little bit of just background about the rail industry with regards to security, the kind of things you need to worry about.
[00:01:36] Miki Shifman: Just as a quick background on what happened in the rail industry in the past, over 150 years of existence, trains and the systems that operate rail networks have moved from being super mechanical, old fashioned, all rely on low technologies to digital, autonomous and also much more effective. That happened by introducing lots of controllers, computers, machines, wireless technologies that are now effectively controlling the entire rail network. So, there’s a lot of technology that is out there for optimization, for safety, and that’s something that happened in the past 20 to 30 years. I think that in the last five to 10 years, you’ve seen more and more introduction of those technologies to the rail networks that we know. Those technologies are now very sophisticated and enable lots of function and it’s all computerized. That’s in a nutshell what happened with this industry.
[00:02:48] Camille Morhardt: I’m curious, where are most of these sensors? Are they on the trains themselves, or are they on the rails, or they cross streets, intersections, et cetera?
[00:02:58] Miki Shifman: Yeah. The short answer is everywhere, on the infrastructure as well as on the trains themselves. Some examples, you have technologies that are now in charge of controlling train movements and they’re part of the rail infrastructure, but they send wireless commands to the trains. And according to those wireless commands, the trains are moving or stopping, and also they can determine what’s going to be the speed. You have technologies that are completely computerized that are in charge of braking of trains. They are within the trains themselves. These technologies can, of course, cause the train to stop or not to stop accordingly. There are always some fail safe mechanisms, but the overall trend is that you have more and more technology that is now responsible for critical functions within rail systems.
[00:03:53] Camille Morhardt: I’m thinking about some of these old Western movies where there’s train heists. One of the main things is they have to replace the exact amount of weight that’s in the cargo when they’re removing cargoes. I’m just wondering what kinds of things are measured. Is weight measured? And if you’re putting graffiti on the side of a train, does the company know about it already? Are they basically seeing all that happen? How aware are rail systems as to what’s on them or who’s touching them?
[00:04:26] Miki Shifman: There are various sensors that are now introduced to notice those things. Some of them take into account weight and some take into account different physical interactions that there are with the trains. So yes, there are many sensors. You also have things that are on the tracks and are responsible for ensuring that people don’t get into the tracks.
[00:04:49] Tom Garrison: What about technologies about the cargo that’s on the train? Are there those types of technologies as well?
[00:04:59] Miki Shifman: Right. Effectively, the way it works is that the technologies I’ve mentioned before are responsible for, first of all, safety. That’s the most important part. By safety, basically means the trains need to stop or to move whenever it’s allowed to do it. That’s the base, that’s what you try to automate first. On top of it, you try to optimize for efficiency. Efficiency means, for example, it can be electrical efficiency of the network, it can be timetables, or anything that is on top of the safety layer. That takes an assumption of a safety layer and adds now the level optimization.
Other than that, you have different IoT sensors and things that are being introduced as technologies. In cargo, you have various logistic systems that are being introduced for more logistic purposes and are part of the equipment there. In passenger trains, you have passenger information systems, displays and cameras that are now part of a modern train. A train, by the way, can have sometimes thousands of connected assets on it. A single train will have thousands of assets connected to a train network. It happens in many types of trains.
[00:06:26] Camille Morhardt: How do you keep the sensors on the infrastructure of the train and the rail system itself safe when there’s other kinds of wireless sensors that are potentially riding on the train as well, be it humans with their cell phones and laptops or be it third party cargo shipments that are on the train monitoring their own contents?
[00:06:49] Miki Shifman: First, what train operators are typically doing, they’re starting from understanding what they have designed within their trains and Camille, you’re right, each train is being designed with different sets of systems. The basic are, of course, the critical systems, the ones that are required for operating the train. There are other systems as well. Typically, there is some level of segmentation between the systems, although we’ve seen that these are not always maintained. Just as an example, we’ve already seen a major train operator that wants to impress passengers with how fast are the trains. They’re doing it by connecting the critical systems that control the speed of the train, the passenger information systems that are effectively connected to the internet. That’s an example.
But one of the concepts that, of course, being applied to segmentation and on top of segmentation, which is not always effective because it’s very hard to maintain over time, there’s this notion of visibility and understanding what you have there, and that’s what many train operators are doing to map the different sensors and systems that they have on their networks.
[00:08:04] Camille Morhardt: Where are the weakest points in a rail system? I always would think it’s this intermodal kind of transport where you’re actually loading containers off a ship onto a train, where two systems are coming together and there’s some sort of a transfer transition there. But where are some of the more vulnerable points? Not to set it up for somebody who’s interested in attacking, but what kind of areas is there a lot of focus on securing?
[00:08:33] Miki Shifman: First, of course, yeah, the goal here is to look at it from the perspective of understanding what are the potential threats. One thing I can say is that over the past four or five years, security is considered part of safety within most rail companies. So it means that in order to be safe, you also need to be secure. Systems that were in the past not really secure because they were developed just as safety systems, as security wasn’t part of the process, wasn’t part of the development lifecycle, they’re now more secure and there are also standards that have been built to support it and help builders of equipment to achieve a more serious level of security.
Back to the question, Camille, there are weak points and there’re also the impact. I guess the weakest points, of course, are always the ones with external interfaces to the outside world. Outside world can be internet, can be some passenger-facing applications, or can be third party modes of transport, or users of the network like cargo systems. At the same time, you can also think of it of what a threat actor will try to achieve, and then you get to the first set of systems that I discussed. The interfaces between them are the interesting ones to explore. How can one get from those weak points to the critical points? That’s what’s important when doing a security assessment or analysis of a rail network.
[00:10:07] Tom Garrison: Can you talk about the human aspect as well? Because there’s also at least one human being on that train that’s up in the front, right? That used to be my dream job as a kid, I wanted to be an engineer. But what role does a human being on the train play? Are they just sort of there to babysit, or do they play an active safety role in addition to all the sensors?
[00:10:35] Miki Shifman: In some systems, they are more babysitting. But in almost all of the systems, whether the autonomous or not, even when the computer makes some decision, typically the human being can override it somehow. So, there is a role also to the people. I can say that in the US, especially in the freight rail side or the passenger rail, the intercity rail, there’s now a mandate for positive train control. That ensures that locomotive drivers, even if something happens to them, the train will stop when it’s supposed to stop. That happened after a major accident.
In transit systems, you can see some autonomous systems. You can see, by the way, some of them in the airports, many times you see a train that crosses terminals. These systems are called automatic people movers, and they’re completely autonomous. Might have someone dispatching it but you don’t have a human being operating the train itself. On transit systems, especially the new ones, you have a concept or standard called CBTC, communication-based train control. That’s again another standard that aims to make as much as possible of the train control automated and controlled from the trackside.
[00:11:57] Tom Garrison: I’m familiar with other types of infrastructure attacks that have been in the news, where power grid was attacked or whatnot, but honestly, I can’t recall ever hearing about a train system in some way being hacked. Does it happen? If it does, can you tell us what was the scenario and what was it that was attacked?
[00:12:22] Miki Shifman: Recently, in the Russia-Ukraine War, trains were attacked and they were responsible for cargo or more correctly for military supplies. Trains in Belarus got attacked by hacktivists. Those hacktivists, they took over the dispatching system of trains and disrupted the network and made sure that the trains will not be able to travel. Those dispatching systems are essential because they control, of course, the scheduling, and they’re responsible from moving the trains from one point to the other. So, there wasn’t a safety incident over there, but there was a massive disruption to the system.
It also happened, especially in the past two or four years, we’re seeing dramatic increase in the start of COVID in attacks against trains. I guess somehow related also attacks about other types of critical infrastructure and other types of systems, but we’re seeing increase in the attacks against rail companies. Many of the rail companies in the world reported they’ve been attacked at some level. Railways are typically critical infrastructure within their countries, and there isn’t a lot of motivation to report such things to the public. But apart from that, there are lots of now requirements to report to regulators when we’re seeing that it’s happening around the world.
[00:13:40] Tom Garrison: Have there been attacks that have either caused a derailment or caused a safety issue, other than just maybe an annoyance here or there, but are there major attacks that maybe I’ve just missed or have we so far been saved from this kind of attack?
[00:13:59] Camille Morhardt: Or would we know? Like you said earlier, Miki, maybe these derailments we hear about are attacks but they’re not being reported that way. How do we know?
[00:14:08] Miki Shifman: That’s a good question. I think that the would-we-know question is very important, and I think companies around the world are working more in on the would-we-know thing. Until a few years ago, companies wouldn’t have probably any visibility into what’s happening with their systems. They will only get the outside impact of what’s happening. Many of the cyber incidents, especially in a critical infrastructure space, they many times look like technical malfunctions. These technical malfunctions can be a result or cannot be a result of cyber attack. Just as an example, we’ve seen an operator that received the software update, and the brakes or the electronic brakes stopped working after the software update.
So, would you say it’s necessarily… You need to trace it back all the way back to the development cycle to understand whether that was actually something malicious or something that is benign, someone just made a mistake. That’s part of the challenge when you deal with these types of consequences. It’s not always easy to attribute it to a cyber or to operational function, because many times these things look really similar.
[00:15:27] Tom Garrison: Yeah. The reason I’m asking is, I know we’re not talking much about cargo per se, but when you do think factor in the cargo on some of these things, they’re carrying some pretty nasty stuff sometimes. It’s either flammable, or it could be construed as a bomb. If you derail the thing at high speed and whatever else, you’re going to have a heck of a problem. And so, it just seems kind of curious that we almost never hear about rail and cybersecurity together. Other than a high level threat, we’ve got to secure our rail system. But you never hear about it being attacked, which to me just seems curious. Other critical infrastructure we do hear.
[00:16:14] Miki Shifman: There are a few ways to think about it. Per your point, yeah, rail is being used also for military purposes, also for transporting nuclear materials. There are some countries by the way that also try to evaluate scenarios of someone that’s trying to attack trains, and then making them stop at some point, and then compromising something that is on the train. These are scenarios that were analyzed by different countries, and I think it’s for a reason. As per the question about what we hear and don’t hear about rails, I think that frankly speaking we do hear. You don’t see this shot of someone maybe that’s now reporting that, or no, it’s the movie scenes. Fortunately, we’re not seeing them on the news. But what we do see, we see a major trend, by the way, I’ll say in the US of government briefing rail companies on intelligence related to attack on potential trains.
I think that if such intelligence exists, that’s for a reason. The rail CEOs were summoned to the White House for a secret briefing, not sure what was discussed over there, but it was on the news. Before that, you had TSA releasing security directives for trains and it was quite fast. You’ve seen similar trends in other parts of the world, in Europe, in Asia as well. The most important thing is we, as an industry, work together and make sure these events will not happen, and they will not need to reach the news, and hopefully we won’t even hear about them in the future. So, it’ll stay the same. That’s our goal.
[00:18:00] Tom Garrison: All right. Well, Miki, we have come to the end of our time here. But before we let you go, we have a segment that we call fun facts in honor of our topic today, trains. We’re all going to try to have train fun facts. What fun fact do you have to share with us?
[00:18:20] Miki Shifman: All right. I know that many people like to talk about animals as a fun fact, so I try to combine both. One of the things that I read in the past was that in Moscow, actually dogs take the train independently. You can find stray dogs that are going from the suburbs, navigate subway system in Moscow, get to the center, grab some food somewhere, and then get back in the evening.
[00:18:49] Tom Garrison: That is awesome.
[00:18:51] Miki Shifman: Yeah, you just see how smart they are.
[00:18:53] Tom Garrison: Stray dogs navigate the public transit system to get food.
[00:18:57] Miki Shifman: Right. You can sit to the train and see a dog next to you without any owner, but that’s okay. That’s common.
[00:19:06] Tom Garrison: Wow. That’s pretty cool. All right, Camille, what’s your fun fact?
[00:19:10] Camille Morhardt: In Norway, in 2009, they started airing this program, Minute for Minute or Bergensbanen. I don’t know how to say that in Norwegian, but they basically put four different cameras on trains. Some were facing out and some facing in. And then, they filmed and broadcast live as trains crossed the country, all different seasons in Norway. Some of it was just great stretches and great expanses of snow, and it would be a seven-hour long broadcast. It would be the whole 134-hour long broadcast of just the train. They moved it to ships later. They had almost 200,000 people watching every episode on average, and one out of every five people in the country of Norway has seen this show and watched the show, 20% of the population. It became very popular.
[00:20:05] Tom Garrison: Cool. That’s very cool. Okay. My fun fact, Britain adopted a standardized time system in 1847, but it took about 40 more years for the United States to do the same thing. We used to run a thing called local time, and that could vary from town to town or even within cities themselves, which made things like scheduled departure time, arrival time a huge problem for the rail system. So, it turns out that major US railways, they met in October of 1883, and they proposed five time zones. On November 18th, they sent out a telegraph. Everybody set their clocks accordingly. From that point forward, we’ve had standardized time across the US. I thought it was pretty cool that it was the rail system that actually propagated the need for standardized time zones across the US.
[00:21:08] Miki Shifman: That’s awesome.
[00:21:09] Tom Garrison: Miki, thank you so much for joining us today. It was great talking about the rail system and trains and security, and I found it very, very interesting. Thanks for joining us.
[00:21:20] Miki Shifman: Thank you very much, Camille. Thank you very much, Tom. I had a great pleasure being here.