Last week, multiple reports in Iran indicated that a massive cyberattack was carried out against the country's rail network and several government agencies. According to the reports, Iran’s national rail company halted all railway transportation in the country. Based on these accounts, Amir Levintal, CEO at Cylus, claimed in an interview with Israel Defense that it was an extremely unusual step. "Stopping rail transport in the entire country results in astronomical losses for the operator," explained Levintal.
In addition, Levintal said that, in his opinion, the cyberattack compromised railway signaling systems to some extent. To be clear, rail systems traditionally have two layers: the control layer (operation control center, or OCC) and the operational layer (signaling systems). The first layer controls all train traffic, including the location and timing of departures (also known as "routing"). The second layer is responsible for making sure that trains do not collide with each other. Among other things, the signaling layer includes wireless devices that constantly check the network to make sure that there are no safety hazards on the train tracks throughout the country.
"While the common belief is that rail infrastructure is secure because it is critical infrastructure, the reality is totally different," Levintal explained. "The equipment used in trains has a lifespan of 30 years or more, and most of these systems were not designed to deal with cyberattacks or online manipulation by an external entity. These systems were only designed to solve safety problems."
Forensic investigation? Almost an impossible mission
One question that arises after any cyberattack against a country's critical infrastructure is what was achieved by the attacker. In this case, apparently, the attacker did not achieve much more than headlines. Furthermore, there is a question of whether such an attack is worth the cost. That is to say, the capabilities used by the attackers may be exposed by a forensic investigation, so those capabilities could theoretically be lost.
"In the rail industry, there is zero chance of discovering the origin of such an attack or how it was carried out," claimed Levintal. And he probably knows what he is talking about. Cylus, the company he heads, is one of the only companies in the world that provides forensic tools for rail companies. "We’re talking about solutions that produce logs, mainly ones that are relevant to safety."
"If, for example, an attacker spoofs a device, and issues legitimate commands to other assets, then logs will not be produced. Why? Because the assets will identify those commands as legitimate and authentic. That is the way they were designed. That is another reason why our system records everything. Even if you failed to identify the attack in real time, at least you can carry out a successful forensic investigation and make improvements for the next time."
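The logging gap Levintal describes, as an added toy model that is not part of the interview or of any Cylus product: a signaling asset that accepts any well-formed command from a known device ID writes nothing for accepted commands, while a passive recorder that keeps every frame together with the switch port it physically arrived on can later show one device ID appearing from two different places. Device names, ports and commands are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Frame:
    seq: int
    claimed_src: str   # device ID carried inside the protocol message
    ingress_port: str  # switch port the frame was seen on (observed, not claimed)
    command: str

KNOWN_DEVICES = {"occ-1", "interlock-3", "axle-counter-7"}  # constructed inventory
@dataclass
class SignalingAsset:
    """Accepts any command from a known ID and logs only rejections."""
    log: list = field(default_factory=list)
    applied: list = field(default_factory=list)
    def receive(self, f: Frame) -> bool:
        if f.claimed_src not in KNOWN_DEVICES:
            self.log.append(f"seq={f.seq} rejected unknown src {f.claimed_src}")
            return False
        self.applied.append(f.command)  # looks legitimate, so nothing is logged
        return True

class PassiveRecorder:
    """Keeps every frame together with where it physically arrived from."""
    def __init__(self):
        self.frames = []
    def observe(self, f: Frame) -> None:
        self.frames.append(f)
    def find_identity_conflicts(self) -> dict:
        # One device ID seen on several ingress ports: the asset never wrote this down.
        ports = defaultdict(set)
        for f in self.frames:
            ports[f.claimed_src].add(f.ingress_port)
        return {src: sorted(p) for src, p in ports.items() if len(p) > 1}

# Constructed traffic: frame 4 claims interlock-3's ID but arrives on unused port p9.
TRAFFIC = [
    Frame(1, "occ-1", "p1", "route:set:A12"),
    Frame(2, "interlock-3", "p2", "block:clear:S4"),
    Frame(3, "axle-counter-7", "p3", "occupancy:S4:free"),
    Frame(4, "interlock-3", "p9", "block:clear:S5"),
]

def run(traffic=TRAFFIC):
    asset, rec = SignalingAsset(), PassiveRecorder()
    for f in traffic:
        rec.observe(f)
        asset.receive(f)
    return asset, rec
```

After `run()`, the asset's own log is empty even though all four commands were applied, while the recorder's conflict report points at the frame an investigator would want to examine.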
According to Levintal, whoever the attackers were, they did not "waste" their capabilities. There is zero chance that the Iranians knew what happened and how it happened. Therefore, they will not be able to patch breaches or vulnerabilities used by the attackers. Based on this, it is possible, or at least it cannot be ruled out, that the attack was carried out to test capabilities.
"In the Iranian case, according to open-source reports, all of the trains, both military and civilian, were shut down. It means that a potential attacker could, during a conflict, disrupt mobilization of reserves, transportation of supplies, and much more. In light of this, the attack may have been a signal by someone to the Iranians," Levintal explained.
"Since it is extremely difficult or impossible for a railway company to know what happened on a network level, it is doubtful that the Iranians will be able to patch the vulnerabilities that enabled the incident in the first place. Thus, the attackers didn’t risk anything from a technological and operational perspective."
Another technical question related to the attack is what happens if, for example, an attacker only takes action against a single rail line. Levintal explained that train networks are set up in such a way that a single anomaly will automatically shut down train operations. "Safety above all," said Levintal. "If, for example, an attacker jams wireless communications in a specific rail segment, the train will automatically stop. But it will not shut down the entire rail network. And this kind of attack can be discovered relatively easily because it is pinpointed."
In conclusion, Levintal asserted that railway cybersecurity is a challenging task, to say the least, especially in Iran, which has for many years been under sanctions that prevent it from acquiring Western products to upgrade its computer network and the train network's communications.
In general, according to Levintal, rail networks are mostly unsegmented and composed of components that were not designed to generate logs or deal with external threats. They also have high maintenance costs that require operators to keep the trains running at almost all times, except in unusual cases like the one that apparently occurred in Iran last week.