It’s striking how few engineers in any industry seem to have a seat at the table when cyber vulnerabilities or related control system issues are discussed.
May 25, 2023, I gave a presentation to the American Public Transportation Association’s (APTA) Enterprise Cybersecurity Working Group (ECSWG) and Control and Communications Security Working Group (CCSWG) teleconference on "Undetected ICS Cyber Incidents". The general status was the same as for oil/gas, electric, nuclear power, water/wastewater, medical devices, etc. That is, the focus being on the Internet protocol (IP) networks with the primary attendance from network security personnel with very few, if any, engineers participating. The lack of engineering participation was echoed by one of the few engineers on the call.
As the meeting was for surface transportation, the control system cyber-related events included incidents at pipelines, railroads, and roadways that have killed and injured many yet were not publicly identified as being cyber-related with one exception. The one exception was the 2009 DC Metro Red Line train crash because I was public about the incident being control system cyber-related (the same issues affected the Boston MBTA the evening before). As a result, the Transportation Research Board (TRB) formed a panel of experts to provide guidance on cyber security for mass transit. There were less than five engineers (me included) on the panel of 19 people. The consultant TRB selected to prepare the industry guidance had no expertise on control system cyber security even though the causes of the Red Line train crash were control system cyber issues. Despite the chief signals engineer from a mass transit agency who was on the panel and my protestations, the final report, “Protection for Transportation Infrastructure from Cyber Attacks, A Primer” was on IT issues and excluded the control system issues that caused the Red Line crash. In 2016, TRB held a webinar for the consultant to deliver the final report. On that TRB webinar, the consultant stated that "unfortunately, control systems are still under control of engineers”. I wish I could say things have changed since 2016.
This trend of focusing on IT networks and ignoring the engineering aspects is continuing. This is disconcerting as some of the most significant surface transportation cyber incidents and vulnerabilities are not addressed by TSA cyber security requirements or APTA cyber security recommendations as these incidents were caused by engineering not network issues. TSA earlier confirmed the lack of engineering participation in pipeline cyber security requirements which explains why pipeline ruptures caused by engineering issues are not being addressed. Control system cyber-related incidents in surface transportation continue to occur. Most of the surface transportation cyber-related incidents were malicious.
Surface transportation cyber-related incidents
- Olympic Pipeline Bellingham, WA gasoline pipeline rupture, PG&E San Bruno, CA natural gas pipeline rupture, and many other cyber-related pipeline ruptures that killed and injured many and made PG&E a convicted felon.
- Mass transit station smoke inhalation incident that killed one and injured many.
- Tunnel closure when ventilation, lighting, and signals controlled by a computer system failed.
- Bridge closure because of sensor failure.
- Controller failure that affected all traffic lights.
- Mass transit train with runaway automated speed control stopped by the train operator before a devastating crash.
- Freight train derailments due to hot box detector anomalies.
- Train crashes because of signal failures killing and injuring many.
- More than 17 million vehicles had their fuel and emissions controllers compromised.
- More than 360 over-the-road diesel trucks had their diesel engines remotely reprogrammed.
Surface transportation control system cyber vulnerabilities
- There are at least ten vendors supplying remote diagnostics for diesel train engines some of which may not be secure.
- Electric trains may be using compromised electric equipment such as transformers from adversarial nations.
- Automated track equipment such as signaling and switching may have compromised components from adversarial nations.
- Buses, whether diesel or natural gas, use insecure process instrumentation for fueling and safety monitoring.
- Fire suppression equipment uses insecure process instrumentation.
- Positive Train Control (PTC) is not cyber secure for freight, passenger rail, or mass transit.
- On-Board Diagnostics (OBD) ports are cyber vulnerable.
I was gratified to hear that one of the Working Groups is developing a white paper on system safety and cyber security. However, the attendees were unaware of the work ongoing in the International Society of Automation (ISA) 84.09 – “Cyber Security Related to the Safety Lifecycle”. In my opinion, the ISA84.09 work is the most comprehensive work on cyber security and safety being done anywhere. As a result, this work is being shared with other industries. For example, briefings were provided to the nuclear power industry. The same sharing can be done for surface transportation as surface transportation utilizes much of the same equipment as used in the process industry.
There was a discussion on vendor procurement specifications and using CISA procurement language. However, there is no procurement language in any industry for control system field devices. Given there are no cyber secure or authenticated control system field devices, there was also no discussions about the need for compensating controls. That is, the need for appropriate training, policies, and procedures for technologically insecure devices.
Surface transportation control system cyber incidents are not just a US issue. Similar control system cyber incidents have occurred in Europe, Australia, China, Singapore, and South America with tunnel systems, autonomous vehicles, rail and mass transit incidents, pipeline ruptures, etc. The June 2, 2023 derailment in eastern India that killed at least 288 people and injured more than 800 (information dated 6-4-23) was caused by an “error” in the electronic signaling and switching system that led a train to wrongly change tracks and crash into a freight train and then be hit another passing passenger train. According to information as of 6/4/23, detailed investigation will reveal whether the error was human or technical. To a question whether the crash could be a case of sabotage, "nothing is ruled out.”
As mentioned in a previous blog, cyber incident response starts with the assumption that you can recognize a control system cyber-related event as being a cyber event. None of the above cyber-related cases were identified by the industry as being cyber-related. Globally, there have been more than 17 million control system cyber incidents that have killed more than 34,000 yet most of the incidents were not identified as being cyber-related. As previously mentioned, there is no training for the engineers to recognize an event as being cyber-related and these events are generally not seen on IP networks.
Recommendations
Engineering needs to be involved in cyber security for mass transit. Training needs to be developed specifically for control system field devices. Tabletop exercises and training programs need to address the control system cyber-related incidents that have occurred. Procurement guidelines and certification need to be developed for control system field devices. Executives and Boards of Directors need to understand that cyber threats are more than ransomware and IT malware and not addressing control system cyber issues can result in catastrophic incidents that can, and have, killed people.
