Other side of the tracks – spotting intruders on the rail network

When a security assessor asked Paul Stern, then Arriva Trains Wales' (ATW) IT network and security manager, how he could detect attackers on his network, he wasn't sure how to answer. That simple question accelerated a year of security improvements to ensure that the company was able to respond in the affirmative.

The Arriva train network, which is owned by Deutsche Bahn (DB), extends throughout Wales and the border counties of England. ATW's parent company was already in the early stages of driving adherence to the PCI DSS (Payment Card Industry Data Security Standard).

Paul Stern, network operations manager at Arriva Trains

Arriva Trains Wales has since created a centre of excellence with shared IT services for Arriva UK Trains, comprising ATW, XCT (Cross-country Trains) and Arriva Train Care, with Stern appointed network operations manager for all three and still heavily involved in security.

Trains are now considered part of the country's critical infrastructure. The impact of the cessation of services on some lines could be similar to that of ports and power stations.

Stern explained that “at a very high level, governments are worried about the rail infrastructure, including signalling. On the terrorism side it's about what can you do to stop the train, how can you make an impact? And that is of more concern than it used to be. Five years ago it wasn't really a concern, something people hadn't really thought about protecting the infrastructure from.”

Stern says that although his group doesn't look after signalling, it still has the responsibility of managing where each of its 128 trains is. “If you break the signalling, that will stop the trains; if you can't get the train crew on the trains at the right time, you also stop the trains. So we have to maintain our side of the infrastructure.”

He adds, “we've got more and more advanced systems going in that control where the trains are, starting to replace signalling. So there is quite a big threat from that side of things.”

Stern explained that with the rail industry, all the component parts are connected together in some way or another, whether it be via third parties or directly. He says, “it's not just about protecting the borders anymore, it's about protecting key systems, with network categorisation, protecting the data itself.”

Of course there is also the need to protect the brand name; any breach, whether of retail systems or, say, of the company's social media accounts, is considered a financial risk. When a sister company had its Twitter account breached in the past, the issue went straight to the top.

There are always commercial hackers trying to steal financial information such as credit card data. All of ATW's 257 stations have retail systems with firewalls in place. They conduct transactions by credit card and are a target, and so need to comply with the PCI DSS rules for credit card acceptance.

Part of the PCI compliance requirement concerns not just stolen credit card details but how long that collection of credit card data has been going on. Stern adds, “if you have a breach and it has been going on for four weeks you have no way of protecting that – you have to report a breach, and you've got an issue.”

As ATW budgeted to ensure PCI DSS compliance, it started looking for the best solution it could find to give visibility inside its network.

Until recently there had not been much which could give Stern that visibility: “We looked at numerous systems, and [they exist] on the PCs for the PC to report back that something is going on, but on the retail systems, the third party providers won't allow anything on them to be monitored by us.” Stern looked at a number of systems, but found a solution dubbed LightCyber Magna, which worked on both devices and the network, to be the right fit. “And the price was good”, added Stern.

When ATW finally ran a trial of LightCyber, “It was quite scary to see what was going on on the internal network.” Stern went on to give a specific example of data leakage to Facebook, even though the company blocks Facebook and restricts access to a select few.

He told SC, “our company CCTV footage was being uploaded to private email accounts, to Facebook.” Even with 5,000 people on the network, including 2,500 from ATW, the small group permitted to use Facebook made it easy to identify the culprit once the leakage had been spotted.
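The detection described above rests on two facts the article gives: a domain is blocked for everyone except a small allow-list, and the leak showed up as outbound uploads. The following is an added example, not the article's or LightCyber's code, showing how a defender can express that over web-proxy logs: flag any access to the blocked domain by a user outside the allow-list, flag unusually large outbound requests to any host, and total outbound bytes per user so the culprit stands out. The log format, user names, hosts, IP addresses, byte counts and the allow-list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article).
# Fields: timestamp user client_ip method host bytes_out
PROXY_LOG = """\
2016-05-10T09:12:01Z jsmith 10.20.1.15 POST upload.facebook.com 48213990
2016-05-10T09:13:44Z jsmith 10.20.1.15 GET www.facebook.com 1204
2016-05-10T09:20:10Z mjones 10.20.3.7 POST mail.example-webmail.com 73122004
2016-05-10T09:21:00Z abrown 10.20.2.9 GET intranet.example.internal 5310
2016-05-10T09:25:30Z mjones 10.20.3.7 POST upload.facebook.com 2200
"""

# Hypothetical policy: the domain is blocked for all but a few named accounts.
BLOCKED_DOMAINS = {"facebook.com"}
ALLOWED_USERS = {"mjones"}
# Hypothetical threshold: a single outbound request carrying 10 MiB or more.
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<host>\S+) (?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def matches_domain(host, domain):
    """True for the domain itself and any subdomain (upload.facebook.com)."""
    return host == domain or host.endswith("." + domain)


def find_leakage(log_text):
    """Return (alerts, outbound_bytes_per_user).

    Each alert is a tuple (kind, user, host, bytes_out) where kind is
    'policy_bypass' (blocked domain reached by a non-allow-listed user) or
    'large_upload' (POST at or above UPLOAD_BYTES_THRESHOLD to any host).
    """
    alerts = []
    outbound = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        blocked = any(matches_domain(rec["host"], d) for d in BLOCKED_DOMAINS)
        if blocked and rec["user"] not in ALLOWED_USERS:
            alerts.append(("policy_bypass", rec["user"], rec["host"], rec["bytes_out"]))
        if rec["method"] == "POST":
            outbound[rec["user"]] += rec["bytes_out"]
            if rec["bytes_out"] >= UPLOAD_BYTES_THRESHOLD:
                alerts.append(("large_upload", rec["user"], rec["host"], rec["bytes_out"]))
    return alerts, dict(outbound)


def suspects(alerts):
    """Users who reached a blocked domain without being on the allow-list."""
    return sorted({a[1] for a in alerts if a[0] == "policy_bypass"})


if __name__ == "__main__":
    found, totals = find_leakage(PROXY_LOG)
    for kind, user, host, nbytes in found:
        print(f"{kind:14} user={user} host={host} bytes={nbytes}")
    print("outbound bytes per user:", totals)
    print("suspects:", suspects(found))
```

The large-upload rule deliberately ignores the blocked-domain list: the article notes the footage also went to private email accounts, which a domain block alone would never catch, so volume per user is the second signal. The small allow-list does the narrowing that the article describes, turning a 5,000-user network into a one-user question.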

Magna also found ransomware files on a host that had not yet fired and stopped the threat before it even started.

There are firewalls in place with what Stern described as extremely good logging. It is “one of the best systems we could have, with Smart Event”, providing what Stern says is a good indication of what is being attacked and from which country; usually that is China, so China and a few other countries are now completely blocked.

Previously it was not possible to know if a threat was coming from a compromised third party supplier, or a sister company on the same MPNS network.

Stern told SC that just the day before, “on one of our services, a PCI network, flagged up what appeared to be a major security issue. On investigation it was one of our third party suppliers, Fujitsu, doing testing. It was scheduled work, but an apprentice picked it up and we investigated and found it was a false positive, or rather a true reading, but it was good that the system picked it up.”
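The incident above is the classic "true reading, expected cause" case: a supplier's scheduled testing looks exactly like an attack on a PCI segment. The following is an added example, not the article's or ATW's code, of one defensible way to handle it: correlate each alert against a register of scheduled supplier work, matching on time window, source address range and target segment, and annotate the alert rather than suppress it, so an analyst still sees that the system fired. All window records, alert records, supplier names, addresses and times are constructed placeholders; the supplier in the article is not named here because its addresses and schedule are not on the page.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed change-window register (hypothetical; not a real schedule).
SCHEDULED_WORK = [
    {
        "supplier": "SUPPLIER-PLACEHOLDER",
        "start": "2016-05-09T22:00:00Z",
        "end": "2016-05-10T02:00:00Z",
        "source_cidrs": ["203.0.113.0/24"],   # documentation range, constructed
        "target_segment": "PCI-RETAIL",
    },
]

# Constructed alerts as a detection system might emit them.
ALERTS = [
    {"id": 1, "time": "2016-05-09T23:15:00Z", "src": "203.0.113.45",
     "segment": "PCI-RETAIL", "signature": "port scan"},    # inside the window
    {"id": 2, "time": "2016-05-10T03:30:00Z", "src": "203.0.113.45",
     "segment": "PCI-RETAIL", "signature": "port scan"},    # same source, after the window
    {"id": 3, "time": "2016-05-09T23:20:00Z", "src": "198.51.100.7",
     "segment": "PCI-RETAIL", "signature": "port scan"},    # right time, unknown source
    {"id": 4, "time": "2016-05-09T23:25:00Z", "src": "203.0.113.45",
     "segment": "CORP-LAN", "signature": "port scan"},      # right source, wrong segment
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matching_window(alert, windows):
    """Return the first scheduled-work record that fully explains the alert.

    All three conditions must hold: the alert time lies inside the window,
    the alert targets the segment the work was approved for, and the source
    address belongs to one of the supplier's declared ranges. A miss on any
    one of them means the alert is not explained by that work.
    """
    t = parse_ts(alert["time"])
    src = ip_address(alert["src"])
    for w in windows:
        if not (parse_ts(w["start"]) <= t <= parse_ts(w["end"])):
            continue
        if alert["segment"] != w["target_segment"]:
            continue
        if not any(src in ip_network(cidr) for cidr in w["source_cidrs"]):
            continue
        return w
    return None


def triage(alerts, windows):
    """Annotate every alert with a status; nothing is dropped."""
    out = []
    for a in alerts:
        w = matching_window(a, windows)
        out.append({
            **a,
            "status": "expected_scheduled_work" if w else "investigate",
            "supplier": w["supplier"] if w else None,
        })
    return out


def count_by_status(triaged):
    """Summary counts, useful for the weekly 'incidents after false positives' figure."""
    counts = {}
    for a in triaged:
        counts[a["status"]] = counts.get(a["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(ALERTS, SCHEDULED_WORK):
        print(f"alert {a['id']}: {a['status']} supplier={a['supplier']}")
    print(count_by_status(triage(ALERTS, SCHEDULED_WORK)))
```

Alert 2 is the one to notice: the same supplier address scanning the same PCI segment an hour and a half after the approved window ends is not explained by the schedule and stays on the investigate queue. Matching on all three attributes, rather than on source address alone, is what keeps a compromised supplier connection, the threat the article raises in the previous paragraph, from hiding behind a legitimate change ticket.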

Now, Stern and his team can see activity straight away, and they have a company monitoring the network 24 hours a day, seven days a week.

Initially, LightCyber was given to ATW for a month's trial: “It was like someone had pulled a cooker out of the kitchen. We thought – we miss this. Because it did highlight some eyebrow-raising issues on what was going on in the network. It wasn't heart-attack material, but it was something that took us a few weeks to sort out. And we wouldn't have known about it.”

After taking out false positives, ATW ‘probably’ gets one incident per week.

Stern told SC, “we had budget allocated quite some time previously that I wouldn't spend until I saw something that was fit for purpose, that was easy to use, sat on the network, and learned.”

Arriva also uses Checkpoint firewalls across the UK so that the skills required are the same across the group. P2P encryption has recently been put in place on all retail systems and is currently undergoing certification.

All servers are tested and patched monthly, followed by a round of pen testing, and firewalls are used to segregate any part of the network that is deemed to require protection.

LightCyber is the main source of internal behavioural analysis detection, and ATW uses Smart Event on its endpoints, with blades enabled. If it sees anything dodgy it will submit it to the cloud and check it with virtual sandboxing.

Stern told SC: “We have a data breach response plan, but before we implement that we make sure we know what's been accessed, what's been breached, what data's been lost. Then we would get expert advice and then we'd release that.”

ATW doesn't talk to the press or the data protection office until external professional advice has been sought: “The reason for that is going back to TalkTalk where too much information was released to the press before they knew what had happened.”

“Our duty of care is not to the press but to our customers and the bank”, said Stern. And having invested in extending security further into the network, the organisation is confident it is now better placed to discharge that duty while minimising ‘surprises’.
