Member Article: Cervello’s Important Considerations When Building a Rail Cybersecurity Incident Response Plan

By Cervello, an RSI Member Company

The importance of developing a rail cybersecurity incident response plan cannot be overstated—and not only because having one is now a TSA cybersecurity requirement.

Building a robust response plan is fundamental to ensuring operational continuity and passenger safety in the event of a cyberattack. An expertly designed cybersecurity response playbook provides the protocols, actions, and processes for mitigating incidents that target the rail’s unique and mission-critical assets, such as signalling systems and telecommunications.

But that’s not all. Carrying out an effective rail cybersecurity incident response plan requires a high degree of coordination and collaboration between various stakeholders. After all, it is people who will ultimately execute the playbook and resolve the situation.

The challenge is that not all stakeholders who are tasked with responding to cyber events are familiar with the cybersecurity terminology, risks, threats, and possible outcomes. Unlike other types of disruptive operational events, in which the cause is more tangible, some stakeholders don’t know how to perform their responsibilities properly during cyber attacks. 

To build a meaningful cybersecurity response plan, you need the ability to improve both team readiness and cross-collaboration, but also, to investigate an attack in real-time and assess its potential operational impact. For rails, in which operational continuity and safety go hand-in-hand, this is crucial.

In this article, we cover three important considerations when developing a rail cybersecurity response plan.

Complete visualization provides essential context to remediation guidance

The next cyberattack is not a matter of if, but when. Yet not every attack is the same. Therefore, those tasked with responding to suspicious activity need to be prepared to tailor their response. The only way to do so is with the right knowledge, visibility, and forensics.

Where did the breach occur, and what’s the attacker’s potential path deeper into your internal systems? Which connected operational, mission-critical assets are now at risk? What actions do rail operators and infrastructure managers need to take to quickly mitigate damage, ensure business continuity, and keep passengers safe?

Without clear visibility into the entire rail ecosystem and real-time threat investigation, it’s impossible to understand the severity of an attack, its potential impacts on operations, and eventually how to respond properly.

Threat forensics enables an accurate and effective response

Threat detection is the first stage of any response plan—you can’t respond to what you don’t detect.

Once a threat is detected, all of the data needs to be gathered passively and non-intrusively by a rail-centered cybersecurity solution in order to perform detailed cybersecurity forensics to guide the investigation into what happened before, during, and after the attack.

The forensics report includes a complete threat profile of the attack, including the type of affected assets, functions and connectivities, and event logs.

This information allows those responsible for executing the cybersecurity incident response plan to understand the scale and scope of the attack, as well as the potential operational impacts.

Communication is the key to executing a truly coordinated response

Effective collaboration and a high degree of coordination are integral to efficiently responding to a cybersecurity threat. By establishing a CSOC, led by a CISO, you will have the necessary structure and expertise to carry out a coordinated rail cybersecurity incident response plan, in which every stakeholder understands their role and responsibilities.

A CSOC (cybersecurity operations center) is a centralized unit that is responsible for continuously monitoring the rail organization’s security posture. It is the command post that sits at the center of your IT and OT infrastructure, including your networks, communication and signalling systems, devices, and rolling stock, and combines the knowledge of cybersecurity experts and rail managers.

When threats arise, cybersecurity experts in the CSOC will be the ones leading the response plan to resolve them. Guided by a cybersecurity incident response playbook, CSOC members will dispatch optimized guidance to all relevant stakeholders to quickly resolve the threat and maintain operations. 

Swift remediation depends on both technology and people

We all know that it’s not if an attack will occur, but when. In addition to having a proven remediation playbook, continuous asset mapping and monitoring, as well as threat investigation capabilities, are vital to attack preparedness.

When an attack does occur, effective remediation requires both technical know-how as well as predefined systems of communication so every relevant stakeholder can respond with confidence.

About Cervello

Cervello is a trusted railway cybersecurity leader dedicated to ensuring railway safety, reliability, and business continuity for railway organizations globally.

Our unique, zero-trust and yet fully passive cybersecurity solution provides a complete contextual representation of the operational activity and continuously monitors the railway’s mission-critical assets, enabling railway operators and infrastructure managers to mitigate threats as they arise and avoid disruption — all without interfering with the highly sensitive and complex railway infrastructure.

Railway organizations rely on Cervello to secure both their legacy and modern systems so that they can continue to operate safely.”

For a more complete version of this article, visit the Cervello resource center here.