1
00:00:05,240 --> 00:00:08,519
Someone could potentially just go to the
toilet, in a place that is not monitored

2
00:00:08,560 --> 00:00:11,560
at all because there are no cameras, and of course inside the toilet you

3
00:00:11,560 --> 00:00:25,440
cannot put them there, and manipulate something
inside the train network. Welcome everyone to

4
00:00:25,480 --> 00:00:30,079
the Industrial Security Podcast. My name
is Nate Nelson. I'm sitting as usual

5
00:00:30,120 --> 00:00:35,479
with Andrew Ginter, the vice president
of Industrial Security at Waterfall Security Solutions.

6
00:00:35,920 --> 00:00:39,359
Andrew's going to introduce the subject and
guest of our show today. How's it

7
00:00:39,399 --> 00:00:43,159
going? I'm very well, thank
you, Nate. Our guest today is

8
00:00:43,240 --> 00:00:49,000
Miki Shifman. He is the chief
technology officer and co-founder at Cylus, and

9
00:00:49,159 --> 00:00:55,799
our topic is cybersecurity for rail systems:
harder than it sounds. Okay, well,

10
00:00:55,840 --> 00:01:00,679
then, without further ado, here's
you and Mickey. Hello, Mickey,

11
00:01:00,719 --> 00:01:03,159
and you know, welcome to the
podcast. Thank you for joining us.

12
00:01:04,159 --> 00:01:07,519
Before we get started, can you
say a few words about yourself and

13
00:01:07,719 --> 00:01:11,439
about the good work that you're doing
at Cylus. Hey, Andrew, thank

14
00:01:11,480 --> 00:01:14,879
you for having me. It's a
pleasure to be on the podcast. I'm

15
00:01:14,840 --> 00:01:19,159
a little excited towards it. So
my name is Miki Shifman and I'm CTO

16
00:01:19,239 --> 00:01:25,040
and co-founder at Cylus. We
founded Cylus in twenty seventeen. Prior to

17
00:01:25,120 --> 00:01:30,120
founding Cylus, I served as an
officer in an elite technology unit in the Israel

18
00:01:30,239 --> 00:01:37,000
Defense Forces and dealt mainly with cybersecurity, communications systems, embedded systems and everything

19
00:01:37,040 --> 00:01:45,840
in between. Within Cylus I'm overseeing product
and technology, and at Cylus, our mission

20
00:01:46,040 --> 00:01:51,000
is to protect railway systems all around
the world from cyber threats. We'll explain

21
00:01:51,079 --> 00:01:56,799
later on why it is even a
topic. And other than my work at

22
00:01:56,799 --> 00:02:01,920
Cylus, I'm also contributing to various
cybersecurity working groups in the rail field worldwide.

23
00:02:02,879 --> 00:02:07,359
The latest is actually an IEC group
that is currently working on developing the

24
00:02:07,400 --> 00:02:13,879
latest standard for rail cybersecurity, something
that should be drafted, sorry, published

25
00:02:14,479 --> 00:02:19,400
over the next year, and we're looking
forward to it as it's supposed to be an

26
00:02:19,439 --> 00:02:24,280
important milestone for rail security worldwide.
And our topic today is trains. It's

27
00:02:24,360 --> 00:02:30,159
rail system cybersecurity. We've had a
couple of guests on the show some time

28
00:02:30,240 --> 00:02:34,280
ago talking about rail systems.
Can you remind us, you know,

29
00:02:34,400 --> 00:02:38,039
what is a modern train? How
does it work? How's it automated?

30
00:02:38,800 --> 00:02:43,479
Yeah, So before digging into how
the trains actually work, I want to

31
00:02:43,479 --> 00:02:46,080
put like a few facts here just
for the audience to get more familiar with

32
00:02:46,120 --> 00:02:53,599
the operating constraints. So first is
that trains can operate at speeds that are

33
00:02:53,759 --> 00:03:00,719
over three hundred kilometers per hour and
have a stopping distance of one kilometer and

34
00:03:00,800 --> 00:03:07,039
more, sometimes. The reason I'm
mentioning that is to explain that only automation

35
00:03:07,120 --> 00:03:12,319
can enable that, because a normal driver
cannot really see at such a distance,

36
00:03:12,599 --> 00:03:15,639
and of course at such a speed
you cannot really notice the state of the

37
00:03:15,719 --> 00:03:19,599
signals, so you need to have
something that transmits the information to the cab

38
00:03:19,680 --> 00:03:24,439
or makes decisions on your behalf.
A second thing is that you have more

39
00:03:24,439 --> 00:03:30,479
and more services for passengers, and
that results in modern trains, and of

40
00:03:30,479 --> 00:03:38,960
course the safety constraints and the requirements
for high availability. Trains now many times

41
00:03:38,000 --> 00:03:44,280
have hundreds of connected devices in a
single train and they communicate with each other

42
00:03:44,680 --> 00:03:49,759
through safety-critical and non-safety-critical
communications. Other than that, you have

43
00:03:49,800 --> 00:03:54,120
wireless links, so a train operator
can sometimes have a huge wireless network.

44
00:03:54,719 --> 00:04:03,639
In Europe it's GSM-R; for positive train control, they use many times the two hundred

45
00:04:03,639 --> 00:04:11,599
and twenty megahertz radios, and other signaling
systems have other wireless modes of communications,

46
00:04:11,599 --> 00:04:15,199
such as CBTC, which is used
for metros, and many times uses just Wi-Fi,

47
00:04:15,240 --> 00:04:20,680
and all of them together as a
single system cause the train to be heavily

48
00:04:20,680 --> 00:04:25,480
reliant on technology, and this technology is
very proprietary and used only in rail.

49
00:04:29,199 --> 00:04:32,240
Let me jump in here and give
just a bit of background. Miki,

50
00:04:32,319 --> 00:04:38,480
you used the word signaling a couple
of times. In the old days,

51
00:04:39,240 --> 00:04:46,800
what was signaling? In my dim understanding
of it, it was an electrical process.

52
00:04:46,839 --> 00:04:53,040
If a train was on a segment
of tracks, it closed an electrical

53
00:04:53,040 --> 00:04:56,720
connection between the two tracks, and
so you could sense that, hey,

54
00:04:57,000 --> 00:04:59,240
you know, there's a train on
the tracks, or you know, I

55
00:04:59,240 --> 00:05:01,639
suppose a metal bar could have faked
it out, but you've got you've got

56
00:05:01,639 --> 00:05:04,800
electricity, you know, a small
amount of it, a signal moving from

57
00:05:04,839 --> 00:05:10,639
one track to the other. And
this told the you know, a light

58
00:05:11,000 --> 00:05:14,240
at the beginning of that segmented track
to go red, saying there's a train

59
00:05:14,279 --> 00:05:16,879
on the track, you have to
stop. And it was, you know,

60
00:05:17,279 --> 00:05:21,879
similarly electrically connected to the previous segmented
track, so that the light at

61
00:05:21,879 --> 00:05:29,040
the beginning of the previous segments went
yellow, so that an engineer driving another

62
00:05:29,120 --> 00:05:32,639
train sitting in the locomotive coming up
on a segmented track. If that engineer

63
00:05:32,639 --> 00:05:36,519
saw a green light, and I
might have the colors wrong, but let's

64
00:05:36,600 --> 00:05:41,279
use the traffic light, you know, convention. If the engineer saw a

65
00:05:41,279 --> 00:05:44,920
green light, knew that the next
two segments of track ahead of them were

66
00:05:45,759 --> 00:05:47,360
you know, clear. If they
saw a yellow light, they knew that

67
00:05:47,399 --> 00:05:50,319
the next segment ahead was clear and
the one after was not. If they

68
00:05:50,319 --> 00:05:55,120
saw a red light, it was
stop stop, Now you've got something on

69
00:05:55,160 --> 00:06:00,040
the tracks ahead of you. This
was old school and it relied on the

70
00:06:00,120 --> 00:06:05,519
reflexes and the attention of the engineer. Nowadays it's all been automated and the

71
00:06:05,879 --> 00:06:12,519
buzzword is positive train control. You
know. Train control basically means you get

72
00:06:12,560 --> 00:06:16,959
a signal from computers saying which tracks
are clear, which tracks have locomotives on

73
00:06:17,000 --> 00:06:21,600
them, are you know, trains
on them, and the computer in the

74
00:06:21,800 --> 00:06:27,800
in the locomotive it brings the locomotive
to a stop if if it needs to.

75
00:06:29,360 --> 00:06:35,240
Positive train control means that it's it's
not a stop signal that is sent

76
00:06:35,439 --> 00:06:42,319
to the locomotive by the computers.
It is a go signal. And if

77
00:06:42,399 --> 00:06:46,800
the computer in the locomotive ever fails
to get a go signal in a given

78
00:06:46,800 --> 00:06:50,160
amount of time, it immediately stops. That's what the positive in the positive

79
00:06:50,160 --> 00:06:57,319
train control means. It means you
continue moving only if you continue getting a

80
00:06:57,360 --> 00:07:00,839
positive signal saying the track ahead was
clear. So this is sort of the

81
00:07:01,519 --> 00:07:09,759
modern world that it's all automated.
These are safety critical environments. There's there's

82
00:07:09,959 --> 00:07:14,120
challenges in terms of you know,
being able to see what's coming down the

83
00:07:14,160 --> 00:07:17,560
track, you know, stopping these
these very large, very fast trains if

84
00:07:17,680 --> 00:07:24,639
if there's an issue. How does
that relate to cybersecurity? We know what

85
00:07:24,639 --> 00:07:30,160
what are sort of the unique challenges
for cybersecurity in the rail systems. Yeah,

86
00:07:30,240 --> 00:07:34,000
so the main aspect of a rail
system that is quite unique is the

87
00:07:34,079 --> 00:07:39,560
long life cycle. So a train
can be operated for thirty years. I usually

88
00:07:39,680 --> 00:07:43,319
give the analogy of like we can
think of what we knew about cybersecurity thirty

89
00:07:43,399 --> 00:07:46,720
years ago, and that would approximately
be the level of security that exists in

90
00:07:46,759 --> 00:07:51,759
many of the current trains that are
in operation. The other thing is safety.

91
00:07:53,040 --> 00:08:00,240
So to achieve this high level of
safety and making trains the safest form of

92
00:08:00,279 --> 00:08:05,480
transport, you need to have a
lot of constraints, and many times those

93
00:08:05,519 --> 00:08:13,079
constraints come in conflict with
security. So just an example, in

94
00:08:13,120 --> 00:08:16,920
many countries, in order to patch
a device on a train or a safety

95
00:08:16,959 --> 00:08:20,319
critical network, you need the government
to sign off the patch, and that

96
00:08:20,360 --> 00:08:26,839
can take just months of approval from
the time that you even have the patch

97
00:08:26,920 --> 00:08:30,839
available, sometimes years. Sometimes you
just don't touch it because it's so hard

98
00:08:30,920 --> 00:08:33,879
to change and you don't want to
go through this costly process of updating.

99
00:08:35,159 --> 00:08:41,600
The other is that train manufacturers and
the technology used in trains

100
00:08:41,600 --> 00:08:46,799
are many times really dedicated to the
rail industry, so they're not used in

101
00:08:46,840 --> 00:08:50,919
other industries. You have technologies that
have just been developed for a single industry,

102
00:08:52,679 --> 00:08:56,639
and the know-how in the industry
doesn't necessarily contain a lot of cybersecurity.

103
00:08:56,039 --> 00:09:01,759
It's mainly around safety and operations because
these used to be the core values of

104
00:09:01,799 --> 00:09:07,159
those systems. Other than that,
you have passengers on those trains, so

105
00:09:07,200 --> 00:09:13,639
although it's a critical infrastructure, it
has high interfaces with the public and people

106
00:09:13,679 --> 00:09:20,159
can be on trains, they're in stations. Trains are moving, so they're not

107
00:09:20,240 --> 00:09:26,519
in a fixed location that you can
kind of like protect or put walls just

108
00:09:26,600 --> 00:09:31,240
to protect it, and all of
those are quite significant challenges that the industry

109
00:09:31,279 --> 00:09:37,759
works around in order to improve the
security of those systems. So a clarifying

110
00:09:37,840 --> 00:09:43,399
question, you know, it
sounds like you're saying, if, you know,

111
00:09:43,399 --> 00:09:48,559
when passengers come into a transit, uh, you know, car or, you know,

112
00:09:50,240 --> 00:09:54,000
a commuter car. It sounded like
you're saying, some of the computers,

113
00:09:54,000 --> 00:09:58,519
are they're exposed or are the networks
exposed? In what sense is this

114
00:09:58,559 --> 00:10:05,200
automation exposed to the public, and how
big a problem is it? Indeed, of

115
00:10:05,240 --> 00:10:09,200
course not in all cases. In
many cases it isn't. Indeed, there

116
00:10:09,240 --> 00:10:11,000
are cabinets that are exposed to the
public, and I can give a few

117
00:10:11,000 --> 00:10:16,000
examples, and some of them you
can see them in train stations. They

118
00:10:16,080 --> 00:10:20,840
use just a key that everyone can
buy online and you can see them like

119
00:10:22,039 --> 00:10:26,120
monitors on trains and as I mentioned, in the stations themselves that are like

120
00:10:26,200 --> 00:10:30,360
that, and someone could potentially abuse them. The other example, which is a

121
00:10:30,360 --> 00:10:35,080
bit more, let's call it exotic,
was something that we saw on some trains, that

122
00:10:35,120 --> 00:10:45,080
apparently the toilet computers or the systems
that are responsible for mentioning the state of

123
00:10:45,120 --> 00:10:50,320
the toilet to the passengers like whether
they're occupied or not. They're connected to

124
00:10:50,360 --> 00:10:56,080
the network of the train and they
are just communicating in a bus with all

125
00:10:56,159 --> 00:11:01,240
the other devices in the network.
One interesting thing about it is that sometimes

126
00:11:01,240 --> 00:11:07,159
either their controller or other controllers,
there are architectures in which they are located

127
00:11:07,200 --> 00:11:11,639
inside the toilet cabinet, for example, behind the mirror, and in such

128
00:11:11,720 --> 00:11:16,279
cases, someone could potentially just go
to the toilet, a place that is not

129
00:11:16,320 --> 00:11:20,679
monitored at all because there are no
cameras, and of course inside the toilet

130
00:11:20,720 --> 00:11:24,320
you cannot put them there, and manipulate
something inside the train network. So this

131
00:11:24,440 --> 00:11:33,159
is actually a scenario that we've seen
happening at least in some attack simulations,

132
00:11:33,200 --> 00:11:41,200
and it could actually be executed by
ones similar to those attackers. Let

133
00:11:41,240 --> 00:11:45,720
me give you just a little background. In my understanding, modern passenger trains

134
00:11:46,000 --> 00:11:52,799
have not one network automating the train, but three of them. There is

135
00:11:52,799 --> 00:11:56,559
obviously the control network where the positive
train control happens, you know, and

136
00:11:56,679 --> 00:12:03,679
other kinds of control functions on the
on the vehicle. There is the entertainment

137
00:12:03,720 --> 00:12:07,840
network. Because a lot of the
modern trains have Wi-Fi. They might

138
00:12:07,120 --> 00:12:11,279
have an Internet connection. You know
that you do or don't have to pay

139
00:12:11,320 --> 00:12:16,039
for. They might have movies you
can watch on on long rides. And

140
00:12:16,080 --> 00:12:20,039
you know, of course people are
connecting their cell phones and their laptops and

141
00:12:20,039 --> 00:12:24,600
their tablets to these these entertainment networks. And there's what's called a comfort network

142
00:12:26,000 --> 00:12:31,120
which is focused on you know,
automation that involves the comfort of passengers,

143
00:12:31,200 --> 00:12:35,679
like are the washrooms occupied, what's
the temperature in the cabin? You know,

144
00:12:35,720 --> 00:12:39,360
control the air conditioning, you know, control the I don't know the

145
00:12:39,399 --> 00:12:43,759
if you've got on the truly modern
cars, the you know, the opaqueness

146
00:12:43,799 --> 00:12:48,039
of the windows so that the sun
isn't blasting in on you, you know,

147
00:12:48,120 --> 00:12:50,799
the lighting if it's if it's at
night, this kind of thing.

148
00:12:52,000 --> 00:12:56,120
So and these networks you generally want
to see, you know, want you

149
00:12:56,159 --> 00:12:58,080
want your passengers to be able to
see where you are. And you know,

150
00:13:00,279 --> 00:13:03,960
very small amount of information that's coming
out of the control network that's tracking

151
00:13:03,120 --> 00:13:09,039
location and other aspects. You know, are we late? You generally

152
00:13:09,200 --> 00:13:13,799
want passengers to at least be able
to see what's going on comfort wise,

153
00:13:13,840 --> 00:13:18,200
so they know, you know,
which which restrooms are are available on how

154
00:13:18,240 --> 00:13:22,519
many cars they got to hike down
to find one. But you know,

155
00:13:22,600 --> 00:13:26,480
you should at least have firewalls,
if not, you know, unidirectional

156
00:13:26,519 --> 00:13:31,720
communications between the more critical networks and
the and the less critical networks, certainly

157
00:13:31,759 --> 00:13:37,720
and the entertainment network. Older,
older systems, older rolling stock may not

158
00:13:37,879 --> 00:13:43,480
have these distinctions, you know,
they may have mixed up some of these

159
00:13:43,519 --> 00:13:48,480
networks that are more separate on the
newer stuff. It's it's a mixed bag

160
00:13:48,519 --> 00:13:54,559
out there. The kinds of trains
that I've had experience riding do not appear,

161
00:13:54,639 --> 00:13:58,039
at least from the passenger perspective,
to have all of these comforts and

162
00:13:58,080 --> 00:14:05,240
amenities. Is this common? I
believe it's common in the newer vehicles,

163
00:14:05,279 --> 00:14:09,519
the newer rolling stock. But uh, you know, A, if it's

164
00:14:09,559 --> 00:14:13,440
not there, you know, sorry
for you. It would be nice to

165
00:14:13,440 --> 00:14:16,000
have a movie on the ride,
you know. B, if it's not there,

166
00:14:16,080 --> 00:14:20,440
it also means you don't have any
of these risks because it's not there.

167
00:14:20,639 --> 00:14:26,399
So you know, it's a mixed
it's a mixed blessing. It reminds

168
00:14:26,440 --> 00:14:31,960
me that very recently we had a
scenario in Poland where we saw a bunch

169
00:14:31,000 --> 00:14:39,120
of trains, like twenty of them
I think, suffered emergency stops because of some

170
00:14:39,200 --> 00:14:43,919
hacking attempt. Can you give us
the details there what happened there? Yeah,

171
00:14:43,960 --> 00:14:48,440
so, according to what's known to
the public, what happened there was

172
00:14:48,519 --> 00:14:56,240
that there is a legacy system that
is used for train communications in Poland,

173
00:14:56,279 --> 00:15:03,799
and this system is receiving or capable
of receiving wireless signals and those signals are

174
00:15:03,840 --> 00:15:09,320
effectively sub tones, and a specific
sequence of those sub tones can make a

175
00:15:09,360 --> 00:15:15,799
train stop and that's by definition,
by design. So I want to talk

176
00:15:15,840 --> 00:15:18,600
about a few points related to this
case. One of them is the use

177
00:15:18,639 --> 00:15:24,039
of wireless communication. It's not very
trivial that critical infrastructure uses wireless communication

178
00:15:24,279 --> 00:15:30,480
as heavily as rail, and that's a
unique attack vector in rail networks that should be

179
00:15:30,519 --> 00:15:33,720
secured as much as possible, not
necessarily. There's a lot of things you

180
00:15:33,759 --> 00:15:39,320
can do in such a situation,
but it's something to be considered here.

181
00:15:39,320 --> 00:15:41,639
Specifically, it's a very old system. But even if it would be replaced

182
00:15:41,679 --> 00:15:46,279
with a newer system, those systems
also rely on wireless communication. And these

183
00:15:46,279 --> 00:15:52,159
are also digital wireless communication, so
it's even more susceptible to attacks because you

184
00:15:52,159 --> 00:15:58,279
can do many more things. Many times those wireless communication links are

185
00:15:58,320 --> 00:16:04,799
not properly encrypted, or using old encryption
or no encryption at all, and these

186
00:16:04,840 --> 00:16:11,039
are, in defense, things that should definitely be looked at. And protocols like ERTMS or CBTC,

187
00:16:11,240 --> 00:16:19,120
there are different potential security challenges there.
The other thing is more related to, let's

188
00:16:19,120 --> 00:16:25,480
say motivation, and that's something that
we're seeing now along those geopolitical disputes.

189
00:16:25,519 --> 00:16:33,440
But rail systems are a high-quality target
for threat actors, and the people within the

190
00:16:33,480 --> 00:16:41,759
rail company, the operators, they
are responsible for ensuring that the public is

191
00:16:41,840 --> 00:16:48,519
secure in those systems. And what
we are unfortunately seeing here is threat actors

192
00:16:48,559 --> 00:16:52,879
are increasingly setting their sights
on those rail systems and showing the motivation

193
00:16:52,919 --> 00:16:57,039
to attack them, and in my
opinion, it should be a wake up call

194
00:16:57,120 --> 00:17:03,079
to make people in the industry treat it, not
necessarily looking at security, not necessarily in

195
00:17:03,079 --> 00:17:07,920
this case. By the way, that's
just an example of one company that got
just an example of one company that got

196
00:17:07,000 --> 00:17:12,480
targeted, not necessarily even by cyber attacks, but over wireless radios. But in

197
00:17:12,559 --> 00:17:18,640
general in the industry, I think
that we should look at the fact that

198
00:17:18,880 --> 00:17:23,599
threat actors are actually looking at and
inspecting those systems and they can be aware

199
00:17:23,640 --> 00:17:30,319
of many of the specifications and these
systems definitely should be treated with security in

200
00:17:30,359 --> 00:17:37,960
mind. The latest numbers in the
twenty twenty three Threat Report on OT cyber

201
00:17:37,000 --> 00:17:41,759
incidents show that the threat environment has
changed fundamentally. At the beginning of this

202
00:17:41,839 --> 00:17:48,319
decade, OT cyber attacks with physical
consequences have changed from a theoretical problem to

203
00:17:48,400 --> 00:17:52,920
a very real problem, more than
doubling every year. The new report is

204
00:17:52,960 --> 00:17:57,759
focused on deliberate cyber attacks in the
public record. These are attacks that cause

205
00:17:57,839 --> 00:18:03,759
physical consequences in process industries and discrete
manufacturing. Most of these attacks are ransomware,

206
00:18:04,000 --> 00:18:08,599
though the fraction of activist attacks is
growing, and the report's appendix includes

207
00:18:08,640 --> 00:18:14,559
a complete list of all cyber attacks
since Stuxnet that meet these criteria.

208
00:18:14,720 --> 00:18:18,559
To see how today's OT cyber threat
environment has changed, I invite you to

209
00:18:18,599 --> 00:18:22,799
download the report, a joint effort
between Waterfall Security and the ICS STRIVE OT

210
00:18:23,000 --> 00:18:30,720
Incident Repository. You can download the
report at waterfall-security.com/2023-threat-report,

211
00:18:30,720 --> 00:18:34,839
or just go to the resources menu

212
00:18:34,960 --> 00:18:41,799
at the Waterfall Security site and click
on White Papers and eBooks. So,

213
00:18:41,960 --> 00:18:45,680
Miki, let's talk about wireless communications
for just a minute. Most heavy industry

214
00:18:47,160 --> 00:18:52,480
is deeply suspicious of wireless, any
kind of wireless. You know why?

215
00:18:52,960 --> 00:18:57,759
I'll, you know, it's because cell phones
are walking wireless attack vectors, among other

216
00:18:57,799 --> 00:19:00,759
reasons. You know, how does
that work? Imagine that you know your

217
00:19:00,759 --> 00:19:07,640
pizza delivery guy has downloaded a trojan
game, delivers pizzas into a refinery or

218
00:19:07,640 --> 00:19:12,119
a power plant, and the trojan
game, while it's inside the power plant

219
00:19:12,119 --> 00:19:18,319
is scanning for Wi-Fi networks and
reporting their geographic location to a command and control

220
00:19:18,359 --> 00:19:22,440
center. Now the bad guys decide
they want to target a particular power plant

221
00:19:22,240 --> 00:19:26,400
they know in their database. They've
got, I don't know, six Wi-Fi networks

222
00:19:26,440 --> 00:19:30,559
in that plant. One of them
has the name Control, the other one

223
00:19:30,599 --> 00:19:33,559
has you know, suggestive names.
They launch a phishing attack. They steal

224
00:19:33,559 --> 00:19:38,480
the credentials to log into those Wi-Fi
networks. And now the next time

225
00:19:38,640 --> 00:19:42,839
anybody carries the compromised game on their
cell phone, doesn't have to be the same

226
00:19:42,880 --> 00:19:48,720
pizza delivery guy, can be anybody who
carries that compromised cell phone into the

227
00:19:48,799 --> 00:19:52,279
site. The bad guys can connect
to the cell phone over the cellular network,

228
00:19:53,119 --> 00:19:59,119
operate the trojan on the cell phone, give the credentials, connect to

229
00:19:59,160 --> 00:20:02,079
the Wi-Fi network in the
site and, you know, work their will

230
00:20:02,160 --> 00:20:06,839
upon it. So, you know, heavy industry is deeply suspicious of wireless

231
00:20:06,880 --> 00:20:11,319
for this attack scenario and many others. The problem with the rail system is

232
00:20:11,400 --> 00:20:17,839
that you have no choice. You
have to use wireless communications to communicate with

233
00:20:17,880 --> 00:20:21,799
these these locomotives that are traveling at
three hundred kilometers an hour, you know,

234
00:20:21,839 --> 00:20:25,559
all over the countryside. You have
no choice. And so yes,

235
00:20:25,640 --> 00:20:29,359
you have to encrypt everything. Yes, you need credentials everywhere, and you've

236
00:20:29,400 --> 00:20:34,799
got to train your people not to
leak these credentials because you know, there's

237
00:20:34,839 --> 00:20:41,000
just so it's a hard problem.
You have to use wireless, but nobody

238
00:20:41,079 --> 00:20:45,559
wants to, you know, and
so there's a lot of you know,

239
00:20:45,839 --> 00:20:52,680
focus on on wireless security in the
rail system. You know, that's a

240
00:20:52,720 --> 00:20:59,279
distressing picture of sort of constraints and
issues in you know, the security in

241
00:20:59,359 --> 00:21:03,279
rail systems. Can you talk about
sort of there, what's the response,

242
00:21:03,319 --> 00:21:07,480
what's the industry doing to address these
things? Of course, the topic of

243
00:21:07,519 --> 00:21:11,960
security is quite broad. We know
it from all other industries as well,

244
00:21:12,720 --> 00:21:18,519
and there are a few motions there. One of them is securing the installed

245
00:21:18,599 --> 00:21:22,279
base; the other is developing products that
are trying to be secured by design,

246
00:21:23,559 --> 00:21:29,559
and also in each one of them
you can dig deeper and see the controls

247
00:21:29,559 --> 00:21:33,960
that are being used in order to
achieve those purposes. So there are some

248
00:21:34,000 --> 00:21:37,559
controls that are harder to use many
times, like for example, encryption is

249
00:21:37,599 --> 00:21:45,799
not necessarily being used in the industry for
other reasons, which can be about latency and

250
00:21:45,880 --> 00:21:52,359
potential impacts on the operations. Other
than that, you have methods of things

251
00:21:52,359 --> 00:22:00,799
like segmentation, in which we also cooperate
with Waterfall, and solutions like diodes or

252
00:22:00,880 --> 00:22:08,160
firewalls as such. What we're doing
is another thing, which is being non

253
00:22:08,200 --> 00:22:15,920
intrusive and trying to be as
easy as possible to deploy. So,

254
00:22:17,480 --> 00:22:22,279
as I mentioned before, the main
constraint in the rail environment is safety. So you're

255
00:22:22,400 --> 00:22:27,359
trying to secure as much as possible
without compromising safety and operations. And that's

256
00:22:27,400 --> 00:22:34,200
not such an easy task because in
order to secure optimally, you of course

257
00:22:34,200 --> 00:22:37,039
need to make a lot of modifications. You would like to maybe change the

258
00:22:37,039 --> 00:22:42,880
devices themselves, as I mentioned before, you might want to introduce encryption wherever

259
00:22:42,880 --> 00:22:48,440
it's possible. But sometimes what we're
seeing is that making those changes is much

260
00:22:48,519 --> 00:22:57,680
more expensive than
just introducing an external solution that will give

261
00:22:57,720 --> 00:23:03,680
you the right compensating control over
the fact that those controls do not exist.

262
00:23:03,880 --> 00:23:08,559
And when I say expensive, I'm mostly
referring to the need of recertifying the systems,

263
00:23:08,960 --> 00:23:12,960
passing them for safety approvals, upgrading
the huge install base, et cetera.

264
00:23:15,319 --> 00:23:21,680
And our approach in CylusOne was to
help operators to be able to meet

265
00:23:22,000 --> 00:23:26,759
the best security practices and follow the
security frameworks in a way that is tailored

266
00:23:26,799 --> 00:23:33,799
for their environment, as well as
make sure that all of those processes are

267
00:23:34,519 --> 00:23:41,160
indeed aligned with the safety processes and
not introducing another risk or a challenge with

268
00:23:41,240 --> 00:23:47,599
that regard. Okay, and you
know, in terms of solutions in this

269
00:23:47,720 --> 00:23:52,319
space, you know, Cylus, you
folks, uh, you know, have services offerings.

270
00:23:52,359 --> 00:23:56,799
You've also got technology. You're selling
technology into this space. What are

271
00:23:56,839 --> 00:24:02,640
you? What are you producing and
how does it work? Our solution,

272
00:24:02,720 --> 00:24:07,759
CylusOne, which is the solution
that the company develops, is what we

273
00:24:07,799 --> 00:24:11,319
call a rail tech security platform.
So a rail tech security platform is a

274
00:24:11,319 --> 00:24:18,799
comprehensive platform. It is capable of
providing several benefits to operators. So the

275
00:24:18,799 --> 00:24:23,880
most important thing about this type of
a solution is the context that it has.

276
00:24:25,000 --> 00:24:30,559
So we haven't invented the space of
operational technology monitoring, but I think

277
00:24:30,599 --> 00:24:34,319
that the major innovation that we bring
in the rail industry and in so much

278
00:24:34,319 --> 00:24:40,039
needed in the rail industry is the
ability to put context around the information.

279
00:24:40,799 --> 00:24:48,640
So our ability to provide operators with
visibility which is precise and is tailored for

280
00:24:48,680 --> 00:24:52,279
their environment. So the ability to
differentiate between assets, whether they're safety critical

281
00:24:52,400 --> 00:24:56,880
or not, whether they're interlocking, light
signals, point machines, or things

282
00:24:56,920 --> 00:25:02,799
onboard such as braking systems in
dark trolley units. This ability helps them

283
00:25:03,240 --> 00:25:12,000
to actually identify their environment, understand
the exact status of their security posture,

284
00:25:12,720 --> 00:25:18,359
and also remediate security issues as they
occur at a much faster pace because they

285
00:25:18,359 --> 00:25:22,119
have this context. Think about it. If you could have a network of

286
00:25:23,119 --> 00:25:29,200
hundreds of thousands of devices and you
don't really know what's the role of each

287
00:25:29,200 --> 00:25:33,319
device, it's very hard for you
to prioritize whether an alert is severe or

288
00:25:33,400 --> 00:25:37,839
not, understand who's the owner of
a specific device and who should treat the

289
00:25:37,880 --> 00:25:42,240
security issue, Understand the context of
the device in the broader rail system,

290
00:25:42,240 --> 00:25:48,160
and whether operations can continue as normal
or not, and these are all things

291
00:25:48,160 --> 00:25:52,880
that our solution brings. So broadly
speaking, our solution helps with visibility,

292
00:25:52,880 --> 00:25:57,480
with detection, the response piece of
it, which is very important because detection

293
00:25:57,720 --> 00:26:03,119
is one nice thing that you can
do by detecting various sorts of tactics,

294
00:26:03,160 --> 00:26:08,240
techniques and procedures. But understanding how
you should properly respond under the constraints of

295
00:26:08,240 --> 00:26:11,599
the rail environments is part of our
secret sauce and part of the value that

296
00:26:11,640 --> 00:26:15,440
we're bringing to the customers to make
sure that they're not just lost and flooded

297
00:26:15,440 --> 00:26:21,200
with lots of alerts. And also
of course compliance, because compliance is paramount in the

298
00:26:21,240 --> 00:26:26,960
industry, so the ability to comply
with rail security frameworks as well as security

299
00:26:26,960 --> 00:26:32,440
best practices while meeting the safety constraints. These are all things that you get

300
00:26:32,640 --> 00:26:40,319
through our product and it helps you
to also of course meet the requirements of

301
00:26:40,359 --> 00:26:45,400
all the latest regulations such as the
TSA directives in the US and the NIS 2

302
00:26:45,440 --> 00:26:52,359
directive in Europe, and standards and best
practices such as TS 50701 and

303
00:26:52,559 --> 00:26:57,440
IEC 63452, which is being developed
and will be released in

304
00:26:57,440 --> 00:27:03,680
the future. Sorry, and the
system of course will also help operators to

305
00:27:03,480 --> 00:27:08,279
comply with it. Okay, So
that's a lot of benefits. You

306
00:27:08,319 --> 00:27:14,160
know, these are all important benefits
of a solution, but you haven't really

307
00:27:14,160 --> 00:27:18,039
said how it works. I mean, if you want to understand sort of

308
00:27:18,079 --> 00:27:21,640
the purpose of each piece of equipment, do you enter its IP address by

309
00:27:21,720 --> 00:27:23,920
hand and enter the data by hand
and now you have it available when an

310
00:27:23,920 --> 00:27:29,720
alert comes up? Or do you
discover this stuff automatically? Or what I

311
00:27:29,720 --> 00:27:33,440
mean? How are you gathering
this data and how much of it is

312
00:27:33,480 --> 00:27:37,079
sort of manual? How much of
it's automatic? Can you lift

313
00:27:37,079 --> 00:27:40,279
the hood for us? Yeah,
that's a great point, Andrew. Yeah,

314
00:27:40,279 --> 00:27:42,759
I'm trying not to expose too much
of the tech inside of it. So

315
00:27:42,839 --> 00:27:45,920
yeah, that's a great question. So there are several ways that it

316
00:27:45,960 --> 00:27:49,039
works. First, as I mentioned, the purpose is to be as

317
00:27:49,079 --> 00:27:52,839
non-intrusive as possible, and the
way of doing it is, first, like,

318
00:27:53,240 --> 00:27:57,440
we collect information via network traffic.
So we passively connect to the network

319
00:27:57,559 --> 00:28:04,519
via taps or SPAN ports or data diodes,
whatever is approved by the customer, and collect

320
00:28:04,559 --> 00:28:10,400
the information passively through a platform that
analyzes raw network traffic. And we extract the

321
00:28:10,440 --> 00:28:14,119
context that I mentioned from this raw
network traffic. So it starts by analyzing

322
00:28:14,160 --> 00:28:18,319
the protocols, which is probably the
easier part, but then it builds up

323
00:28:18,359 --> 00:28:25,480
over our algorithms for asset database
and anomaly detection and compliance and helping actually

324
00:28:25,519 --> 00:28:27,599
to make sense out of this data. So that's one source of data that

325
00:28:27,640 --> 00:28:34,079
we treat. The other source of
data comes from integrations. Integrations can be

326
00:28:36,079 --> 00:28:40,960
through operational systems that exist in the
environment, and these operational systems already gather

327
00:28:41,079 --> 00:28:44,599
insights about the operational state of the
rail environment, which can be like maintenance

328
00:28:44,640 --> 00:28:48,279
systems for example, and our system
can seamlessly integrate with them, and by

329
00:28:48,319 --> 00:28:52,920
collecting this information, users can get
a single pane of glass over their operational

330
00:28:53,160 --> 00:28:59,519
and security data in a sense that
when security data is out there, we

331
00:28:59,559 --> 00:29:03,440
can actually correlate it with the operational info
that you have on the environment, and

332
00:29:03,519 --> 00:29:08,480
that usually helps you to spare yourself false
positives and have shorter investigation cycles. Other

333
00:29:08,640 --> 00:29:17,200
sources of information can include asset management
databases, risk management databases, other security

334
00:29:17,200 --> 00:29:19,680
solutions that are used in the networks, whether in the end points or other

335
00:29:19,759 --> 00:29:25,880
locations, and we collect information from
all of those in order to put this

336
00:29:25,960 --> 00:29:32,319
information into the context that I mentioned
before. So with these capabilities of information

337
00:29:32,359 --> 00:29:34,880
collection, you can actually get a
very comprehensive view of your network and very

338
00:29:34,880 --> 00:29:41,480
precise view of your environment, whether
it's trackside, onboard, in the

339
00:29:41,519 --> 00:29:48,079
operations center, or on the stations
themselves. So listening to this, you

340
00:29:48,079 --> 00:29:52,279
know, I think some of our
listeners might ask, why the great focus

341
00:29:52,400 --> 00:30:00,319
on, you know, detecting and
responding to incidents. If cybersecurity is critical

342
00:30:00,359 --> 00:30:03,960
to safety, then do we
not need to prevent the incidents?

343
00:30:06,920 --> 00:30:11,559
And you know, I
think the answer is, partly, we've

344
00:30:11,559 --> 00:30:14,240
got a lot of legacy equipment out
there. It's weaker than we want it

345
00:30:14,279 --> 00:30:17,480
to be, and so one of
the compensating measures we can put in place

346
00:30:17,640 --> 00:30:21,799
is, you know, strong
detection. It's not as good as

347
00:30:22,400 --> 00:30:26,799
changing the systems to prevent attacks,
but you know, it's something that,

348
00:30:26,200 --> 00:30:30,680
especially in a passive mode, it's
something we can very quickly add after

349
00:30:30,720 --> 00:30:36,039
the fact without raising the
ire of the regulators,

350
00:30:36,039 --> 00:30:41,240
the safety regulators. You know,
don't get me

351
00:30:41,279 --> 00:30:44,400
wrong, you might also
ask, you know, well, if

352
00:30:44,599 --> 00:30:48,000
we were able to prevent these attacks, by applying security updates, by doing

353
00:30:48,039 --> 00:30:52,079
better segmentation, by whatever,
you know, do we then still

354
00:30:52,119 --> 00:30:56,279
need detect, respond, recover?
And you know the answer is yes,

355
00:30:57,160 --> 00:31:03,839
we need both. You know,
the NIST Cybersecurity Framework has five pillars,

356
00:31:03,920 --> 00:31:07,119
and you don't choose between them based
on your industry. You might prioritize them

357
00:31:07,119 --> 00:31:12,279
based on your industry, but a
robust security program has all of them.

358
00:31:12,319 --> 00:31:21,039
The most sophisticated intrusion detection, the
most sophisticated, you know, detect, respond, recover

359
00:31:21,200 --> 00:31:26,799
programs that I've ever seen are at
sites that also have the most sophisticated prevention

360
00:31:26,880 --> 00:31:30,079
programs. They sort of go hand
in hand. So you know, on

361
00:31:30,119 --> 00:31:33,759
the one hand, it's a compensating
measure. You can get some

362
00:31:33,839 --> 00:31:37,440
of your assurance back with detect, respond,
recover. And on the other hand,

363
00:31:37,880 --> 00:31:41,160
it's a long term investment. You
know, we need it going forward.

364
00:31:45,039 --> 00:31:49,079
Could I ask you to go maybe
a little deeper on response playbooks. You

365
00:31:49,119 --> 00:31:53,759
know, if there is something that
might be an incident or definitely is an

366
00:31:53,759 --> 00:31:59,559
incident, you know, it sounds
like you have some support for dealing with

367
00:31:59,599 --> 00:32:02,519
the incidents, and so can you speak
to response playbooks? And you've also mentioned compliance.

368
00:32:04,039 --> 00:32:08,680
It sounds like you can compare what
you're seeing to what needs to be

369
00:32:08,720 --> 00:32:14,440
there compliance-wise. So can you
talk about sort of response playbooks and compliance?

370
00:32:14,640 --> 00:32:16,359
How do you do that? What
does that you know, what does

371
00:32:16,400 --> 00:32:22,160
that look like under the hood?
Let's start with response playbooks. So in

372
00:32:22,240 --> 00:32:30,759
response playbooks, our goal is to
have the operator capable of handling our alerts

373
00:32:30,839 --> 00:32:36,680
in a way that fits their environment. So it starts actually by helping the

374
00:32:36,759 --> 00:32:43,240
operator to get all the relevant context
over a specific alert. So it's the

375
00:32:43,279 --> 00:32:47,559
ability of identifying similar alerts very quickly
and correlating it with them. It's the

376
00:32:47,599 --> 00:32:52,880
ability of understanding whether maintenance activities took
place on a specific asset.

377
00:32:54,160 --> 00:33:00,920
It's the ability to see what other
things this asset has experienced prior to this

378
00:33:00,039 --> 00:33:07,599
alert. And it's basically this and
others that create the context that helps the

379
00:33:07,680 --> 00:33:12,880
operator to first understand whether this alert
should be there or not, whether it's

380
00:33:12,880 --> 00:33:19,119
expected maybe, and it also afterwards
helps them to adjust it accordingly, so

381
00:33:19,160 --> 00:33:23,400
adjust the sensitivity of the system and
ensure that they will see more or less

382
00:33:23,400 --> 00:33:29,799
of those alerts in the future.
Other than that, there is the part

383
00:33:29,880 --> 00:33:34,200
of, by identifying the context of the
alert, the context of the asset,

384
00:33:34,279 --> 00:33:38,640
the context of the operations, understanding how
you actually should respond to this event,

385
00:33:39,240 --> 00:33:45,680
and by responding you can take several
actions. Some actions will be hard

386
00:33:45,759 --> 00:33:52,039
to take over specific type of systems, some are more possible. Generally speaking,

387
00:33:52,319 --> 00:33:58,160
the industry is just starting in terms
of, like, the active response capability, so

388
00:33:58,200 --> 00:34:02,519
the ability to actually, like, micro-segment or
do something similar over assets. It hasn't

389
00:34:02,559 --> 00:34:07,719
been the case until now, but
we see more and more sparks of it

390
00:34:08,519 --> 00:34:15,519
in specific systems that are inside
the industry. And this general ability of

391
00:34:15,679 --> 00:34:20,280
like providing the operator context, it
spares a lot of time. It's something

392
00:34:20,280 --> 00:34:23,440
that you can effectively measure by the
time that your SOC team or your operations

393
00:34:23,440 --> 00:34:29,760
team needs to take when it analyzes
alerts. And I think that's an important

394
00:34:29,760 --> 00:34:35,639
metric to look at when you're having
some sort of a SOC in a rail company

395
00:34:35,960 --> 00:34:40,639
or you're setting up this monitoring or
detection program inside your company, and that's

396
00:34:40,639 --> 00:34:45,280
where context is mostly useful. So
that's about the response piece in a nutshell,

397
00:34:46,079 --> 00:34:50,440
if we're going to compliance. So
compliance is a very broad topic,

398
00:34:51,719 --> 00:35:00,880
and especially in rail, it has
a lot of tailwind coming from the different

399
00:35:00,000 --> 00:35:07,639
standards that are being developed and the
suppliers themselves, because the industry is used

400
00:35:07,679 --> 00:35:14,559
to develop things that are certified to
something and that's the standard the industry provides

401
00:35:15,320 --> 00:35:22,719
to their components. So the general, let's say, major capability of the

402
00:35:22,760 --> 00:35:28,920
major rail suppliers is the ability to
have a high level of safety and certification

403
00:35:29,480 --> 00:35:34,719
and that's very hard to achieve.
So what we're seeing more and more, the

404
00:35:34,760 --> 00:35:38,679
trend in the industry is to have
a similar approach with security, so to

405
00:35:38,840 --> 00:35:44,039
ensure that there is a baseline of
security that is by design in those devices,

406
00:35:44,719 --> 00:35:49,519
and ensure that it is being enforced over
those devices. And this baseline of

407
00:35:49,519 --> 00:35:53,280
security can be a standard like the
IEC 62443-3 family,

408
00:35:53,400 --> 00:36:00,880
which is more of the system integrator
side, and it can be something

409
00:36:00,880 --> 00:36:07,519
around IEC 62443-3-2, sorry, that
is coming more from the asset owner

410
00:36:07,599 --> 00:36:12,280
side. And all of those together
are being embedded into this new set of

411
00:36:12,320 --> 00:36:15,760
frameworks that is developing in the industry.
And what our solution helps with is the

412
00:36:15,800 --> 00:36:24,159
ability to first understand your compliance status
to some of the requirements, as those

413
00:36:24,239 --> 00:36:30,800
that are related to controls, because
many of the requirements are related to processes,

414
00:36:30,800 --> 00:36:36,519
which are not necessarily things that are
visible through just monitoring of traffic or analysis

415
00:36:36,599 --> 00:36:44,480
of data, and other than that, it helps you to understand like your

416
00:36:44,639 --> 00:36:52,119
general level of compliance with specific framework
where the system helps you to achieve the

417
00:36:52,119 --> 00:36:59,719
goals that you have on specific requirements, and that's something that can also serve

418
00:36:59,760 --> 00:37:04,199
as, actually, a compensating control
for requirements that you can't meet, because the

419
00:37:04,239 --> 00:37:08,360
truth is it's very hard to apply
security to especially legacy systems. But the

420
00:37:08,480 --> 00:37:14,079
term legacy is really stretched in the rail
domain, because it's thirty years. So even if a

421
00:37:14,159 --> 00:37:16,960
system was developed, like, five years ago, it's already legacy and doesn't necessarily include

422
00:37:16,960 --> 00:37:21,480
security by design, and with our
products you can actually look at the different

423
00:37:21,480 --> 00:37:25,559
parts that you're not compliant with and
see what coverage you can actually achieve through

424
00:37:25,639 --> 00:37:30,280
using the solution. So, for
example, if you have an unencrypted link,

425
00:37:30,440 --> 00:37:32,320
that's bad, like that's not something
that you would like to have,

426
00:37:32,880 --> 00:37:37,559
but let's say the second best to,
like, encrypting it or authenticating it would be

427
00:37:37,719 --> 00:37:44,920
probably to ensure that there is no
abnormal communication over the link that could potentially

428
00:37:45,000 --> 00:37:46,800
compromise you. Because it's one thing
to know that you have a risk.

429
00:37:46,840 --> 00:37:52,159
The other thing is to actually be
able to mitigate it or identify whether this

430
00:37:52,159 --> 00:37:57,320
vulnerability is being exploited. And that's
something that we can definitely help with to

431
00:37:57,519 --> 00:38:01,719
the operators that are trying to meet
those frameworks, even with partial ability to

432
00:38:01,760 --> 00:38:07,400
implement controls. So I'm still a
little confused on the compliance side. Can

433
00:38:07,440 --> 00:38:12,000
you give me a couple of examples, what kind of things can you detect

434
00:38:12,559 --> 00:38:19,320
on the compliance side and report on, maybe just to go back to the

435
00:38:19,400 --> 00:38:24,280
previous question and start from there.
So, another important aspect of compliance is

436
00:38:24,320 --> 00:38:28,400
what happens the day after a system
is being handed over. So most of

437
00:38:28,400 --> 00:38:34,599
the compliance of most of the frameworks
is focused on complying at a certain point

438
00:38:34,599 --> 00:38:37,519
of time, which is usually the
hand over time from the system integrator to

439
00:38:37,559 --> 00:38:40,199
the asset owner to the rail operator, and from that point it's under the

440
00:38:40,280 --> 00:38:45,119
responsibility of the operator. But it's
very hard to enforce it over time.

441
00:38:45,239 --> 00:38:51,119
So even if there is a configuration
that took place initially in a good way,

442
00:38:51,800 --> 00:38:55,639
over the lifespan of thirty years,
that could be changed. So,

443
00:38:57,599 --> 00:39:06,159
for example, I mentioned before the
idea of vulnerabilities and patches, and one

444
00:39:06,159 --> 00:39:09,440
of the things that you can potentially
do is to actually, like through your

445
00:39:09,559 --> 00:39:15,199
vulnerability management and patch management program,
you can track the vulnerabilities of the devices

446
00:39:15,760 --> 00:39:21,039
and ensure that the patches that needed
to be installed based on your patch management

447
00:39:21,079 --> 00:39:23,519
program, which is adjusted to your
environment, adjusted to the safety constraints,

448
00:39:24,119 --> 00:39:30,159
are actually being installed. And that's
something that is essential because you're probably not

449
00:39:30,239 --> 00:39:31,679
going to end up installing all the
patches, but you're going to end up

450
00:39:31,719 --> 00:39:37,880
installing at least part of the patches
that are needed in order to meet your

451
00:39:37,000 --> 00:39:42,360
objectives. And that's something that we
can actually track automatically, So the vulnerability

452
00:39:42,360 --> 00:39:46,960
side and also the installation of patches
and the software versions of the devices.

453
00:39:49,239 --> 00:39:52,760
That's one thing. The other thing
is actually more exotic examples of, like,

454
00:39:53,039 --> 00:39:58,880
systems that haven't been properly segmented,
large systems, and one of the challenges

455
00:39:58,960 --> 00:40:02,039
the operator had that they wanted to
kind of like divide the system into security

456
00:40:02,119 --> 00:40:07,760
zones and conduits, like in the IEC
62443 terminology. So this requires

457
00:40:07,800 --> 00:40:15,679
you effectively to install, of course, some segmentation appliances inside the network,

458
00:40:16,360 --> 00:40:21,039
and they had them in several locations, but several locations didn't have them. So

459
00:40:21,320 --> 00:40:24,559
one of the things that we could
help with through our virtual segmentation capability was

460
00:40:24,599 --> 00:40:31,679
actually to divide automatically or provide suggestion
automatically to security zones and conduits over the

461
00:40:31,800 --> 00:40:43,039
environment of that operator and then have
the operator kind of enforcing policies or policies

462
00:40:43,119 --> 00:40:46,800
can be enforced through our product in
a way that if there is abnormal

463
00:40:46,840 --> 00:40:51,840
communication in one of the rail application
protocols between security zones that should not take

464
00:40:51,880 --> 00:40:55,920
place, the system will automatically alert
on that and help the operator to fix

465
00:40:55,960 --> 00:41:02,079
this misconfiguration. And that's something that
helped them in order to achieve a sort

466
00:41:02,119 --> 00:41:07,840
of a compensating control over lack
of segmentation in specific locations, and later on

467
00:41:07,880 --> 00:41:14,159
to properly segment their system using those
insights and recommendations. Thanks for that.

468
00:41:14,199 --> 00:41:19,360
And you know, on the topic
of compliance still you've mentioned a few times

469
00:41:19,400 --> 00:41:23,840
there are standards that are out there
for cybersecurity in rail systems. There are

470
00:41:23,880 --> 00:41:27,840
standards that are under development. There
are standards that are still a gleam in

471
00:41:27,880 --> 00:41:31,599
the eye. Can you survey
for us what the regulatory landscape looks

472
00:41:31,679 --> 00:41:37,280
like for cybersecurity in rail systems.
I think there are a few things to

473
00:41:37,320 --> 00:41:43,199
look at, like a few dimensions
to look at. One is frameworks versus

474
00:41:43,239 --> 00:41:51,519
regulations. The other is the geographical
dimension because different countries have their own regulations,

475
00:41:52,079 --> 00:41:55,719
so if we start from the regulatory
landscape. So in the US, TSA,

476
00:41:55,840 --> 00:42:00,400
with the help of CISA, published a
few security directives that are basically used

477
00:42:00,400 --> 00:42:08,519
as regulations, and from what we know, more are expected to come. In Europe.

478
00:42:10,000 --> 00:42:17,599
The regulations are mostly derived from NIS
and NIS 2, that cover critical infrastructure

479
00:42:17,639 --> 00:42:22,519
in general, and rail is part of it. But part of it is also for

480
00:42:23,360 --> 00:42:32,639
the member nations to identify their
operators of essential services and kind of

481
00:42:32,800 --> 00:42:40,840
identify how can they comply with the
overall directives. And this trend of having

482
00:42:42,119 --> 00:42:45,480
the regulation as part of the critical infrastructure
regulation is something that we see in rail, because

483
00:42:45,599 --> 00:42:52,559
almost every rail operator is part of
critical infrastructure in their country. Other than

484
00:42:52,599 --> 00:43:00,880
that, there is the landscape of
standards. So the most comprehensive standard that

485
00:43:00,920 --> 00:43:07,159
is currently available only for rail is
called Technical Specification 50701,

486
00:43:07,239 --> 00:43:12,519
developed by CENELEC, and it was
published at the end of 2021,

487
00:43:13,039 --> 00:43:20,840
and this standard is part of an
initiative by both operators and suppliers, mostly

488
00:43:20,880 --> 00:43:30,320
from Europe that have taken the IEC
62443 series and tried to identify

489
00:43:30,639 --> 00:43:37,079
how rail is different or where rail
is different and developed a sort of like

490
00:43:37,440 --> 00:43:45,119
a paper or technical specification that includes
the different phases in the life cycle of

491
00:43:45,199 --> 00:43:51,440
rail systems and how they should be
handled in terms of security. One of

492
00:43:51,480 --> 00:43:53,159
the interesting parts, or the unique
parts, I think, is the interface

493
00:43:53,199 --> 00:44:00,320
between safety and security, which is
a topic that is generally in tension. So this

494
00:44:00,400 --> 00:44:02,599
technical specification, which was released at
the end of 2021, served

495
00:44:02,599 --> 00:44:07,400
as a basis for another group I'm
actually part of, and it's a

496
00:44:07,440 --> 00:44:12,599
group of IEC, which is a
global standards organization, and this group took

497
00:44:12,920 --> 00:44:16,079
TS 50701 as well
as the IEC 62443 series,

498
00:44:16,639 --> 00:44:24,360
and it's currently working together to establish
this de facto global standard that can be

499
00:44:24,440 --> 00:44:32,280
used by each individual country to align
their security within rail systems. Other than

500
00:44:32,320 --> 00:44:37,119
that, you have groups like UITP
and APTA in the US that are

501
00:44:37,280 --> 00:44:44,320
developing lots of useful papers about things
like how should you run a tendering process,

502
00:44:44,400 --> 00:44:52,039
about maturity programs for railway and transit
operators, about OT visibility, detection

503
00:44:52,280 --> 00:44:58,519
within rail and all sorts of very
interesting topics that I really recommend for anyone

504
00:44:58,599 --> 00:45:05,880
wants to go and dig deeper into
the topic to read them and gain more

505
00:45:05,960 --> 00:45:09,039
understanding of how the rail environment works
and what are the best practices to protect

506
00:45:09,079 --> 00:45:13,280
it. Okay, well, you
know this has been good. Thank you

507
00:45:13,320 --> 00:45:15,639
Mickey, thank you for joining us. Before I let you go, you

508
00:45:15,679 --> 00:45:19,159
know, can you sum up for
us what should we take away from what

509
00:45:19,199 --> 00:45:23,039
you've been telling us here? So
thank you, Andrew. So if I

510
00:45:23,079 --> 00:45:28,679
could summarize it to a few takeaways
of first is that it's important to notice

511
00:45:28,760 --> 00:45:37,960
that rail environments they have unique nature
and they're very evolving in terms of technologies

512
00:45:37,960 --> 00:45:42,960
that are being used within them.
So that's one thing. The second thing

513
00:45:43,119 --> 00:45:46,480
is that in order to operate effective
security within the rail environment, you should

514
00:45:46,480 --> 00:45:53,400
really understand how operations in rail work
and the different principles around safety, because

515
00:45:53,440 --> 00:46:00,000
without that, like I feel like
it's very hard to get to proper solutions

516
00:46:00,360 --> 00:46:05,559
in securing those environments. And I
really recommend to every one of you trying

517
00:46:05,559 --> 00:46:10,440
to secure them to really talk to
your operations people and get more understanding of

518
00:46:10,480 --> 00:46:15,119
what's on their mind and what are
the risk that they're seeing. The other

519
00:46:15,199 --> 00:46:22,599
thing is that a rail tech security
platform can really ease your way into securing

520
00:46:22,599 --> 00:46:28,960
your environment, and the changes that
you need to make in order to secure

521
00:46:29,000 --> 00:46:32,320
your environment are not as bad as
you might think. And other than that,

522
00:46:32,360 --> 00:46:37,760
I just encourage you to visit our
website at Silas, or at silas dot

523
00:46:37,840 --> 00:46:43,719
com and we'll be happy to assist
you with your journey within rail cybersecurity.

524
00:46:44,480 --> 00:46:49,119
We have a lot of experience, and I would
really prefer for others to kind of

525
00:46:49,800 --> 00:46:55,760
be spared the
mistakes that we've seen happening in various places

526
00:46:55,840 --> 00:47:00,519
and try to take the shortcut,
and we'd be happy to have you for the

527
00:47:00,599 --> 00:47:06,639
journey and help you with our solutions. And of course please feel free to

528
00:47:06,639 --> 00:47:09,639
connect with me on LinkedIn.
I'll be happy to chat

529
00:47:09,679 --> 00:47:15,599
with any of you on the topic
and having interesting discussions about it. And

530
00:47:15,679 --> 00:47:20,159
of course, thank you very much, Andrew. It was a pleasure chatting

531
00:47:20,159 --> 00:47:23,519
with you today, and I
really look forward to more episodes of your podcast.

532
00:47:23,559 --> 00:47:30,639
Thank you, so, Andrew,
that was your interview with Mickey.

533
00:47:30,079 --> 00:47:34,199
Do you have any final thoughts to
take us out with today? Yeah,

534
00:47:34,239 --> 00:47:37,360
I mean, one of the insights
I got from Mickey was

535
00:47:37,719 --> 00:47:44,400
that this industry is much more heavily
regulated than I realized. Yeah, you

536
00:47:44,440 --> 00:47:46,400
know, sorry to interrupt you, but it does bring me back to

537
00:47:46,440 --> 00:47:51,639
a point that we had thought about
earlier in the episode. I think he

538
00:47:51,719 --> 00:47:55,800
mentioned that the government has to approve
like every patch in this industry, which

539
00:47:55,840 --> 00:48:00,960
correct me if I'm wrong,
that kind of sounds crazy, right? In

540
00:48:00,000 --> 00:48:02,360
a sense, it does. But
you know, it's all about safety.

541
00:48:02,400 --> 00:48:06,960
I mean, this industry from the
very beginning we're talking, you know,

542
00:48:07,039 --> 00:48:08,519
I don't know, the mid eighteen
hundreds or something. In my understanding,

543
00:48:08,559 --> 00:48:13,000
this industry has been focused on safety
from the very beginning. You know,

544
00:48:13,440 --> 00:48:19,320
to my understanding, the telegraph was
invented in large part because or was deployed,

545
00:48:19,639 --> 00:48:22,719
you know, continent wide, in
large part because of the needs of

546
00:48:22,800 --> 00:48:28,519
rail systems. You know,
and I don't know about Europe, but

547
00:48:28,559 --> 00:48:32,800
in North America, most of the
track that crossed the continent was single track.

548
00:48:32,880 --> 00:48:36,519
You could put one train on it. There wasn't a parallel set of

549
00:48:36,559 --> 00:48:42,679
tracks except at stations where you know, trains had to get by each other

550
00:48:42,760 --> 00:48:45,960
or switch yards, and so one
of the, you know, in my

551
00:48:46,039 --> 00:48:50,719
understanding the history, one of the
jobs of the engineer, the person who

552
00:48:51,440 --> 00:48:57,360
ran the engine in the freight trains
crossing the continent or passenger trains. If,

553
00:48:57,400 --> 00:49:00,760
for example, the train was not
scheduled to stop at a station,

554
00:49:00,800 --> 00:49:07,360
it was taking the track beside the
station, blasting on by, not even stopping.

555
00:49:07,559 --> 00:49:09,239
One of the functions of the engineer, one of the roles, was to

556
00:49:09,320 --> 00:49:13,719
stick their arm out. There was
a boom that swung out with a piece

557
00:49:13,760 --> 00:49:16,000
of paper on it. Grab that
piece of paper and read it. This

558
00:49:16,039 --> 00:49:22,039
is a telegram telling the engineer whether
it's safe to continue on the next section

559
00:49:22,079 --> 00:49:24,719
of track or not, or if
there's been a delay and you know there's

560
00:49:24,920 --> 00:49:30,360
or if there's been a derailment or
something. Safety has been job one in

561
00:49:30,360 --> 00:49:36,960
this industry since the very beginning,
and you know, it persists to this

562
00:49:37,039 --> 00:49:40,360
day. To me, the real
challenge that, it sounds like, the

563
00:49:40,480 --> 00:49:46,199
industry is facing is the dilemma
between safety and cybersecurity. In the modern

564
00:49:46,239 --> 00:49:52,440
world, cybersecurity is essential to safety. The threat environment is deteriorating. We

565
00:49:52,559 --> 00:49:59,639
urgently need to make cybersecurity changes to
these, you know, safety critical systems

566
00:49:59,639 --> 00:50:02,599
that are the rolling stock in our
rail systems. You know, this is

567
00:50:02,719 --> 00:50:07,559
the dilemma that the entire industry it
sounds like they're struggling with. And you

568
00:50:07,559 --> 00:50:10,039
know, the good news is, it's not
all bad news. The good news is

569
00:50:10,039 --> 00:50:15,239
that folks like Silas are rising to
the challenge and they're coming in with technology

570
00:50:15,320 --> 00:50:19,159
and you know, not just a
set of technology, but they continue to

571
00:50:17,920 --> 00:50:23,679
to develop and innovate as they're participating
in these industry forums too, you

572
00:50:23,679 --> 00:50:28,920
know, develop solutions that can be
deployed against systems both old and new.

573
00:50:30,199 --> 00:50:32,880
Okay, then with that, thank
you to Mickey Schiffman for speaking with you.

574
00:50:32,920 --> 00:50:36,840
Andrew, and Andrew, thank you
as always for speaking with me.

575
00:50:37,559 --> 00:50:40,000
It's always a pleasure. Thank you, Nate. This has been the Industrial

576
00:50:40,000 --> 00:50:45,480
Security Podcast from Waterfall. Thanks to
everybody out there listening.
