Constella Intelligence

Europe’s Railway Cybersecurity: The importance of continuous credential monitoring


Too often, discussions of cybersecurity are treated as reserved for expert-level specialists, or as concerning complicated technical concepts confined to the digital sphere. This mindset must change, and a necessary shift in thinking is under way as critical infrastructure remains a primary target for threat actors. Within this context, public officials are increasingly facilitating dialogue and initiating discussions to seek solutions and implement practical responses.

Cybersecurity has become a mainstream topic of discussion affecting nearly every industry. The threats and consequences are clearer than ever, with well-known incidents like the Colonial Pipeline ransomware attack serving as prime examples of cyberattacks whose repercussions directly affect both organizations and everyday citizens.

ENISA’s Railway Cybersecurity Report

Last month, the European Union Agency for Cybersecurity (ENISA) released a railway cybersecurity report highlighting the threat of cyberattacks to rail networks across Europe and assessing the level of implementation of specific cybersecurity measures in the sector.

To draft this report, ENISA wisely brought together experts from across Europe to take part in workshops and provide comments, creating robust and thorough documentation of cyber risk management practices applicable to the railway sector. The report provides actionable guidelines, lists common challenges associated with railway activities, and outlines good practices that individual organizations can readily adopt and tailor. Producing such a collaborative body of work with groups from several distinct national railway organizations is a commendable feat.

In the context of increased digitization, rail networks in Europe now rely on digital solutions across virtually all of their operations. For example, automated interlocking, train dispatching, and incident handling offer significant benefits in capacity, efficiency, safety, and sustainability to rail passengers, operators, regulators, and manufacturers, according to McKinsey & Company. The modern railway is “now a network of connected devices processing and analyzing data. With up to one hundred digital systems onboard a single train—some of which are older and difficult to update – it represents a large attack surface for a determined attacker,” said Alex Cowan, CEO of RazorSecure, a company specialized in railway cybersecurity.

This dependence on digital solutions has expanded the number and diversity of attack vectors, creating new vulnerabilities that are appealing targets for cybercriminals seeking to compromise signaling systems and automatic train control, or to wage ransomware attacks that disrupt services.

What Does the ENISA Report Say About Railway Cyber Risk?

Most of the major cyber risk scenarios in the report involve credential theft, phishing, leaked credentials, or exposed PII, or a combination of these.

According to the report, what is step one in compromising a signaling system or automatic train control system, a cyber incident that can lead to a train accident? The attacker gathers information (request types, IP addresses, etc.) by trespassing on railway undertaking facilities (e.g., depots, maintenance centers), through a malicious employee, or by phishing an employee. The report also cites, as a cause of sabotage of traffic supervision systems leading to a train traffic stop, an attacker introducing ICS malware through phishing emails sent to employees or through removable devices used on OT systems.

ENISA also concluded that an attacker infiltrating the information system through phishing or stolen credentials can be the root cause of a ransomware attack leading to a disruption of activities.

Finally, and importantly, the report established that railway organizations lack a single cyber risk management approach covering both IT and OT in a unified manner, and identified as a key challenge ensuring that the security level remains adequate and that risks are continuously monitored.

What Does the ENISA Report Miss About Railway Cybersecurity?

The ENISA report highlights several of the scenarios and outcomes that cyber threat actors pursue. However, it is becoming increasingly clear that attacks on critical infrastructure are more and more often exploiting an attack vector that affects every single organization: the exposed personal information and corporate credentials of employees.

Many of the scenarios noted in the report can be proactively anticipated and addressed with continuous monitoring of leaked credentials and personally identifiable information (PII) of employees. To keep cybercriminals out of corporate networks, proactive intelligence on the most abundant attack vector must be a priority. As explained in detail in Constella’s 2021 Identity Breach Report, leaked, breached, and exposed data on virtually every individual with an online footprint is proliferating at scale. Threat actors extract immense value from this exposed data, which is either scraped from open sources such as social media and the open web, or acquired via transactions on the deep and dark web, where massive volumes of breached personal data are bought and sold each day. Cybercriminals then use individuals’ personal data to launch sophisticated cyberattacks including, but not limited to, phishing, ransomware, business email compromise (BEC), account takeover (ATO), impersonation, and coordinated disinformation campaigns.

In the railway sector, organizations are often sizeable and depend on thousands of employees, which inherently raises the digital risk associated with exposed credentials circulating online. Given the European railway’s importance to critical transportation and supply chain infrastructure and its geopolitical significance, there should be an increased emphasis on monitoring leaked credentials and PII of employees as a way to mitigate many of the cyber risks it faces. Round-the-clock monitoring of all employees’ corporate credentials, which is possible and scalable with new industry solutions, would provide an effective cybersecurity safeguard for Europe’s railways.
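What such monitoring looks like in practice, as an added example that is not Constella’s, ENISA’s or any vendor’s code: a small offline model of a credential-exposure check against a leaked-credential corpus. It runs two checks a practitioner would want: whether a corporate e-mail address appears in any breach record at all (a periodic job needing no password), and whether a password an employee is setting or logging in with is already exposed (run at login or password change, the only moment plaintext is available). The second check uses the k-anonymity range-query pattern popularised by public password-exposure APIs: only the first five hex characters of SHA-1(password) leave the client, the corpus returns every suffix in that range, and the match is made locally. The breach records, source names, employee addresses and the `example-rail.eu` domain are all constructed sample data, and the class and function names are this example’s own.

```python
"""Continuous credential-exposure monitoring, modelled offline.

Added example; not Constella's or ENISA's code. All breach records, sources,
employees and the example-rail.eu domain below are constructed sample data.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars of SHA-1(password) disclosed to the corpus server

# Constructed combolist-style records: (email, plaintext password, source).
LEAKED_RECORDS = [
    ("a.rossi@example-rail.eu",   "Trenitalia2019!", "combolist-A"),
    ("j.mueller@example-rail.eu", "Sommer2020",      "combolist-A"),
    ("ops-admin@example-rail.eu", "Signal!ng42",     "forum-dump-B"),
    ("someone@unrelated.example", "password123",     "forum-dump-B"),
    ("other@unrelated.example",   "password123",     "combolist-C"),
]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Server side: indexes leaked records by e-mail and by SHA-1 prefix."""

    def __init__(self, records):
        self.sources_by_email = defaultdict(list)
        self.suffix_counts = defaultdict(lambda: defaultdict(int))
        for email, password, source in records:
            self.sources_by_email[email.lower()].append(source)
            digest = sha1_hex(password)
            self.suffix_counts[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1

    def email_sources(self, email):
        """Breach sources in which this address appears (periodic check)."""
        return sorted(set(self.sources_by_email.get(email.lower(), [])))

    def range_query(self, prefix):
        """Every suffix in the range; the server never learns the full hash."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix")
        return dict(self.suffix_counts.get(prefix, {}))


def password_exposure_count(corpus, password):
    """Client side of the range query: compare the suffix locally."""
    digest = sha1_hex(password)
    return corpus.range_query(digest[:PREFIX_LEN]).get(digest[PREFIX_LEN:], 0)


def assess_employee(corpus, email, candidate_password=None):
    """Findings for one employee; a password is supplied only at login/reset."""
    findings = []
    sources = corpus.email_sources(email)
    if sources:
        findings.append(("email_in_breach", sources))
    if candidate_password is not None:
        n = password_exposure_count(corpus, candidate_password)
        if n:
            findings.append(("password_exposed", n))
    return findings


def recommended_actions(findings):
    """Map findings to the response an identity team would automate."""
    kinds = {kind for kind, _ in findings}
    actions = []
    if "password_exposed" in kinds:
        actions += ["reject_or_force_reset", "revoke_active_sessions"]
    if "email_in_breach" in kinds:
        actions += ["enforce_mfa", "flag_for_phishing_watch"]
    return actions


def run_monitoring(corpus, roster):
    """roster: (email, candidate_password_or_None); returns only exposed staff."""
    report = {}
    for email, password in roster:
        findings = assess_employee(corpus, email, password)
        if findings:
            report[email] = (findings, recommended_actions(findings))
    return report


if __name__ == "__main__":
    corpus = BreachCorpus(LEAKED_RECORDS)
    roster = [
        ("a.rossi@example-rail.eu", "Trenitalia2019!"),    # still using the leaked password
        ("j.mueller@example-rail.eu", "NewStrong#Pass91"),  # rotated since the leak
        ("ops-admin@example-rail.eu", "password123"),       # reused a password leaked elsewhere
        ("k.novak@example-rail.eu", None),                  # periodic e-mail-only check
    ]
    for email, (findings, actions) in run_monitoring(corpus, roster).items():
        print(email, findings, "->", actions)
```

The `ops-admin` case is the one the article’s argument turns on: the address and password came from two different leaks, so neither a per-user breach lookup nor a password-policy check alone would catch it; only matching the candidate password against the whole corpus does. In a production deployment the corpus is an external feed or API, the e-mail check runs on a schedule against the full directory, and the password check is wired into the identity provider’s password-change and authentication hooks.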

Constella’s Solution

Constella Dome Employee and Executive Protection enables organizations to identify and respond faster to digital risks, such as compromised credentials or leaked confidential data, because it continuously monitors thousands of proprietary and public data sources across the social, surface, deep, and dark web. Constella’s data lake contains over 100 billion attributes and 45 billion curated identity records, the largest in the industry, and the Dome platform provides external digital risk visibility across 53 languages and 125 countries.

With Dome, organizations can use real-time alerts to quickly identify and block the use of compromised credentials, and initiate takedown of exposed personal information before it can be weaponized for account takeover, impersonation, reputational attacks, and, in extreme cases, cyber or physical threats that put an executive’s or employee’s family at risk.

Learn More About Your Employees’ and Your Organization’s Risk Exposure

Executives and key employees are the new attack vector for cybercriminals because they have top-tier access to sensitive information; compromising them can lead to credential theft, account takeover, and ransomware. Surprisingly, most organizations do not recognize a need for employee protection until it is too late. Constella Employee Protection helps organizations rapidly identify and remediate threats targeting thousands of key employees at scale, with real-time monitoring and automated early-warning alerts when credentials have been exposed.

Try our Exposure Risk Tool to see if you, your company, or your employees have been exposed – FREE.