A version of this article was originally published on IndustrialCyber.co.
What entices me to sit down and write a blog? It could be a good discussion with a friend, something I am doing at that moment in time, or a memory from the past. And an article is totally different than when I am writing regulatory guidance, a project plan, or a solution brief where everything must follow a focused direction to be done right.
The idea for this particular blog came to me as I was riding a train through the Nordic Region after some incredible partner meetings in Sweden and Finland. This past week I rode on more trains than I have in many years, and the trains I was on were vastly different than the freight-hauling one currently dominating the news back in the US. The Swedish and Finnish trains had all the comforts of an office-on-rails with a restaurant, plush leather chairs, and even an area for children to play. They also travel at speeds of 180 KPH or higher, which, for those of us who live on the other side of the pond (and do not use the metric system), is more than 110 MPH.
The freight train that crashed in Ohio back in February, which did not include any of the aforementioned amenities but did include cars carrying chemicals such as vinyl chloride, butyl acrylate, ethylene glycol, isobutylene, and ethylhexyl acrylate, was traveling at only one-half to one-third of that 110 MPH speed.
One common factor in both trains described above is that both have wheel bearings, and all wheel bearings are prone to fail in time—which is what happened to the freight train in East Palestine, Ohio. In fact, the reason I am making this comparison between trains is to make clear that all modes of transportation are prone to accidents that can have serious consequences for environmental safety and human life.
Ways to reduce the risk of accidents include preventive maintenance, safety and operational training, and monitoring/safety systems. There are also things in the physical world that can be implemented to reduce the risk of train accidents, such as Positive Train Control (PTC), vibration control sensors, and electric brakes; however, such brakes require electrical power and freight cars do not have such a luxury.
When you look at the cybersecurity aspect of rail, you will find that agencies like the European Union Agency for Cybersecurity (ENISA) or the Rail Information Security Committee (RISC) in North America publish best practices for cyber risk management, coupled with risk scenarios such as compromising a signal system or traffic supervising system, or a leak of client personal or sensitive data.
What you do not generally see are combined physical and cyber scenarios covering notifications for when a train, track, or operator control deviates from baseline, or how to alert and act if they deviate from an indicated pattern. To take this one step further, the derailment in Ohio has revealed patterns of management telling operational staff to skip safety checks, staff ignoring wheel bearing warning alarms, and even inconsistent placement of wheel temperature sensors along the tracks to detect failures.
One area that needs to be explored deeply during this accident post-mortem is how to improve the integration between the physical controls of rail, the strengthening of safety/auditing processes, and cyber monitoring systems to help reduce accidents. This has been done in the airline, shipping, and other industries and is certainly possible for rail as well. And with this should come a deeper alignment with cyber risk scenarios that are played out in tabletops, internal training, and incident response plans.
Somewhat ironically in light of the slow-speed Ohio derailment, for the past decade the Federal Railroad Administration in the United States has been toying with the idea of having freight trains travel at speeds approaching that at which passenger bullet trains travel, which is just as fast as or even faster than the ones I rode recently in Europe.
This notion immediately jogged another memory of mine about a book by Ralph Nader entitled “Unsafe At Any Speed.” The book dealt with car manufacturers resisting the introduction of safety features such as seatbelts, setting tire pressure for comfort rather than safety, and not installing stabilizer bars for preventing deadly rollovers due to cost.
Hopefully, the toxic Ohio train accident is a wake-up call and a clear signal that we need to work globally to make rail systems around the world safer.
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security and regulatory compliance of multiple OpCos, and Principal Security and Regulatory Lead for interactions with the NY and NE ISOs, NERC, ISACs as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.