The Role of Suppliers in Rail Cybersecurity // William Heinrich and Mark Grant


Speaker 1: 0:06 Okay. Hey everybody, thanks for the opportunity to speak with you all. It’s nice to see a lot of familiar faces in the audience. It’s good to catch up with some people I hadn’t seen in a while. My name is Mark Grant. And until April of last year, I was the CISO at CSX and worked there many years on securing the rail infrastructure. And today, we are going to be talking about the critical role that the right type of engagement with suppliers plays in cyber security. And Bill and I will be covering that. So Bill, do you want to introduce yourself?

Speaker 2: 0:46 Sure! My name is Bill Heinrich. I am one of the three, I think, that raised their hands earlier about who started their career in the railroad industry. So I did, I spent over 40 years in the railroad industry. So I am an old railroad guy. I spent with three railroads: Union Pacific, BNSF Railway, and Amtrak. I was CISO at BNSF. And then also the CISO at Amtrak. And you heard Jesse talk earlier, I handed the baton off to Jesse when I decided to see greener pastures in retirement. So that’s kind of where I am at. And we do want to talk about... We have heard a lot about partnership here today. And I think Mark and I are going to talk more about partnership and specifically with suppliers. So Mark, off the conversation you spent time in large railroad, you spent time with small railroads, you are in the shipping/container industry. Talk about cyber security from your perspective.

Speaker 1: 1:43 Yeah. So I think I was reminded of how important cyber security is for railroads, in particular in the transportation sector in general, on a recent road trip I took. And I was in Memphis, Tennessee. And I was driving through Memphis. And of course, my navigation system. I am not going to say which one I was using, but my navigation system glitches like right when I was in Memphis, and so I don’t think it was a cyber security attack. But if it was, it was quite advanced, because it threw me off track, I ended up kind of in the industrial section of Memphis. And I knew that this was true, because the traffic pattern changed significantly. So instead of a lot of cars around me, suddenly, I was surrounded by, you know, container trucks, the big 40 foot containers and the 20 foot containers. And it became quite congested. Sure enough, I ended up next to the Memphis intermodal terminal for BNSF. And, Bill, maybe you are familiar with that facility, but it’s quite a large facility. And it reminded me of all the technology that’s applied in a facility like that, I mean, at the gate for checking the truckers in, you know, they have got automation systems to make that flow easily. They have people there with handheld computers that they are using to check that stuff in. You know, the wide, the big cranes, you have probably seen them, the wide span cranes, a lot of that stuff is very automated. And I know that from the experience I have in the industry. And then you know, you have got the tracks, the mainline track comes in. And, you know, on the west side, there’s technology deployed there, technology is abundant in the yard itself, with the yard tracks. And then we have the locomotives, of course, which had been referred to at least once today, as data centers on wheels. So there’s an awful lot of technology that’s deployed. And I also remember in my time early in my career, when I worked for a container shipping company. And we were putting terminal automation systems in, years ago. And one day when it wasn’t working well. And again, this wasn’t a cyber attack either but you know how implementation of new systems can go. The New Jersey State Police showed up in the server room and wanted to know when we were going to have the systems back online, because we were backing traffic up onto the New Jersey Turnpike and it was leading to delays and a lot of congestion. So the reality is, you know, modern railroads, our business processes are 95 plus percent reliant on technology, and some are 100%. And you know, when they don’t work, it’s a big problem from a business perspective and from a supply chain perspective. And so, these things are important and because of that businesses are very incented to have a focus on that, those processes, they need to be able to prevent attacks to the extent possible, but they also need to realize that 100% prevention is likely not attainable. So therefore, you know, they need to be able to detect attacks when they occur at the earliest opportunity. And they need to have a decisive response when that occurs, so that, you know, they can minimize the business impact. And so it’s, you know, it’s why we are here talking about this topic. And it also made me think, Bill, about your experience that you have had both designing and securing critical systems. And how do you think about, Bill, the role that suppliers and supplier engagement plays in that process?

Speaker 2: 5:38 So rails go back a long way, you know, the rail industry in the United States is 150-160 years old. You have a lot of applications, a lot of technology out there that rails have built over the years, some of it still exists. I can speak from experience that there are OT systems out there that are 40 and 50 years old. They are very special purpose things. They do what they do very, very well. But as someone has already mentioned, 40-50 years ago, cyber security was not a consideration. They were put on the network, they do what they do well, but they are very fragile, if you try to do something with them, as far as maybe do a network scan on or whatever. So you have to know where those things are. And do you know where those things are? Number one, you have IT business systems out there a long time. I was telling a story last night that I was a programmer at Universal railroad, somebody reached out to me not too long ago and said, Hey, this program that you wrote back in the early 80s, I just cracked it open, I was gonna make some modifications to it, I just thought I’d let you know that it still exists. I can guarantee you when I wrote that program, 40 years ago, that cyber security and security was not a consideration. So things have evolved but all this, old railroads are running on old technology, but they are also running on new technology. They are buying new custom packages. They are working with suppliers, you know, all the Enterprise Resource Management Systems. Do you know where those are? Are you involved in the process? Or you are talking to the suppliers? Are you involved in the design stages, those type of things? Mark’s already talked about the instrumentation and conductivity of railroad systems and road environments. Technology is everywhere. And, you know, Jesse talked earlier about all the different disciplines they have within the railroad industry, you know, it’s a power company. It’s a resource management company, as far as law enforcement. We are transportation company, technology’s involved in all that stuff. Even the police officers are carrying, you know, cameras, and there’s technology on the police officers to make sure that just like the municipal police officers have, so there’s technology everywhere in every one of our business processes. And then Cloud is becoming a more predominant player in the railroad industry. Some companies have a cloud first mentality, says if you are going to do anything in the railroad industry, you are going to do it the cloud first and tell me why the cloud won’t work. And so do you understand that and you understand the security around those cloud guys, and you understand how those applications are being instrumented? You know, Tripwire put out a report earlier this year, and you see it out there is that, you know, two thirds of the supply chain attacks actually started with a failure or exploited trust in the suppliers’ security. And so how do you handle that? If a supplier has an attack, and it affects you, how do you handle that in your environment? And what do you do with that? And do you have things in your system that would help you understand that and better manage that?

Speaker 1: 8:48 Are we talking about, Bill, I mean are we really talking about supply chain risk management? Is that what you are talking about?

Speaker 2: 8:55 Yeah, maybe that’s what we are talking about. You know, you know, in a nutshell, cyber security is all about risk management. We are risk managers. It’s a complicated, it’s a specialized risk, but it’s risk nonetheless. And that’s what we do. Cyber Security Supply Chain Management Risk is just one aspect of the risks that we handle as cyber security people. NIST defines the cyber security supply chain risk management as the process of identifying, assessing and mitigating risks associated with IT and OT and service supply chains. Basically, from initiation of a project or technology to the obsolescence of that project or technology, your cyber security teams need to be involved in the very front and they gotta be involved all the way along, even disposal of those assets, because it’s important. Even at the end, you may have stuff that in optimizing stage that you need to be aware of. And that’s where we talk about, you know, it’s been mentioned a lot about automated discovery, is really important in this because you are not gonna know everything in the cyber security world. So you are gonna find stuff all the time. Do you have technology that will identify what’s on the network? What’s out there? And if it can’t find it, can it tell you what it is? I mean, you may see a node out there, but you don’t know what it is. You have technology that would specifically tell you what type of technology? Is this a switch system on a railroad? And is it manufactured by X, Y, Z? And is it running this firmware? Or is it running this software? Can it tell you that, and then get a fingerprint for you, you know, gonna tell you exactly the security password of that device? And by the way, does your software allow you to be able to push that stuff off dynamically, maybe you need to segment it off dynamically, sandbox it, whatever you need to do to mitigate that risk? So all those types of things you need to worry about with suppliers and incident response. Do you think about your incident response systems? Is the supplier involved in your incident response plan? If one of these cloud providers has a risk, has an incident and it impacts you, how do they notify you? Is that even part of the consideration as you do incident response? I know incident response is done very well, when I worked, as far as having plans internally. But do you take into account that the suppliers can also have an incident and you need to handle that? And then what’s your engagement with your sourcing and legal organizations? Jesse mentioned it earlier, if you are not putting security provisions, security clauses in contracts with the suppliers, you are missing the boat, you need to have that, you need to have good T’s and C’s around how you are going to work with them and being notified, you know, if you have an event and you are hurt by it, what kind of penalties, those types of things, you need to understand that but also it’s about understanding your relationship, you need to build that in those contracts too, understand how you are going to work from a cyber security perspective with those suppliers. Mark, so you have worked with supplier engagement and working with new products and services? What are your thoughts around how you would engage and work with suppliers there?

Speaker 1: 12:12 Well, I think you mentioned a lot of good things. But another aspect that I think about, there are actually suppliers that bring security solutions against the problem that you need to work with as well. And you know, there are a lot of smart people that work on products and are delivering solutions, work for suppliers. And it also is true, I think, that particularly in the OT environment, you know, there’s a lot of similarities in technologies that are employed in different industries. So if for example, you know, you know how to hack a pipeline, or you know something about hacking an automobile, a lot of times those skills will translate across industries, because the underlying technologies are very similar. You know, railroad may be using the same PLC, certainly, you know, Linux is ubiquitous in a lot of these control environments. And if you know how to attack a Linux server for a pipeline, you are probably going to have a pretty good shot, at least having a starting point for a railroad. You know, also, though, on the other side, if you are a security professional, and you have experience protecting critical infrastructure, those skills translate to a certain extent, also. But we have also talked about security, but the point is, you can’t, to deliver these solutions from a security provider perspective, you really can’t do that in a vacuum. And the reason why, even though these things are ubiquitous, and the skills may translate, there’s the business context that we talked about earlier. So you have to understand, and Jesse talked a little bit about it as well, you have to understand how that technology is applied, what are the potential consequences if this specific system is targeted from a business perspective? And that part doesn’t translate very well, you know, railroad, you know, is significantly different than other types of businesses. So I think the things that I have seen work, we really have to think about ways to engage security suppliers also in the solutioning process. So a good example would be during penetration testing. I know railroads do an awful lot of penetration testing on their IT systems and also their OT systems. And you have to think of ways and you have to be careful about it because the information is very sensitive, but you have to think of ways to give some engagement with suppliers who are going to bring solutions to help you protect those systems. You know, you can’t expect them to just somehow understand these things and be able to deliver a solution without some level of engagement and we have to get better at that. The other area I think is around threat intelligence, so we get a lot of indications of bad things that are happening. A lot of that comes from government, a lot of that comes from other railroads, as railroad professionals. But there is also a role for suppliers, and particularly, I think of suppliers that may have a global footprint. And they may be the first ones to see an attack. And if they are specific to your industry, that’s an excellent way to receive very timely and important threat intelligence on what’s going on in your industry. So those are just a couple of ways, and thinking about the future. Now, as we are kind of talking about how things might evolve. I mean, I don’t know, Bill, do you have any sort of? I mean, what do you see? How do you see the supplier relationship? Isn’t it amazing how we have slides for the questions? Exactly the same. It’s a coincidence. You know, how do you see these things evolving for future concepts?

Speaker 2: 16:01 You talked a little bit about partnerships permission a bunch here today, and what does it mean? And within the rail industry, time we spent there, there’s a good partnership, at least at class one CISO and stuff. And we have worked across the industry, we have done some joint testing on things, doing pen testing. But can you bring your suppliers ahead of you? Have you brought the suppliers in? And can you bring the suppliers in to do testing, sit alongside you while you are doing that, and by the way, what a great opportunity to train your security staff is to bring them along. We did some stuff with CSX, you know, crossings, and worked with the vendor there and had somebody come in and help us understand what the risks were at the crossing systems there, been great to have our security staff sit alongside those learners, Jesse talked about all the, you know, the 30 new people you got in there, but a great opportunity to have them right there in the field or wherever we are doing testing. Will suppliers let you pen test their stuff with them? You know, that’s some of the things you need to work out into the agreements with them and the partnership. Product certification, that’s kind of a, I don’t know, can of worms type thing. But I read something last week where the White House is going to start proposing maybe an Energy Star program for cyber security. And they are gonna start with consumer products. So what does that mean? You know, what would it take, what kind of requirements or regulations to get put in there in order that you can put, I have got the cyber security seal of approval on my product. And, you know, again, it’s said that we are gonna start with consumer products. But you know, once it starts there, where does it go? And what does it mean? But even in that, I think that, you know, within the industry and with your suppliers, you are gonna hold them accountable to a set of requirements, maybe it’s a framework, maybe it’s the ISO standards, whatever it is, but understand what those are, what’s important to you. We work with our suppliers to make sure that they are also in agreement and working with you to make sure that they have their products meeting what you need them to do. And you know, the last thing there I talked about, and I have already talked about, is enhanced incident response. An incident response plan that just involves you and your company and doesn’t involve your suppliers, especially with the number of suppliers that are, especially in the OT space, there are a ton of them out there. And you know, the people that provide power or do trackside stuff, on board technologies. Do you have an agreement with them? Or you have a response plan with them? And something goes south there? And how are you going to do that and how you are gonna work with them as well as within your organization? So I think those are things that we need to think about as we look forward to suppliers and supplier management.

Speaker 1: 18:40 I totally agree with that and wondering what I should comment. I see Janet in the audience and the rail industry, I think, actually has done a very good job in terms of outreach to some of the critical suppliers. And I think you guys are still running, you are still running the supplier regular updates and communication with the supplier group, for those most critical systems to the way railroads operate. And I think that’s a wonderful approach to [Unclear], it all these things come down to communication and partnerships, and I think building that level of sort of understanding and trust, and that takes work and I appreciate the work you guys are doing in that space. So we probably have a few, I don’t know, maybe a couple of questions. Anyone have any questions?

Speaker 2: 19:28 Scott? [Unclear]

Speaker 1: 19:59 Well, I can talk about some approaches that I have seen be successful. So, you know, I think it occurs both from a supplier perspective, so I think that’s a great idea that should be included as a best practice in terms of when you engage with the supplier. It’s a little bit easier on the IT side because I think the bid processes are more mature there in terms of getting the right provisions and the right, you know, sort of engagement by the IT and security professionals in those contracts early on. The OT space probably is lagging a little bit but it’s getting there, you know, from what I see. So I think that’s a good idea but even the stuff that you develop in-house, I mean, the ROG’s is a mix of things that are, you know, purchased and in-house developed, it’s a problem even for the in-house stuff because, you know, people will get routines or they will find things and, you know, include them and so what I have seen be successful is security testing in the development process, and, you know, a set of minimum requirements and you can get tools a lot of times that will fingerprint those technologies that are being used and you do it for security reasons, you also do it because you may run into licensing issues and there’s a lot of sort of drivers for finding that stuff early. But I think you know that, and don’t wait until the end of your development cycle to start testing some of that stuff, and but I agree with suppliers should just probably handle that from a contractual perspective. Any other questions?

Speaker 2: 21:32 All right, thank you for your time. I don’t know. All right, I guess this one started.

Speaker 1: 22:13 Right.

2023-04-02 15:04
