The Role of Suppliers in Rail Cybersecurity // William Heinrich and Mark Grant
Speaker 1: 0:06 Okay. Hey everybody, thanks for the opportunity to speak with you all. It’s nice to see a lot of familiar faces in the audience. It’s good to catch up with some people I hadn’t seen in a while. My name is Mark Grant. And until April of last year, I was the CISO at CSX and worked there many years on securing the rail infrastructure. And today, we are going to be talking about the critical role that the right type of engagement with suppliers plays in cyber security. And Bill and I will be covering that. So Bill, do you want to introduce yourself?

Speaker 2: 0:46 Sure! My name is Bill Heinrich. I am one of the three, I think, that raised their hands earlier about who started their career in the railroad industry. So I did, I spent over 40 years in the railroad industry. So I am an old railroad guy. I spent it with three railroads: Union Pacific, BNSF Railway, and Amtrak. I was CISO at BNSF. And then also the CISO at Amtrak. And you heard Jesse talk earlier, I handed the baton off to Jesse when I decided to see greener pastures in retirement. So that’s kind of where I am at. And we do want to talk about... We have heard a lot about partnership here today. And I think Mark and I are going to talk more about partnership and specifically with suppliers. So Mark, to kick off the conversation, you spent time in a large railroad, you spent time with small railroads, you are in the shipping/container industry. Talk about cyber security from your perspective.

Speaker 1: 1:43 Yeah. So I think I was reminded of how important cyber security is for railroads in particular, and the transportation sector in general, on a recent road trip I took. And I was
in Memphis, Tennessee. And I was driving through Memphis. And of course, my navigation system, I am not going to say which one I was using, but my navigation system glitched right when I was in Memphis, and so I don’t think it was a cyber security attack. But if it was, it was quite advanced, because it threw me off track; I ended up kind of in the industrial section of Memphis. And I knew that this was true, because the traffic pattern changed significantly. So instead of a lot of cars around me, suddenly, I was surrounded by, you know, container trucks, the big 40-foot containers and the 20-foot containers. And it became quite congested. Sure enough, I ended up next to the Memphis intermodal terminal for BNSF. And, Bill, maybe you are familiar with that facility, but it’s quite a large facility. And it reminded me of all the technology that’s applied in a facility like that. I mean, at the gate for checking the truckers in, you know, they have got automation systems to make that flow easily. They have people there with handheld computers that they are using to check that stuff in. You know, the big cranes, you have probably seen them, the wide-span cranes, a lot of that stuff is very automated. And I know that from the experience I have in the industry. And then, you know, you have got the tracks; the mainline track comes in. And, you know, on the west side, there’s technology deployed there; technology is abundant in the yard itself, with the yard tracks. And then we have the locomotives, of course, which have been referred to at least once today as data centers on wheels. So there’s an awful lot of technology that’s deployed. And I also remember, in my time early in my career, when I worked for a container shipping company. And we were putting terminal automation systems in, years ago. And one day it wasn’t working well. And again, this wasn’t a cyber attack either, but you know how implementation of new systems can go. The New Jersey State Police showed up in the server room and wanted to know when we were going to have the systems back online, because we were backing traffic up onto the New Jersey Turnpike and it was leading to delays and a lot of congestion. So the reality is, you know, modern railroads, our business processes are 95-plus percent reliant on technology, and some are 100%. And you know, when they don’t work, it’s a big problem from a business perspective and from a supply chain perspective. And so, these things are important, and because of that businesses are very incented to have a focus on those processes. They need to be able to prevent attacks to the extent possible, but they also need to realize that 100% prevention is likely not attainable. So therefore, you know, they need to be able to detect attacks when they occur at the earliest opportunity. And they need to have a decisive response when that occurs, so that, you know, they can minimize the business impact. And so it’s, you know, it’s why we are here talking about this topic. And it also made me think, Bill, about your experience that you have had both designing and securing critical systems. And how do you think, Bill, about the role that suppliers
and supplier engagement play in that process?

Speaker 2: 5:38 So rails go back a long way, you know, the rail industry in the United States is 150-160 years old. You have a lot of applications, a lot of technology out there that rails have built over the years, and some of it still exists. I can speak from experience that there are OT systems out there that are 40 and 50 years old. They are very special-purpose things. They do what they do very, very well. But as someone has already mentioned, 40-50 years ago, cyber security was not a consideration. They were put on the network, they do what they do well, but they are very fragile if you try to do something with them, as far as maybe doing a network scan on them or whatever. So you have to know where those things are. And do you know where those things are? Number one, you have IT business systems that have been out there a long time. I was telling a story last night that I was a programmer at Universal railroad; somebody reached out to me not too long ago and said, “Hey, this program that you wrote back in the early 80s, I just cracked it open, I was gonna make some modifications to it, I just thought I’d let you know that it still exists.” I can guarantee you when I wrote that program, 40 years ago, that cyber security and security was not a consideration. So things have evolved, but railroads are running on old technology, and they are also running on new technology. They are buying new custom packages. They are working with suppliers, you know, all the enterprise resource management systems. Do you know where those are? Are you involved in the process? Are you talking to the suppliers? Are you involved in the design stages, those types of things? Mark’s already talked about the instrumentation and connectivity of railroad systems and road environments. Technology is everywhere. And, you know, Jesse talked earlier about all the different disciplines they have within the railroad industry, you know, it’s a power company. It’s a resource management company, as far as law enforcement. We are a transportation company; technology’s involved in all that stuff. Even the police officers are carrying, you know, cameras, and there’s technology on the police officers, just like the municipal police officers have, so there’s technology everywhere in every one of our business processes. And then cloud is becoming a more predominant player in the railroad industry. Some companies have a cloud-first mentality that says, if you are going to do anything in the railroad industry, you are going to do it in the cloud first, and tell me why the cloud won’t work. And so do you understand that, and do you understand the security around those cloud guys, and do you understand how those applications are being instrumented? You know, Tripwire put out a report earlier this year, and you see it out there, that, you know, two-thirds of the supply chain attacks actually started with a failure or exploited trust in the supplier’s security. And so how do you handle that? If a supplier has an attack, and it affects you, how do you handle that in your environment? And what do you do with that? And do you have things in your system that would help you understand that and better manage that?

Speaker 1: 8:48 Are we talking about, Bill, I mean, are we really talking about supply chain risk management? Is that what you are talking about?

Speaker 2: 8:55 Yeah, maybe that’s what we are talking about. You know, in a nutshell, cyber security is all about risk management. We are risk managers. It’s a complicated, it’s a specialized risk, but it’s risk nonetheless. And that’s what we do. Cyber security supply chain risk management is just one aspect of the risks that we handle as cyber security people.
NIST defines cyber security supply chain risk management as the process of identifying, assessing, and mitigating risks associated with IT, OT, and service supply chains. Basically, from initiation of a project or technology to the obsolescence of that project or technology, your cyber security teams need to be involved at the very front and they gotta be involved all the way along, even the disposal of those assets, because it’s important. Even at the end, you may have stuff in the optimizing stage that you need to be aware of. And that’s where we talk about, you know, it’s been mentioned a lot, automated discovery is really important in this, because you are not gonna know everything in the cyber security world. So you are gonna find stuff all the time. Do you have technology that will identify what’s on the network? What’s out there? And if it can find it, can it tell you what it is? I mean, you may see a node out there, but you don’t know what it is. Do you have technology that would specifically tell you what type of technology? Is this a switch system on a railroad? And is it manufactured by X, Y, Z? And is it running this firmware? Or is it running this software? Can it tell you that, and then get a fingerprint for you, you know, tell you exactly the security password of that device? And by the way, does your software allow you to be able to push that stuff off dynamically? Maybe you need to segment it off dynamically, sandbox it, whatever you need to do to mitigate that risk. So all those types of things you need to worry about with suppliers, and incident response. Do you think about your incident response systems? Is the supplier involved in your incident response plan? If one of these cloud providers has a risk, has an incident and it impacts you, how do they notify you? Is that even part of the consideration as you do incident response? I know incident response is done very well, from when I worked in it, as far as having plans internally. But do you take into account that the suppliers can also have an incident and you need to handle that? And then what’s your engagement with your sourcing and legal organizations? Jesse mentioned it earlier, if you are not putting security provisions, security clauses in contracts with the suppliers, you are missing the boat. You need to have that, you need to have good T’s and C’s around how you are going to work with them and being notified, you know, if you have an event and you are hurt by it, what kind of penalties, those types of things. You need to understand that, but also it’s about understanding your relationship; you need to build that into those contracts too, understand how you are going to work from a cyber security perspective with those suppliers. Mark, so you have worked with supplier engagement and working with new products and services. What are your thoughts around how you would engage and work with suppliers there?

Speaker 1: 12:12 Well, I think you mentioned a lot of good things. But another aspect that I think about: there are actually suppliers that bring security solutions against the problem, that you need to work with as well. And you know, there are a lot of smart people that work on products and are delivering solutions who work for suppliers. And it also is true, I think
that particularly in the OT environment, you know, there’s a lot of similarities in technologies that are employed in different industries. So if, for example, you know how to hack a pipeline, or you know something about hacking an automobile, a lot of times those skills will translate across industries, because the underlying technologies are very similar. You know, a railroad may be using the same PLC; certainly, you know, Linux is ubiquitous in a lot of these control environments. And if you know how to attack a Linux server for a pipeline, you are probably going to have a pretty good shot, at least having a starting point, for a railroad. You know, also, though, on the other side, if you are a security professional and you have experience protecting critical infrastructure, those skills translate to a certain extent also. But we have also talked about security, but the point is, to deliver these solutions from a security provider perspective, you really can’t do that in a vacuum. And the reason why, even though these things are ubiquitous and the skills may translate, there’s the business context that we talked about earlier. So you have to understand, and Jesse talked a little bit about it as well, you have to understand how that technology is applied, what are the potential consequences if this specific system is targeted, from a business perspective? And that part doesn’t translate very well; you know, railroad is significantly different than other types of businesses. So I think the things that I have seen work, we really have to think about ways to engage security suppliers also in the solutioning process. So a good example would be during penetration testing. I know railroads do an awful lot of penetration testing on their IT systems and also their OT systems. And you have to think of ways, and you have to be careful about it because the information is very sensitive, but you have to think of ways to give some engagement with suppliers who are going to bring solutions to help you protect those systems. You know, you can’t expect them to just somehow understand these things and be able to deliver a solution without some level of engagement, and we have to get better at that. The other area I think is around threat intelligence, so we get a lot of indications of bad things that are happening. A lot of that comes from government, a lot of that comes from other railroads, as railroad professionals. But there is also a role for suppliers, and particularly, I think of suppliers that may have a global footprint. And they may be the first ones to see an attack. And if they are specific to your industry, that’s an excellent way to receive very timely and important threat intelligence on what’s going on in your industry. So those are just a couple of ways, and thinking about the future now, as we are kind of talking about how things might evolve. I mean, I don’t know, Bill, do you have any sort of? I mean, what do you see? How do you see the supplier relationship? Isn’t it amazing how we have slides for the questions? Exactly the same. It’s a coincidence. You know, how do you see these things evolving for future concepts?

Speaker 2: 16:01 You talked a little bit about partnerships; it’s been mentioned a bunch here today, and what does it mean? And within the rail industry, the time we spent there, there’s a good partnership, at least at the Class I CISO level and stuff. And we have worked across the industry, we have done some joint testing on things, doing pen testing. But can you bring your suppliers ahead of you? Have you brought the suppliers in? And can you bring the suppliers in to do testing, sit alongside you while you are doing that? And by the way, what a great opportunity to train your security staff is to bring them along. We did some stuff with CSX, you know, crossings, and
worked with the vendor there and had somebody come in and help us understand what the risks were at the crossing systems there, and it’s been great to have our security staff sit alongside those learners. Jesse talked about all the, you know, the 30 new people you got in there, but what a great opportunity to have them right there in the field or wherever we are doing testing. Will suppliers let you pen test their stuff with them? You know, that’s some of the things you need to work out in the agreements with them and the partnership. Production certification, that’s kind of a, I don’t know, can of worms type thing. But I read something last week where the White House is going to start proposing maybe an Energy Star program for cyber security. And they are gonna start with consumer products. So what does that mean? You know, what would it take, what kind of requirements or regulations would get put in there in order that you can put “I have got the cyber security seal of approval” on my product? And, you know, again, it’s said that we are gonna start with consumer products. But you know, once it starts there, where does it go? And what does it mean? But even in that, I think that, you know, within the industry and with your suppliers, you are gonna hold them accountable to a set of requirements, maybe it’s a framework, maybe it’s the ISO standards, whatever it is, but understand what those are, what’s important to you. We work with our suppliers to make sure that they are also in agreement and working with you to make sure that they have their products meeting what you need them to do. And you know, the last thing there I talked about, and I have already talked about, is enhanced incident response. An incident response plan that just involves you and your company and doesn’t involve your suppliers, especially with the number of suppliers that are especially in the OT space, there are a ton of them out there. And you know, the people that provide power or do trackside stuff, onboard technologies. Do you have an agreement with them? Do you have a response plan with them? If something goes south there, how are you going to do that and how are you gonna work with them as well as within your organization? So I think those are things that we need to think about as we look forward to suppliers and supplier management.

Speaker 1: 18:40 I totally agree with that, and I’m wondering what I should comment. I see Janet in the audience, and the rail industry, I think, actually has done a very good job in terms of outreach to some of the critical suppliers. And I think you guys are still running, you are still running the regular supplier updates and communication with the supplier group, for those systems most critical to the way railroads operate. And I think that’s a wonderful approach to [Unclear]. All these things come down to communication and partnerships, and I think building that level of sort of understanding and trust, that takes work, and I appreciate the work you guys are doing in that space. So we probably have a few, I don’t know, maybe a couple of
questions. Anyone have any questions?

Speaker 2: 19:28 Scott? [Unclear]

Speaker 1: 19:59 Well, I can talk about some approaches that I have seen be successful. So, you know, I think it occurs both from a supplier perspective, so I think that’s a great idea that should be included as a best practice in terms of when you engage with the supplier. It’s a little bit easier on the IT side, because I think the processes are more mature there in terms of getting the right provisions and the right, you know, sort of engagement by the IT and security professionals in those contracts early on. The OT space is probably lagging a little bit, but it’s getting there, you know, from what I see. So I think that’s a good idea, but even the stuff that you develop in-house, I mean, the ROG’s is a mix of things that are, you know, purchased and in-house developed; it’s a problem even for the in-house stuff because, you know, people will get routines or they will find things and, you know, include them. And so what I have seen be successful is security testing in the development process, and, you know, a set of minimum requirements, and you can get tools a lot of times that will fingerprint those technologies that are being used. And you do it for security reasons, you also do it because you may run into licensing issues, and there’s a lot of sort of drivers for finding that stuff early. But I think, you know, that, and don’t wait until the end of your development cycle to start testing some of that stuff. But I agree with, suppliers should just probably handle that from a contractual perspective. Any other questions?

Speaker 2: 21:32 All right, thank you for your time. I don’t know. All right, I guess this one started.

Speaker 1: 22:13 Right.