Read the rest of this article by one of our favorite contributors who provide some of the best supply chain content in the industry.

As freight railroads move to digitize their processes, rail companies are also looking into safeguarding their systems against hacking and other malicious attempts to disrupt freight rail operations. 

Those efforts to address cybersecurity are partly because federal regulations, not just in the U.S. but also for other countries, are starting to require companies to tackle the issue.

“The awareness [within the freight and passenger rail industry] is very high. There are many reasons, but one is that regulation in each country has started to focus on cybersecurity for critical infrastructure, and particularly for rail. The reason for rail is because the impact of that trains have on the economy,” said Amir Levintal, chief executive officer for Cylus, an Israeli-based company that focuses on cybersecurity solutions for rail assets such as rolling stock and signaling. Cylus works with companies in North America, Europe and Asia.

Currently, the U.S. government requires railroads to address communications and security requirements for positive train control (PTC) systems per federal code for PTC. The Federal Railroad Administration, which crafted the federal code for PTC, would include cyber threats to PTC systems as a potential security risk. But beyond that, it’s up to companies to decide how to implement cybersecurity measures.

The freight rail industry didn’t say much about this topic for this article. The Association of American Railroads didn’t return repeated requests for comment, while the seven Class I railroads either didn’t return requests for comment or declined to comment.

But the freight transportation industry overall has been working to address cybersecurity, especially amid potential threats to the supply chain. The trucking industry and its supply chain rank fifth among all businesses at risk of cybersecurity attacks as the number of possible threats against the transportation sector has grown 100-fold in just four years, FreightWaves recently reported

Meanwhile, government efforts to address cybersecurity in transportation include the Transportation Security Administration’s initiatives to disseminate information on cybersecurity and a federal working group involving several agencies to address cybersecurity research and development among several sectors, including transportation.

Passenger rail is also addressing cybersecurity through initiatives such as a cybersecurity working group through the American Public Transportation Association.

Potential cybersecurity risks in freight rail

There are several characteristics to freight rail that make the industry vulnerable, according to Levintal, who co-founded Cylus in early 2017 after he and others couldn’t find other companies that dealt with addressing cybersecurity in the rail vertical.

One is that the “safety-critical network” can be vulnerable to cyber attacks because hackers could potentially trigger a train’s safety mechanism, telling it to stop. He defined that network as the rolling stock, the signaling network and the locomotive.

If someone can hack into a company’s rail network and stop a train, that could impact the company’s rail operations and disrupt the supply chain. 

“If someone is sending a message to the safety-critical network and doing something that is not safe or not standard, the train will stop. It’s very easy to stop a freight train and then impact the profitability of a company,” Levintal said.

Another issue is the age of the technology deployed for PTC systems, which uses wireless communications and connects trains to wayside signals. Although the deployment of PTC is still ongoing, the technology is already several years old and companies will need to keep up with newer potential threats. 

“Usually attackers are trying to find the weakest link in the train, and interoperability or integration between two technologies usually leaves a weak link that might have vulnerabilities,” Levintal said.

New tenders for rail projects worldwide are taking into account the need to address cybersecurity, but existing systems must also take the issue into account.

“We see more tenders for new lines with cybersecurity requirements built into them. This is a good new start, but on the other hand, for existing rail and existing lines, I think there’s much more to do. If it’s important to incorporate cybersecurity measures to new tenders, it’s obviously very important to start developing working cybersecurity measures on existing ones,” Levintal said.

“Security is part of [maintaining] the safety of the network. If safety is important for the rail industry, they must be focused on cybersecurity,” he said.