Globally, the rail industry has been the target of many cyber attacks. These
attacks can hit both passenger and freight rail systems and can affect profits
and system reliability. Even small railroads have been attacked, and the
American Short Line and Regional Railroad Association (ASLRRA) has initiated
some cyber security training to help them with their security.

As larger rail agencies adopt the National Institute of Standards and
Technology’s (NIST) Cybersecurity Framework, smaller agencies have started to
follow along. This is especially important if their systems are interconnected.
A guideline that is particularly useful to railroads is that they should keep
track of all devices on a network, both authorized and unauthorized. Additionally,
companies should be strict about what software is allowed to be installed on
computers.

The ASLRRA recommends that companies perform checkups every couple of years to
make sure that the security guidelines are being followed. This assessment
should result in a plan for fixing any issues found. Third parties can be used
to make these assessments, but the groups chosen should be working towards the
NIST Cybersecurity Framework and not just trying to sell a product. If things
are done correctly, railroads can defend against these threats.