In November of last year, Amtrak’s Office of Inspector General published an investigation into the federal rail service’s operational technology. These tools are critical to Amtrak’s service and affect everything from signals to train dispatching. But, according to the inspector general, the railroad wasn’t maintaining a standardized inventory of all its OT assets, exposing Amtrak to a range of cybersecurity risks.
Now, months later, it appears that Amtrak’s cybersecurity team has yet to make a complete and centralized inventory of its operational technology, and does not have “immediate access” to the separate spreadsheets where they are currently tracked. In an email discussing a related public records request, an Amtrak information and records manager told FedScoop that the office did not know which of the many employees referenced in the OIG report might currently have those spreadsheets.
The OIG report argued that Amtrak’s approach was “contrary to industry standards” and may increase “the risk of cyberattacks that could disrupt mission-critical operations.” Amtrak, of course, remains a critical service provider in the United States, and was responsible for transporting tens of millions of passengers last year alone.
Un-inventoried operational technology presents different risks than un-inventoried information technology, but the OIG report still noted that Amtrak’s “practices for identifying and tracking OT assets are not effective because it does not manage the cybersecurity of these assets with an enterprise-wide approach.” David Tochen, an attorney who focuses on transportation issues at Fox Rothschild, and who served as general counsel at the National Transportation Safety Board, called the November OIG report “quite sobering.”
“It prevents you from understanding your exposure attack surfaces,” added Kevin Kumpf, a chief strategist at the cybersecurity firm Cyolo who has written about rail security. “You must establish a baseline. You must do vulnerability scanning to prevent ransomware. If you’re gonna do vulnerability scanning, you have to know all your assets to scan.”
The inspector general’s report pointed to several concerning anecdotes. In one instance, for example, the Department of Homeland Security sent a security alert to Amtrak’s Information Security team about a potential vulnerability, only to have the Information Security team email “five business department employees” to figure out if any of their assets could be impacted by the issue flagged by DHS.
When FedScoop filed a public records request for these spreadsheets in July, Amtrak sent a response noting that “Amtrak employees are maintaining OT asset data in separate inventories and spreadsheets, none of which are tracked” and that “[c]ybersecurity does not have immediate access to these spreadsheets.” Amtrak is in the process of developing a centralized asset management system, the response email to FedScoop noted, but did not say when it would be complete.
Some experts question the overall significance of the issue. The OIG report was “really overblown,” according to Patrick Miller, the CEO of Ampere Industrial Security. Many larger organizations, and particularly those dealing with legacy OT, operate as Amtrak has, he argued. Most of the assets that Amtrak might be dealing with are not connected to the internet, and they are unlikely to be receiving frequent software updates anyway, Miller said.
“It will improve your security posture,” Miller told FedScoop. “But will it make it to a state where they can patch it when Microsoft issues a patch every Tuesday? No, it won’t do that. And not because they can’t do it or won’t do it or they’re negligent, but just because you just can’t do that with OT. It just doesn’t work that way.”
The report, which was partially redacted, noted that management expected to address all the issues by December 2023.
FedScoop reached out to Amtrak’s press office for comment in early July and requested more information on the status of several recommendations that the Office of the Inspector General made, which included creating a network diagram to fully understand the scope of its OT assets and forming a working group focused on tracking these systems.
In a statement, Amtrak said: “Amtrak is in compliance with TSA’s Security Directives for cybersecurity, which includes an inventory of critical cyber systems. We have also submitted a Cybersecurity Implementation Plan that details our steps to protect these critical systems. Additionally, a Cybersecurity Assessment Program has been developed to proactively assess critical cyber systems to determine the effectiveness of the Cybersecurity Implementation Plan.”
The railway company added: “The safety and security of passengers and employees is our highest priority, and we are always looking to improve security. The OIG report outlined four recommendations. We have addressed two of the recommendations. While we recognize the need for continuous improvement of the company’s cybersecurity posture, Amtrak continues to make significant investments in cybersecurity and a plan is in place to address the other two recommendations to meet the deadline for completion.”
Kumpf pointed to a Transportation Security Administration security directive released last October that directed owners and operators of rail services to submit a cybersecurity implementation plan for agency approval. As part of the cybersecurity measure, these operators are supposed to implement several requirements related to operational technology.
Recent cyberattacks on railways

June 2022: Hackers target Lithuania’s state railway, airports, media companies, and government ministries with DDoS attacks. A Russian-backed hacking group claimed responsibility for the attack.

November 2022: Hackers damage Danish State Railways’ network after targeting an IT subcontractor’s software testing environment. The attack shut down train operations for several hours.

December 2022: Ukrainian government agencies and state railway systems are hit with email phishing attacks. The emails, which contained information on kamikaze drone identification, deployed malware designed for espionage onto victim machines.

April 2020: An unknown third party gains unauthorized access to certain Amtrak Guest Rewards accounts.
“TSA is aware of this OIG Report and is engaged with Amtrak related to the TSA Security Directives. The Cybersecurity Security Directive, issued in October 2022, requires, among other items, operators to conduct an inventory of all cyber systems and identify those systems that meet the criteria for critical cyber systems,” DHS told FedScoop in a statement last week. “Amtrak is current in meeting the performance-based provisions of the Security Directive, and has identified the operator’s critical cyber systems.”
“TSA remains engaged with Amtrak, and we continue to work across the transportation system with owners and operators to strengthen their cybersecurity posture toward outcomes that ensure preparedness and resilience,” the DHS statement added.
DHS did not share more information on how Amtrak is following the requirements of this directive without an inventory of its operational technology.
“Historically, [TSA] directives have emphasized processes and reporting of security breaches in both Operating Technology (OT) and IT systems,” the Federal Railroad Administration, which has a role in certifying the cybersecurity of Amtrak’s positive train control systems, told FedScoop in an email. “However, TSA has recently focused on more prescriptive requirements to segregate OT systems from IT systems as well as methods to secure communications and internet-based systems.”
There’s a growing focus on railroad cybersecurity. Last November, hackers targeting a railway in Denmark shut down trains for several hours. In 2020, Amtrak announced that hackers had gained access to its guest rewards systems. The University of Maryland recently founded a center devoted to rail cybersecurity, citing the increased use of digital technologies in railway operations.
At the same time, interest in the cybersecurity of operational technology is also surging, especially as technologies that help operate and support physical infrastructure become increasingly integrated.
The National Transportation Safety Board said it did not comment on issues the agency wasn’t investigating or had investigated in the past. The American Rail Association said it does not comment on its association members.
Editor’s note, 7/18/23: This story was updated to include comment from Amtrak.