How an Israeli cybersecurity start-up plans to keep trains safe from hackers

Published Tue, Nov 12 20198:00 AM EST

Key Points

Railroads are operating on sometimes decades-old technology platforms that were created long before today's cyberthreats, says Amir Levintal, CEO of rail-focused cybersecurity start-up Cylus.
Cylus makes cybersecurity products for signaling systems and monitoring for other traffic-control devices that run alongside tracks, as well as systems meant for rider comfort, like heating and air-conditioning.
Cylus values the rail cybersecurity market at about $6 billion, with projected growth to hit $12 billion in 2027.
Cylus made the 2019 CNBC Upstart 100 list of the world's most promising start-ups, released Tuesday.

Amir Levintal is the CEO of Cylus, an Israel-based cybersecurity start-up focused on the rail and transportation industries. Cylus was named to CNBC's Upstart 100 List.

Cylus

Railroads are operating on ancient technology platforms that were created long before today's cyberthreats, says Amir Levintal, CEO of rail-focused cybersecurity start-up Cylus.

The problem affects only a small niche of industry, but it nonetheless worries many experts and lawmakers. At a February House Homeland Security Committee hearing on transportation cyberthreats, Rail Security Alliance Vice President Erik Olson listed the problems facing transportation, saying technologists "apply technology across every aspect of the nationwide freight rail network, effectively increasing the vulnerability of industrial control systems, train operations and perhaps even the industry's metadata warehousing centers to cyberthreats."

In the last several years, North Korea has reportedly tried to hack South Korea's rail transit system, and criminals have used ransomware to shutdown metro operations in Germany and San Francisco. Rail systems are vulnerable in two primary ways, which Cylus serves: first in how tracks are operated with signals, stop signs and pedestrian crossings, and then, within the ticketings systems, and onboard trains, where heat, air conditioning and safety functions are managed.

"Rail systems were designed in a way that every disruption necessitates that the trains stop running," Levintal told CNBC. "This procedure can potentially be exploited by cyber attackers to cause massive disruptions in the network."

An alarming recent history

Cylus makes software products in two areas: signaling systems and monitoring for traffic control devices that run alongside tracks, along with actual systems on trains, including operational and climate control systems. The company made CNBC's 2019 Upstart 100 list, released Tuesday.

Levintal says Cylus currently values the rail cybersecurity market at around $6 billion, with projected growth to $12 billion in 2027. The growth of the market can be attributed to increased connectivity as well as the growing use of modern technologies being integrated with legacy ones.

Several high-profile cyberattacks have significantly halted transportation in recent years, both consumer transportation and cargo transport. Ships were stranded in 2017 when a global ransomware attack hit Maersk. Shipments went unfulfilled across Europe when household goods maker Reckitt Benckiser was hit with the same bug. FedEx also suffered the 2017 incident, taking a $300 million charge.

Rail systems were designed in a way that every disruption necessitates that the trains stop running. This procedure can potentially be exploited by cyberattackers to cause massive disruptions in the network.
Amir Levintal
CEO of Cylus

In 2016, San Francisco's public transit system was struck by ransomware but continued operating free of charge for customers. Other incidents in large cities like Atlanta, Albany and Baltimore have raised concerns about how a successful attack could bleed into other spheres, including transit. Attacks, some fully disclosed and some not, across Germany, the U.K. and South Korea on public transportation have also raised alarms.

A unique problem

Levintal said he realized rail cybersecurity was a unique problem during his time serving in the Israeli Defense Forces Elite Technological Unit as director of research and development, where he worked alongside business partner Miki Shifman, also a member of the unit.

"Rail travel has undergone a digitization process that may be lagging behind other industries," Levintal said. "Train companies also use safety systems meant to last 30 years or more, which means many of these have been put in place long before contemporary hacking tools were available or threats known."

Formerly with the Israel Defense force, Ari Levintal (right) and Miki Shifman founded Cylus

Cylus

Tackling these problems is the shared responsibility of rail agencies, infrastructure management organizations, local governments and "rail integrators," which specifically deal with the challenges of upgrading these technologies.

Many of the legacy tools used in railways can't tell the difference between a cyberattack or a more innocent technical breakdown, and knowing the difference is an important factor in how first responders deal with the problem. For instance, in a cyberattack, an attacker may target vulnerable systems in sequence — so as soon as one system is back online, a new attack on a different system with a similar vulnerability brings it down.

"The ability to detect cyberattacks and make accurate assessments is critical. Without the proper information, rail companies cannot respond appropriately and false positives have the potential to cause debilitating delays," he said.

Levintal said he also expects growth in the need for tailored rail cybersecurity tools to come from the continued digitization process in the rail industry, including "wireless communication" hardware that is being introduced to improve efficiency of trains in many cities, as well as to maintain safety: "These new technologies have also increased the cyberattack surface, exposing railways to new types of hacks."