Railroads are operating on ancient technology platforms that were created long before today's cyberthreats, says Amir Levintal, CEO of rail-focused cybersecurity start-up Cylus.
The problem affects only a small niche of industry, but it nonetheless worries many experts and lawmakers. At a February House Homeland Security Committee hearing on transportation cyberthreats, Rail Security Alliance Vice President Erik Olson listed the problems facing transportation, saying technologists "apply technology across every aspect of the nationwide freight rail network, effectively increasing the vulnerability of industrial control systems, train operations and perhaps even the industry's metadata warehousing centers to cyberthreats."
In the last several years, North Korea has reportedly tried to hack South Korea's rail transit system, and criminals have used ransomware to shut down metro operations in Germany and San Francisco. Rail systems are vulnerable in two primary ways, both of which Cylus serves: first, in how tracks are operated with signals, stop signs and pedestrian crossings; and second, within the ticketing systems and onboard trains, where heat, air conditioning and safety functions are managed.
"Rail systems were designed in a way that every disruption necessitates that the trains stop running," Levintal told CNBC. "This procedure can potentially be exploited by cyber attackers to cause massive disruptions in the network."
Cylus makes software products in two areas: signaling systems and monitoring for the traffic control devices that run alongside tracks, and the systems on the trains themselves, including operational and climate control systems. The company made CNBC's 2019 Upstart 100 list, released Tuesday.
Levintal says Cylus currently values the rail cybersecurity market at around $6 billion, with projected growth to $12 billion in 2027. The growth of the market can be attributed to increased connectivity as well as the growing use of modern technologies being integrated with legacy ones.
Several high-profile cyberattacks have halted transportation in recent years, both consumer transportation and cargo transport. Ships were stranded in 2017 when a global ransomware attack hit Maersk. Shipments went unfulfilled across Europe when household goods maker Reckitt Benckiser was hit with the same bug. FedEx was also hit by the 2017 incident, taking a $300 million charge.
In 2016, San Francisco's public transit system was struck by ransomware but continued operating free of charge for customers. Other incidents in large cities like Atlanta, Albany and Baltimore have raised concerns about how a successful attack could bleed into other spheres, including transit. Attacks, some fully disclosed and some not, across Germany, the U.K. and South Korea on public transportation have also raised alarms.
Levintal said he realized rail cybersecurity was a unique problem during his time serving in the Israeli Defense Forces Elite Technological Unit as director of research and development, where he worked alongside business partner Miki Shifman, also a member of the unit.
"Rail travel has undergone a digitization process that may be lagging behind other industries," Levintal said. "Train companies also use safety systems meant to last 30 years or more, which means many of these have been put in place long before contemporary hacking tools were available or threats known."
Tackling these problems is the shared responsibility of rail agencies, infrastructure management organizations, local governments and "rail integrators," which specifically deal with the challenges of upgrading these technologies.
Many of the legacy tools used in railways can't tell the difference between a cyberattack and a more innocent technical breakdown, and knowing the difference is an important factor in how first responders deal with the problem. For instance, in a cyberattack, an attacker may target vulnerable systems in sequence — so as soon as one system is back online, a new attack on a different system with a similar vulnerability brings it down.
"The ability to detect cyberattacks and make accurate assessments is critical. Without the proper information, rail companies cannot respond appropriately and false positives have the potential to cause debilitating delays," he said.
Levintal said he also expects growth in the need for tailored rail cybersecurity tools to come from the continued digitization process in the rail industry, including "wireless communication" hardware that is being introduced to improve efficiency of trains in many cities, as well as to maintain safety: "These new technologies have also increased the cyberattack surface, exposing railways to new types of hacks."