Pratum Blog


In 2015, a single rail system suffered 2.7 million hacking attempts in less than two months…in a simulation.

Project Honeytrain, a massive cybersecurity experiment conducted by two prominent security companies, Britain’s Sophos and Koramis of Germany, tried to identify risks to industrial transportation infrastructure by creating a fake railroad system online and watching the attacks against it. Although the simulation was conducted 7 years ago, a number of its findings remain relevant today:

  • Automated dictionary attacks to crack unknown passwords using common and overused words, phrases and combinations were the most frequent form of attack. Even with today’s increased awareness of the need for password complexity, dictionaries are simple, automatic and readily available out-of-the-box hacking tools that only have to work a single time to be worthwhile for the hacker.
  • “Only” four of the attacks resulted in successful logins, but two of those were from dictionary attacks. Attackers who successfully logged in once then logged in repeatedly.
  • One attacker was able to commandeer the front lights of a simulated train engine.
  • Security settings were discovered and exported. The same attacker who took control of the front lights also tried to log into the track signaling interface.
  • Another attack was on the media server, aimed at altering a public-facing website.

What this experiment uncovered is that a sizable portion of railway hackers don’t just have cybersecurity knowledge, but also have a deep understanding of the complexities and intricacies of the rail industry and operations.
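The pattern in the findings above (a burst of failed logins from one source, a success, then repeated logins with the same account) can be searched for in authentication logs. The following is an added example, not part of the original post or of the Honeytrain project; the log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source address, account, result.
# Not Honeytrain data; addresses come from documentation ranges.
SAMPLE_LOG = """\
2015-03-01T10:00:00 198.51.100.7 admin FAIL
2015-03-01T10:00:02 198.51.100.7 admin FAIL
2015-03-01T10:00:04 198.51.100.7 admin FAIL
2015-03-01T10:00:06 198.51.100.7 admin FAIL
2015-03-01T10:00:08 198.51.100.7 admin FAIL
2015-03-01T10:00:10 198.51.100.7 admin FAIL
2015-03-01T10:00:12 198.51.100.7 admin OK
2015-03-01T10:05:00 203.0.113.20 operator FAIL
2015-03-01T10:05:20 203.0.113.20 operator OK
2015-03-01T10:20:00 192.0.2.44 root FAIL
2015-03-01T10:20:01 192.0.2.44 root FAIL
2015-03-01T10:20:02 192.0.2.44 root FAIL
2015-03-01T10:20:03 192.0.2.44 root FAIL
2015-03-01T10:20:04 192.0.2.44 root FAIL
2015-03-01T10:20:05 192.0.2.44 root FAIL
2015-03-01T11:30:00 198.51.100.7 admin OK
2015-03-02T08:15:00 198.51.100.7 admin OK
"""


@dataclass
class Finding:
    source: str
    account: str
    failures_before: int      # failed attempts inside the window before the success
    first_success: datetime
    repeat_logins: int = 0    # later successful logins from the same source


def parse(line):
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account, result


def detect(log_text, min_failures=5, window=timedelta(minutes=10)):
    """Flag successes that follow a burst of failures, and count return logins."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    findings = {}                  # (source, account) -> Finding
    for ts, source, account, result in events:
        recent = failures[source]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if result == "FAIL":
            recent.append(ts)
        elif result == "OK":
            key = (source, account)
            if key in findings:
                findings[key].repeat_logins += 1
            elif len(recent) >= min_failures:
                findings[key] = Finding(source, account, len(recent), ts)
    return list(findings.values())


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

A single mistyped password followed by a success (203.0.113.20 in the sample) stays below the threshold, and a source that only fails (192.0.2.44) produces no finding here; it would be reported by a separate failed-login rate alert.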

The Scope of Railway Infrastructure Cybersecurity Attacks and the Rise of Ransomware

“An unlooked-for consequence of the railroad, is the increased acquaintance it has given the American people with the boundless resources of their own soil…Railroad iron is a magician's rod, in its power to evoke the sleeping energies of land and water.” – Ralph Waldo Emerson

As deep as our country’s “rail roots” run, America’s relationship with rail is more than poetic romance. In a typical year, continental U.S. freight railroads move around 1.7 billion tons over just under 140,000 miles of track and account for 40% of all American freight. Passengers travel about 17 billion miles a year on rail. American rail composes a major part of the national economic circulatory system. Spiritually, emotionally and physically, rail built the modern US economy and is a critical component of the transportation industry. In conjunction with the trucking industry, transportation can account for 40-60% of the overall costs of supporting a supply chain.

The interchange between trucking and rail has produced new innovations. The new Des Moines Transload Facility provides one of the few places in the country where multiple Class 1 (national) and Class 2 trains can seamlessly, openly and competitively exchange freight with trucking companies or even other rail companies. This increased efficiency is critical to lowering shipping costs and making the entire transportation infrastructure more robust, but it also demands an innovative approach to transportation cybersecurity risk management.

Since Honeytrain, the cybersecurity threat landscape for real rail companies has only grown. Last month, many trains in Denmark ground to a halt for several hours. It was the result of a third-party vendor falling victim to ransomware.

Rail is very big business and is therefore also a very big target. Cybersecurity in the rail industry is only one part of supporting a safe supply chain, but it is critical.

The Growing Relationship of Operations and Information Security – Risks and Opportunities

In the old days of rail there was only operational technology. When information technology was first introduced, it was thought of as an add-on to the infrastructure. The CIO was in charge of Information Security, and the COO took care of everything that wasn’t a workstation, server or network, such as locomotives, cranes, signaling and switching, rail cars, and anything that causes that equipment to run. With the growth in IoT technology digitally interconnecting once fully autonomous, individually controlled machines, everything from GPS-connected freight locators to internet-accessible locomotive controls, is now under the purview of information technology. The CIO and COO have a lot of overlapping responsibilities.

Traditionally operational equipment is becoming more digital. Telematics and other information are readily available. This is great for operations, but provides more challenges for cybersecurity in transportation. This includes ransomware. Rail is uniquely vulnerable to paying high ransoms, just because of the high value of the freight that could be stalled in transit. The value of planning, detection and response in rail cybersecurity can’t be overstated. Project Honeytrain demonstrates the value of rail companies regularly scheduling red team exercises and penetration testing in anticipation of thwarting future attacks.

Rail Cybersecurity Mitigation Actions and Testing Directive

Rail systems now have more and clearer guidance than ever before when it comes to cybersecurity. In October, the U.S. Transportation Security Administration released the Rail Cybersecurity Mitigation Actions and Testing Directive. With the growing sophistication of attack technology, bad actors, organizations and even governments, and with the growing importance of rail as critical infrastructure in the supply chain, the TSA has directed U.S. rail owners and operators to do the following:

  • Identify critical cyber systems.
  • Develop network segmentation policies and controls to ensure that operational technology systems can continue to run safely if IT systems are compromised.
  • Create control measures to secure and prevent unauthorized access to critical cyber systems.
  • Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
  • Reduce the risk of exploitation of vulnerable systems by applying security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
  • Establish a Transportation Cybersecurity Assessment Program and send the plan annually to the TSA, describing how the rail carrier will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve vulnerabilities.

Safety and security of the rail network are paramount, and require having good technology, good information and good people in place with the power to act. If safety and security fail, freight fails.

For transportation cybersecurity planning and execution, contact the experts at Pratum today.


Among the many threats to employee internet security is “SMiShing,” in which bad actors try to steal personal or company data or set up a scam via text.

Imagine if one of your employees got this message an hour ago:

Jeff, this is HR. ACME’s corporate VISA card requires that you verify your PIN for verification that you are an authorized user. Please protect yourself and ACME’s account at once by simply replying to this message with your PIN.

How confident are you that Jeff did not dutifully and swiftly reply to the urgent message from “your” company with her corporate PIN? How confident are you that the attacker – posing as ACME HR -- didn’t ask for more personal or corporate information from Jeff before she caught on to the scam?

Welcome to one of the fastest-growing innovations in phishing: Short Message Service (SMS), text-based phishing…or SMiSHing, for short.

By now, you have likely been SMiShed multiple times, possibly even multiple times this week! Social engineering criminals have found that the ease and convenience of texting for legitimate purposes has created a target-rich environment for victimizing unsuspecting people.

A Real-Life Experience with an SMS Message Phishing Attack

A few years ago, I received a text message from an unknown number containing my full name and asking the simple question of “how are you?”

As a cybersecurity professional, I decided to – with caution – investigate the obvious attempt at SMiSHing. It was quite an interesting text message to receive, especially since it contained my full legal name. Already a little suspicious, I responded with “Hello, who is this?” to validate that it wasn’t someone I recently met. The conversation that ensued between me and “Mr. A Morgan” was very clearly an engagement with a social engineer – not a bot – but a real human. I knew and understood immediately that this text message was not legitimate, but I proceeded with the conversation to accomplish a few objectives: consume this person’s time from targeting other individuals and learn how social engineers were trying to steal money/information in 2018 via this avenue of communication.

Image: Screenshot of actual SMS Message Phishing Attack sent to Matthew McGill's phone.

Keep an Eye Out for These SMiShing Tactics

Social engineers will use many tactics to try and coerce information out of us, attempting to catch our eye through tempting offers or the use of fear. The following points are a series of tactics that social engineers may employ to obtain such information.

  • Social engineers know how people work and operate, so they very clearly and intentionally craft attacks to play on some of our biggest psychological fears and wants. They also understand that not everyone will “buy into” their scheme, so they tend to stay broad in their language. Avoid ambiguous texts that fail to mention specific locations, organizations, websites, names, etc.
  • Mention of Western Union. For whatever reason, payments through Western Union tend to be the most popular form of money transfer in such attacks. If a text message says “wire money” via Western Union, this should cause you to raise an eyebrow.
  • Never click on links or navigate to unknown websites as prompted by an attacker. Websites pose a much greater risk to you and your personal information.
  • Legitimate physical locations or addresses will sometimes be included to lend realism. You can look up 4477 Peachtree Industrial Blvd. Norcross, GA 30044, and a real location (with the actual ZIP of 30071) will appear – as vacant land for sale. Not exactly the sort of “pot hole rehabilitation” company you might expect in the Midwest.

Four years later, these principles remain in effect, but the attacks have become more sophisticated and targeted. Employees who once believed themselves socially immune to the grammar-challenged texts of the late 2010s are now succumbing to the deceptive requests in droves. In 2021 they were a problem to the tune of $44 billion in losses, just in the US. According to the FBI, the situation is only getting worse. CNET reports that smishing attempts increased 24% in the United States alone and 69% globally. The average consumer now receives 19.5 spam texts per month, double the rate three years ago.

Extending the “ACME” Employee Scenario

Let’s play out the scenario with Jeff just a little further:

Jeff: Sorry, wrong number.

Attacker: This is the number we have listed as the account. If it is a wrong number, ACME’s corporate VISA card will be suspended for all users indefinitely. Please enter your PIN at the following secure link: securelink.visa@ACME

Jeff: Can you verify that this is ACME?

Attacker: ACME, Inc. FEIN: 123456789. This is Amy in HR. We talked at the company event this summer.

Jeff: Oh, hi Amy! So sorry. I’ll get you the PIN right away.

Much like some of the more gifted mentalists and psychics on television, SMiShers have perfected the art of “cold reading” in their attempts to socially engineer others, which means that if they guess vague events correctly, they confirm to the target that they might be trustworthy. If they guess incorrectly (perhaps there is no Amy who works in HR – perhaps there were no company events last summer), Jeff will likely (at least briefly) doubt her memory of things or be embarrassed that she doesn’t remember ever meeting friendly, helpful “Dave from ACME.” The truth is that, even though Jeff may not initially have given away any useful information to “Amy”, even her initial “wrong number” response confirmed to “Amy” that the number had a live target on the other end. And that left Jeff open to further and more harmful social engineering techniques.

Protecting Your Employees from SMiShing

So, what can ACME – or you – do for employees?

  • If possible, enact some sort of clear “no text” policy with your employees. Assure them that your company will never contact them by text in such a way that asks for a direct response back via text. Corporate announcements or other “FYI” texts are probably okay, but if you need further action in communications, make sure employees know, well ahead of time and by corporate policy that they are to do so by emailing a known, pre-existing corporate in-box or by calling a known, pre-existing number. Make sure employees know that they are NEVER to text any corporate information to anyone under any circumstances.
  • Set up a safe forwarding system for employees to easily forward suspected SMiShing and phishing attempts to a monitored in-box. Then make sure known or persistent SMiShing attempts are publicized to your employees regularly, if for nothing else but to keep their natural “SMiShing-sense” up and monitoring for threats.
  • Make sure employees are aware of an “immediate error amnesty” policy or process, so that employees feel safe and encouraged to admit SMiShing errors at once without fear of punishment. The only thing worse than a successful SMiSh is an unreported successful SMiSh!
  • Set up professionally designed artificial SMiShing tests for employees on a somewhat regular basis. Measure the response rate. Let employees know – privately - when they fail the test. Report the statistics to your employees. Hopefully, over time, you can measure the improved resilience of your staff against SMiShing.
  • Encourage employees to block the number at once if they are ever suspicious about a text message they receive. There are websites and online tools, such as the FTC Complaint Assistant website, that allow you to report unwanted and unwarranted phone numbers.
  • Encourage employees to always try, independent of the texting stream, to validate the identity of the individual attempting the SMiSh. No financial institution or software company will ever contact employees and request information in this way. Never give out personal or digital information unless the correct identity has been proven and confirmed.

Social engineering is nothing new, and yet it continues to be one of the most attempted and successful ways attackers obtain information. It is important to stay alert to these attacks and their evolution in an ever-increasing digital age. Knowing the risks associated with personal forms of communication can help you stay ahead of the curve and avoid leakage of proprietary business intelligence. It is very important to take a proactive, risk-based approach to social engineering and the various phishing attack vectors. Pratum offers a suite of services ranging from security awareness training to the actual execution of ethical social engineering campaigns to address these concerns and help your organization mitigate its overall risk.


In an already unfavorable economic environment, state-sponsored and criminal cyberattacks made day-to-day operations difficult for businesses in 2022. Looking ahead to 2023, encryption technology company NordLocker named 7 cybersecurity threats and trends to watch in the coming year:

1. The rise of fileless malware. Because fileless malware does not require its victim to download any files, it is practically undetectable by most information security tools. Malware of this kind exploits vulnerabilities in previously installed and trusted (and usually well-known) software applications. Fileless malware requires significant skills to develop and conduct, but it attacks without introducing a foreign file into your system. It sneaks into legitimate operating system processes (especially Windows PowerShell) and works against you. That makes it extremely hard to detect through traditional antivirus software, which works by looking for known file signatures.

2. Targeting supply chains. The interconnected world of commerce has a critical vulnerability in the supply network that only becomes more exposed as the interconnectedness grows. By targeting companies that play critical roles in the activities of other businesses, such as raw materials suppliers or logistics firms, cybercriminals can grind an entire supply chain to a halt and apply mounting pressure to make victims meet their demands. We already see this trend in 2022, and these types of attacks are only ramping up. A data breach anywhere in a business’ supply chain can quickly cascade through other organizations, shutting down operations and creating significant costs. That means businesses must take an active interest not only in their own information security posture but in the security of companies they rely on throughout the supply chain.

3. Employees will be a weak link in corporate cybersecurity. The human factor is a factor in more than 80% of cyberattacks. This means that companies must improve employee awareness and agency. When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. The reality is that employees manage designing, implementing and following all controls put in place to protect sensitive information. One misstep by an employee can spell disaster in terms of information security. And it often does. The good news is that by supplying effective information security training to end users, we can solve many security issues. 

Rather than viewing your employees as a weak link to offset, enlist them as frontline defenders against cybersecurity threats. Use our Employee Security Awareness Training Planner to get started.

4. Ransomware will become more targeted. Usually, ransomware is spread randomly to numerous targets by phishing or other social engineering methods with the hopes that someone will click the link or supply their credentials. What criminals are developing now, however, is a much more selective, customized approach to social engineering. This means that it is more important than ever that you are actively watching for attacks. If a ransomware actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that it takes 280 days to identify the average breach. You can do a lot better. The latest defense is a Managed Extended Detection and Response solution that constantly monitors activity, uses artificial intelligence to recognize multiple different acts as a brewing attack and actively steps in to shut down suspicious activity.

5. Cloud security will become increasingly important. Cloud storage and networking continues to grow. If you’re thinking only in terms of access to office-based computers and servers, you’re several years behind. The rapid switch in 2020 to working from home should cement our understanding that the dispersed workforce is here to stay. Your data probably lives largely in the cloud with access coming from dozens of personal devices and home networks. Your plan and training need to cover all of that.

6. The EU threatens interoperability laws, which may make encryption more challenging. In order to encourage greater interoperability between services and devices, the EU put forward a proposal that could weaken encryption laws in Europe, which could have negative effects on encryption worldwide. If it passes, the new law will require digital platforms to scan every single message or file sent through their services for suspicious content. Even if the law is approved, understanding email encryption and figuring out how to balance user security and interoperability is important. The dangers of not encrypting emails are numerous. Not only do you put your clients’ information at a higher risk of being leaked, but you also put your own business at risk. If a criminal were to access private information on your client or your company, they may try to use that information for extortion. They could also utilize certain details found to try and access other areas of your company. With the right data, a threat actor can gain access to systems that are configured securely.

7. Reduced cybersecurity spending will expose vulnerabilities. In a recession, many companies and individuals are rethinking their budgets, and cybersecurity spending is often among the first to receive a cut. This presents an opportunity for criminals who will take advantage of the lowered barriers to entry. It is possible that budget-tightening alone could make 2023 one of the costliest and most destructive years for entities affected by cybersecurity incidents, which means that companies should not avoid spending, but instead should be seeking ways to make spending more effective. By keeping it simple, communicating with numbers, getting to the point quickly, using visuals and not making assumptions, the trusted security expert at a company will make cleaner, more persuasive, more efficient advocacy for risk mitigation and network visibility and defense.

Pratum’s approach to cybersecurity threats is one that is based on risk, not fear. If you are looking for a trusted cybersecurity partner who can maximize your opportunity to extend your security to meet the demands of 2023, contact us today.
