Russian Railways (RZhD) is looking for more cost-effective ways to use the railway equipment resources of its Central Infrastructure Directorate (a branch of JSC RZhD). To reduce electricity costs, JSC NIIAS, a leading industry institute of JSC Russian Railways, developed a cutting-edge project called «SMART. Railway Switch Heating». It optimizes electrical heating of railway switches through process automation and autonomous adaptation to environmental parameters.
This type of project could not have been created without integrated cybersecurity. A successful attack on «SMART. Railway Switch Heating» could not only disrupt system operations but also threaten the information security and physical security of the infrastructure. Kaspersky technologies helped protect this project at all levels. One of these technologies is a specialized KasperskyOS-based solution called Kaspersky IoT Infrastructure Security, which ensures that the internet of things is secure and functional.
Electrical heating of railway switches throughout most of the JSC RZhD network is managed manually.
The existing switch heating system has the following flaws:
«SMART. Railway Switch Heating» will help resolve these problems through adaptive control based on the monitoring of the temperature of rails, weather conditions and the state of electrical devices. Automated online processing of these parameters will help optimize heating operations, and Kaspersky solutions provide comprehensive protection of the infrastructure and prevent cybercriminals from exploiting its vulnerabilities.
Expanding automation and digitizing the infrastructure of Russian Railways significantly increases the risks of cyberattacks being launched against its facilities. Data transfer channels, cloud platforms and IoT devices attract the most attention from cybercriminals.
Unauthorized connections to the “SMART. Railway Switch Heating” system may lead to malware infection of an automated workstation and, consequently, cause a disruption in its operations. For example, cybercriminals might attempt the following:
Digital infrastructures connected to the internet are especially prone to attacks from the outside. The “SMART. Railway Switch Heating” system is most vulnerable to the following threats:
Cybersecurity of the railway switch heating system requires an integrated approach at all levels of the architecture:
Levels | Threat vectors | Kaspersky products and solutions |
---|---|---|
Management level | Antivirus protection | Kaspersky Hybrid Cloud Security; Kaspersky Total Security for Business |
Data transmission channel | Protection of data transferred to the cloud via traffic encryption (TLS-MQTT); protection against external threats (Firewall/IPS); DDoS (channel unavailability) | Kaspersky IoT Secure Gateway 1000; Kaspersky DDoS Protection |
Endpoint level | Detection of unauthorized devices; prevention of unauthorized interactions (Firewall); protection of the gateway against hacking: | Kaspersky IoT Secure Gateway 1000 |

Kaspersky IoT Secure Gateway (KISG) 1000 is a hardware and software system based on the KasperskyOS operating system. The technologies of this OS do not allow manipulation of its critical functions and block all unauthorized actions by default. The gateway protects data, generates security events in the IoT infrastructure, enables management of connected devices via the MQTT protocol over TLS, and helps build secure systems for the internet of things. KISG 1000 is administered centrally through the Kaspersky Security Center platform.
Kaspersky Hybrid Cloud Security is a solution for protecting virtual machines and systems (local ones as well as those residing in data centers or in public clouds).
Kaspersky Total Security for Business is a solution for protecting endpoint devices (workstations and servers) and other nodes of an enterprise network (mail servers, internet gateways).
Solutions developed by Kaspersky ensured the cybersecurity of the «SMART. Railway Switch Heating» system at all levels, and made the system transparent and manageable.
Attack vector | Potential threat | Kaspersky products and solutions |
---|---|---|
Cloud | DDoS (system unavailability) | Kaspersky DDoS Protection (service) |
Cloud | Compromise (hacking, gaining access, modifying configurations, data spoofing/leakage) | Kaspersky Hybrid Cloud Security |
Data transmission channel | Compromise (Man-in-the-Middle, gaining access to data and substituting it) | Traffic encryption (MQTT) ensures that the connection and data transfer are secure (Kaspersky IoT Secure Gateway 1000) |
Data transmission channel | DDoS (channel inaccessibility) | Kaspersky DDoS Protection |
Gateway | Gateway compromise — network or local attack/physical access (hacking, gaining access, modifying software configurations, data spoofing/leakage) | IDS/IPS, Secure Boot, Secure Update; inability to perform unauthorized actions or manipulate critical functions of the system (Kaspersky IoT Secure Gateway 1000 and KasperskyOS technologies) |
Internal IoT network (inside breach) | Breach of the structural integrity of the network (new unauthorized connections to the network) | Network Discovery — detection of a breach and notification about the connection of an unauthorized device/user (Kaspersky IoT Secure Gateway 1000) |
Cloud platform (external breach) | Disclosure and compromise of the “SMART. Railway Switch Heating” system | Kaspersky Hybrid Cloud Security |
System administration and operational maintenance processes | Difficulty of monitoring the IoT infrastructure and prolonged response time to information security incidents (inability to detect dangerous manipulation until physical damage is already apparent; lack of a full picture in real time; late detection/notification of the problem) | Multitude of notification capabilities: |
System administration and operational maintenance processes | Security system management and operational maintenance (lack of a unified system for management, reporting, and incident response) | Unified cybersecurity management system with a centralized system for reporting, logging, and notifications (Kaspersky Security Center) |