Understand Railroad Security
- Spring 2025
- Mark Coressel
Railroad security is often overshadowed by concerns over accidental derailments, which are highly visible and have immediate costs. While strong safety protocols are essential, they alone do not ensure security. A false sense of safety may arise if resources are allocated solely to accident prevention without addressing broader security risks.

Security in rail systems can be categorized into two distinct types: Physical Security and Cybersecurity.
Physical Security protects people, cargo, and infrastructure from theft, vandalism, or physical threats.
Cybersecurity focuses on safeguarding digital systems, operational technology (OT), and sensitive information from cyber threats.
Both aspects are interconnected, and their effectiveness relies on a comprehensive approach that acknowledges their unique challenges and solutions.
Physical Security
On January 13, 2025, thieves attacked a freight train traveling through a remote stretch of the Mojave Desert between Arizona and California. Their target? Not weapons, gold, or high-tech equipment—sneakers.
Specifically, 1,900 pairs of the highly anticipated Nigel Sylvester x Air Jordan 4s, set to release on March 14 at $225 a pair. The total haul? A staggering $440,000.
However, the impact went beyond financial loss. The theft disrupted product launches, affected the brand’s reputation, and underscored vulnerabilities in supply chain security. It served as a stark reminder: Identifying potential threats and mitigating security risks is crucial for railroad operations.

Security expert Shane Kerwin, Founder and Lead Instructor at Personal Survival Solutions, has collaborated with various businesses, leveraging his experience as a retired U.S. Army Master Sergeant and Green Beret. He stresses that security measures must be adaptive, proactive, and constantly updated. According to Kerwin, three essential security protocols can significantly mitigate risks—without incurring significant costs or requiring substantial effort.
1. See Something, Say Something
Your employees are your first line of defense. Fostering a culture where team members can report anything unusual without repercussions—such as unidentified individuals, misplaced equipment, damaged infrastructure, or unexpected delivery schedules—can help detect threats early.
The key is clarity. Employees should know exactly how and to whom to report concerns; every report should be taken seriously and investigated.
2. Controlled Access for Personnel and Guests
Restricting access to sensitive areas is a basic yet essential security measure, whether through secured badge systems, color-coded ID badges, or other verification methods. It should be easy to identify who belongs and who doesn’t.
Many organizations neglect to inform employees about changes in access, especially when someone is terminated. A disgruntled former employee can present a significant risk, so prompt communication regarding access revocations is essential.
3. Build Relationships with Law Enforcement and First Responders
Knowing your local police and emergency personnel strengthens security in two ways:
- They’ll respond more urgently to incidents at your facility when they have a personal connection to your team.
- Their expertise can help you improve security measures proactively.
Hosting a casual event, like lunch with your employees and local officers, fosters familiarity, making it easier for your team to seek help when needed.
The Cost of Inaction
Security isn’t just about prevention; it’s about cost management. Kerwin often reminds clients that the price of ignoring security risks can be far higher than the price of prevention: “Some individuals hesitate to invest in security for situations that ‘might not happen.’ But, consider the costs if something does occur—property loss, legal fees, increased insurance rates, damaged reputation, and expedited security upgrades at premium prices. Proactive security is always more cost-effective than reactive security.”
By implementing these straightforward measures, organizations can enhance security, protect assets, and build resilience against potential threats.
Cybersecurity
In May 2021, the Colonial Pipeline suffered a significant cyberattack when the hacker group DarkSide stole 100 GB of data and deployed ransomware. Colonial paid a $4.4 million ransom and shut down the pipeline from May 7-12 to investigate and repair its technology and security. That shutdown caused fuel shortages and price spikes, and President Biden declared a national state of emergency. The breach led to costly investigations, legal battles, and economic disruptions. The ransomware assault on Colonial Pipeline was a cybersecurity wake-up call to companies working in and around critical infrastructure networks. It showed how significant and extensive the costs and effects can be.

James Motes, Chief Information Security Officer at Ryan, LLC, found that “rail systems have seen a 220% rise in cyberattacks over the past five years due to increased digital connectivity and aging operational technology (OT) exposure.”
The ISA Global Security Alliance underscores the concern: “The railway industry is increasingly viewed as a viable target for cybercriminals. Signaling systems, traction systems, train control systems, passenger information systems, and station infrastructure are all potentially at risk. […] Railway systems, which have been considered safe for decades, can now be compromised by newly introduced digital commands. The manipulation of such commands can cause collisions and other nightmare scenarios: Cyber-criminals may decide to attack ticket machines, passenger information displays, and passenger Wi-Fi systems.”

Jeff Stark, Cranemasters’ CIO, notes, “In the railroad industry, there’s a combination of old and new technologies. A lot of rail technologies have been in use for decades. However, Wi-Fi, the Internet of Things, AI, and other advances have provided new, cutting-edge tools that provide opportunities but also potential threats. Differences in how legacy and newer systems work complicate connecting them without leaving the door open for cyberattacks. The challenge is bridging the security gap between these technologies, as we find new ways to gain efficiencies and interact with our clients.”
Your Primary Defense
Stark says your employees are your primary cybersecurity defense. He believes that your goal should be ensuring that all your employees understand IT best practices and follow them diligently. During his six years at Cranemasters and more than 25 years creating and supporting secure technology networks for Fortune 50 companies, including Verizon and IBM, Stark has defined four keys to ensure employees are prepared and your defense is as strong as possible.
1. Pay Attention and Stay Cautiously Aware
Employees use technology throughout the day at work and home. They can typically sense when something is wrong. Long boot times, programs that take too long to respond, and sudden or repeated browser crashes can indicate that your system has been hacked. Reporting suspicions is the best practice. Remind employees to remain “cautiously aware” in both their professional and personal lives. This isn’t about being afraid; it’s about being aware.
2. Dangers: Phishing, Ransomware, Spoofing, Malware, Virus
Spam arrives in everyone’s inbox daily. It’s important to distinguish between annoying emails and genuine email attacks. You want your employees to delete nuisance emails and report real threats. Awareness of actual threats that reach an employee’s inbox enables you to adjust your defenses, preventing similar emails from getting through to other employees.
3. Share Actual Examples
Once a threat is no longer a security risk, quickly inform your entire staff about the incident. Explain what actions you have taken to prevent its recurrence, what they need to do, and how they can identify and report it if it happens again. Breaches provide an opportunity for further security education for your employees and serve as a reminder of the importance of remaining vigilant.
4. See Something, Say Something
Clarify how and to whom suspected threats should be reported. It is essential to take every report seriously by investigating each one thoroughly. Additionally, do not discourage employees from reporting concerns, even if they seem excessive. Instead, treat false alarms as opportunities to educate employees on refining their skills in identifying risks. Ensure they understand that it is always better to over-report than to overlook a critical breach.
Stark emphasizes that staying abreast of technological changes and educating employees is essential for your cybersecurity defenses. However, it’s important to remember that no technology is impenetrable, and you cannot guarantee that a breach will not occur. Consider it an arms race and prepare for the inevitability of an attack.
Build Your Security Program
Here’s a straightforward three-step framework for developing and maintaining robust security programs:
STEP 1: Assess, Determine, Implement
- Assess your security risks and vulnerabilities:
  - What security risks exist for cargo, equipment, and personnel?
  - Is the location prone to high crime rates?
  - Who has access to critical computer networks?
  - What physical security measures (cameras, alarms, patrols) are needed?
  - How should security investments be prioritized within budget constraints?
- Determine the best security solutions based on identified risks.
- Implement security measures in a structured, strategic manner.
STEP 2: Train, Verify, Train
- Train employees thoroughly in security protocols relevant to their roles.
- Verify that protocols are being correctly followed. This process should focus on identifying weaknesses rather than punishing employees.
- Train continuously to ensure employees remain prepared and vigilant.
STEP 3: Evaluate, Update, Amend
- Evaluate security measures at regular intervals (monthly, quarterly, annually) to identify strengths and weaknesses.
- Update security measures in response to new threats, industry advancements, or environmental changes.
- Amend security protocols proactively to prevent costly breaches.
Step 4: Seek Expert Assistance
Consulting a security expert may be beneficial if your team lacks the expertise to conduct thorough security assessments. When selecting a partner, consider:
- Relevant expertise in physical or cyber security.
- Experience with security assessments and solutions for similar-sized organizations.
- Long-term partnership potential, rather than vendors focused solely on sales.
This is just a high-level outline to get started. The details of the plan will depend greatly on your particular situation, complexities, and goals. Security requires a relentless effort but is essential to preventing financial loss, reputational damage, and operational disruptions. Proactively strengthening your security posture today will safeguard your rail operations for the future.