Case Study: Find the Most Cost-effective Controls against Cyber Attack on a Railroad’s Automated PTC Safety System

By Christina Dulovich | March 6, 2020


In this case study, RiskLens Professional Services team members help the company’s analysts uncover the likely impact of a cyber attack that could have devastating effects on railroad operations – and weigh the options for security investments on a cost/benefit basis, using the RiskLens Platform and the FAIR™ Model for cyber risk analysis.

The Challenge

A railway company with over $900M in total assets was preparing for the upcoming Federal Railroad Administration (FRA) Positive Train Control (PTC) regulations. The regulation requires full PTC implementation and full functionality on all track lines by December 31, 2020. PTC systems use communication and processor-based train control technology to prevent train-to-train collisions, overspeed derailments, incursions into established work zone limits, and movements of trains through switches in the wrong position.

Executive management was faced with a decision: implement network-wide multi-factor authentication (MFA), or invest in additional application programming interface (API) security measures to protect the functionality of their PTC system? The organization’s conventional approach to risk rankings could not support executive management’s decision. To answer this question, the security team needed to start communicating risk using the method best understood by business stakeholders: dollars and cents. They turned to the RiskLens Platform and Professional Services team.

The RiskLens platform combines an intuitive workflow process for scoping and data collection with a sophisticated analytics engine based on Factor Analysis of Information Risk (FAIR™), the industry standard for the quantification of cyber risk.

The Solution 

Analysis began on the amount of risk associated with a cybercriminal causing a system-wide outage of the PTC system via stolen credentials or phishing. The analysts used the easy scoping capability within RiskLens to rapidly determine what data points were necessary for the analysis, effectively reducing their workload by removing research into data that did not ultimately support quantifying risk.

The analysis collected data through structured workshop questions on key risk and control factors including historical number of malicious cybercriminal campaigns, existence of monitoring tools, segmentation of the network, number of locomotives potentially impacted, financial impact to the organization’s productivity, and resources required to respond to the outage. The analysis also took into account fines that might be imposed from FRA regulations.

Over the course of a three-day period, the organization was able to efficiently produce both high-level reporting and detailed results describing, in financial terms, the effect of a system-wide outage of PTC.

Figure 1 illustrates the loss exposure materialized across several categories that incorporate incident response efforts, lost productivity due to the outage, regulatory fines, and lost market share. The tabular data communicates the varying range of probable outcomes.

Figure 1: Loss exposure by category

Analysts then created alternate, future-state scenarios to make “what-if” adjustments to the baseline scenario to model risk in the event that network-wide multi-factor authentication or additional API security is implemented. These comparison reports provided the organization with tangible data to make a decision on the type of control to implement. The results were telling – one type of investment clearly outweighed the other in terms of risk reduction.

Key Benefits

The RiskLens platform allowed the organization to rapidly quantify the loss exposure of a cybercriminal causing a system-wide outage of the PTC system. Additionally, the quantitative inputs and documented rationale provided an opportunity to review and challenge the inputs used during the analysis. More importantly, the analysis empowered management with data to make a strategic decision on the type of control to invest in while maximizing their risk reduction.

Figure 2: Loss exposure comparison. Current State $6.8M, additional API security $6.2M, Multi-factor Authentication $2M

Inevitably, the estimates used to calculate risk have a degree of uncertainty associated with them. However, these estimates, like all data input into the analysis, are expressed as distributions, which allows the organization to account for that uncertainty.

Figure 2 compares the loss exposure of the current-state environment with the loss exposure once either of the two controls is implemented. Combined current state loss exposure (average) was $6.8M annualized. Implementing additional API security only slightly decreased the loss exposure by $800K, which was driven primarily by a slight reduction in the vulnerability of the PTC system itself to the cybercriminals.

The more significant impact was the $4.8M risk reduction from implementing network-wide multi-factor authentication, which was driven primarily by the reduction in threat event frequency. For the cybercriminals to be a threat to the PTC system, they would first need to gain a foothold on the network. Implementing network-wide multi-factor authentication would create an additional barrier for the cybercriminal to bypass before they would be in position to be a threat to PTC. This decrease in threat events ultimately reduces the frequency of the loss event – the outage of PTC.
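The comparison above can be sketched as a small FAIR-style Monte Carlo simulation. This is an added example, not RiskLens code and not the case study's data: every input range below is constructed for illustration, and the model is simplified to loss event frequency = threat event frequency × vulnerability, with a per-outage loss magnitude.

```python
import math
import random
from statistics import mean

# Constructed inputs for illustration; not the case study's data.
# Each tuple is (minimum, most likely, maximum) for a triangular distribution.
#   tef  = threat events per year that reach the PTC system
#   vuln = probability that a threat event becomes a loss event (the outage)
#   loss = loss per outage in $M (response, productivity, fines, market share)
BASE = {"tef": (0.5, 2.0, 6.0), "vuln": (0.20, 0.35, 0.50), "loss": (2.0, 7.0, 20.0)}
SCENARIOS = {
    "current_state": BASE,
    # API security: slightly lowers vulnerability, same threat event frequency.
    "api_security": {**BASE, "vuln": (0.18, 0.31, 0.45)},
    # Network-wide MFA: fewer attackers get a foothold, so fewer threat events.
    "network_mfa": {**BASE, "tef": (0.1, 0.6, 2.0)},
}

def tri(rng, low, mode, high):
    return rng.triangular(low, high, mode)

def poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(params, trials=20000, seed=2020):
    """Return mean, 10th and 90th percentile of simulated annual loss ($M)."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        # Loss event frequency = threat event frequency x vulnerability.
        lef = tri(rng, *params["tef"]) * tri(rng, *params["vuln"])
        events = poisson(rng, lef)
        years.append(sum(tri(rng, *params["loss"]) for _ in range(events)))
    years.sort()
    return {"mean": mean(years), "p10": years[trials // 10], "p90": years[trials * 9 // 10]}

def compare():
    return {name: simulate(p) for name, p in SCENARIOS.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:14s} mean ${r['mean']:.1f}M  p10 ${r['p10']:.1f}M  p90 ${r['p90']:.1f}M")
```

With these constructed ranges, the control that cuts threat event frequency lowers the annualized mean far more than the one that trims vulnerability, and the percentiles show the spread that a single average hides.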

Through the use of the RiskLens platform, for the first time, the analyst team could report results to executive management that were actionable, using the financial language common to all stakeholders.