A report by The European Union Agency for Cybersecurity (ENISA) has outlined the growing threat of cyber-attacks to rail networks across the UK and Europe. These include balancing the needs for high levels of cybersecurity against business competitiveness and ensuring the security of legacy systems that may now be vulnerable to attack. As coronavirus restrictions ease and rail passenger numbers begin to rise again, finding the perfect balance between physical security and digital safety is vital for the future of the UK rail network.
Changing nature of cyber-threats
Cyber-attacks are arguably one of the most significant and serious threats to railway networks. As the modern rail network has rapidly evolved this has led to large scale increases in the quantity of systems on-board a modern train and those used in signaling networks, which has in turn increased the number of potential cybersecurity vulnerabilities. The railway is becoming a huge and mobile network of highly connected computers processing and analyzing data. This means cybersecurity begins with a fundamental challenge: if you do not know what is connected to your network then you cannot secure it. Ultimately, a network is only as strong as its weakest link.
The evolving nature of cybersecurity risk is impacted by the motivations of different people engaging with each system and the operational risk associated with change. Only some systems have a high level of safety integrity and with up to a hundred systems on-board a train, it can represent a target rich environment for a determined attacker. The primary goal of railway cybersecurity is to protect a system’s essential functions which, in some cases, are required to maintain the safety and availability of the rail network. Technical cybersecurity measures need to be implemented to provide protection, allowing the train to maintain a continuous operation. It is a balancing act that is continuously evolving.
New networks are often more complex than conventional networks found on established rolling stock and IT infrastructure. This requires a cybersecurity programme that considers the distinctive challenges involved with a moving digital data center. As more of the network becomes connected, there is an increase in vulnerability – especially at the points where new and legacy systems meet. Where there used to be gaps between systems, there is now a digital connection, so cyber-attacks can move across the network – making these legacy systems accessible and vulnerable to cyber threats.
The importance of security and safety
The rail industry has an incredibly effective culture around safety but in the past the focus around cybersecurity was more on protecting data, rather than the protection of safety critical infrastructure.
This is changing thanks to a couple of factors. Firstly, the EU Directive (NIS Directive) on security of network and information systems, which has been implemented across Europe, requires rail operators to boost levels of cybersecurity and develop a stronger and deeper culture around security. This has helped rail companies focus on designing and implementing more effective cybersecurity programs to better manage risk within the control of rail networks. Also, new rail cybersecurity standards and technical specifications including IEC62443 (Global) and TS50701 (Europe) are giving clearer guidance on requirements for rolling stock and signaling.
The growing importance of cybersecurity to the rail industry’s long-term commitment to safety is now driving the industry to consider that if a train is not secure, then it can no longer say that it is safe. A typical modern train includes more than a hundred digital systems and each one is potentially a vulnerability unless it is protected – even a mid-size fleet of a hundred trains has tens of thousands of systems that require protection. The sheer number of systems, some of which might be quite old and difficult to update, can present a large attack surface.
Initially, cybersecurity in rail focused around developing and implementing technical products and solutions, often as a quick fix in response to an identified vulnerability. More recently, cybersecurity certifications and standards have been introduced to encourage further cyber resilience. Now there are signs of how building the culture is the next step on cybersecurity’s evolution, which recognizes that people make an organization secure, not just technology. Although a cybersecurity culture started with basic awareness training, the industry is adapting as organizations understand that people can be both the best response to cyber-attacks and the weakest link. To get security culture right, it is critical to foster an environment where everyone is security conscious.
What the future holds
The rail industry needs to have a clear understanding of the numerous connected train and trackside systems. Trains will often have a working life of 25 years or more and will undergo changes during their lifespan with new connected systems added by each owner or operator. Vulnerabilities can appear as information systems are added, replaced, and connected.
The priority is to identify all the connected systems on a network and understand the behavior and traffic flows between them. Then the industry needs to implement the proper cybersecurity monitoring systems to ensure that anything out of the ordinary is identified and stopped in real time. After that, these monitoring systems need to record anything out of the ordinary.
Implementation of safety through existing legislation is now being driven into the digital domain through a combination of new cyber-security technology, standards and guidance, as well as policy and governmental shifts. The rail industry needs to keep pace with these changes. Encouragingly, rail organizations are responding to regulatory changes in cybersecurity and through collaboration with manufacturers, operators and owning companies, technical aspects of cybersecurity are beginning to be implemented under the umbrella of achieving safety.
Industry priorities should go beyond just technological solutions and work towards the development of a culture that understands the role cybersecurity plays when maintaining a safe railway. As practices evolve cybersecurity is being integrated into the design of critical transport systems, driving the industry into an era of increased collaboration part of an industry-wide approach to management of all safety risks, including those of a digital origin.
Alex Cowan is CEO of rail cybersecurity specialist RazorSecure, which he founded in 2015. With more than 15 years’ experience in the gaming industry, Alex used his expertise to develop RazorSecure’s technology which provides intrusion detection cybersecurity software to the rail industry.
Headquartered in Basingstoke, RazorSecure now provides leading companies across the rail industry with tailored cyber security solutions. Its technology is powered by machine learning and designed to protect rolling stock, signalling and infrastructure systems.
To date, RazorSecure software has been deployed in more than 1,600 rail vehicles and protected more than 50 million rail passenger journeys.