Advertorial

Addressing the challenges and opportunities around cyber-security for the railway industry

Posted: 13 August 2020

Joe Ferguson, NCSC Certified Cyber Practitioner and a Senior Information Risk Analyst, explores the challenges around cyber-security for the railway industry and the priorities to focus on moving forward.

To what extent do you think the rail sector must make quantum leaps in developing comprehensive strategies to ensure their assets are cyber-secure?

The convergence of information technology, digitalisation and operational technology has resulted in a paradigm shift for railways as a public service, and IT has brought reliability, maintainability, efficiency, capacity – better passenger experience. With digitalisation comes vulnerability to cyber threat; operators must embrace security analytics and automation to prevent breaches and quickly identify and respond to security events. While we move towards more intelligent, connected, user-centric systems we see only advantages, but beware – it also poses new opportunities for cyber-criminals, opportunists and terrorists. Can the authorities nurture an environment where train operators can grasp the opportunities without imperilling themselves and their passengers to cyber-attack? The authorities must at least try.

I have worked in government for 40 years. I believe in the duty to serve, to give direction and leadership. I am no rail expert, having worked in the industry but a few years. I have, though, many friends that know rail and cyber. They want action so rail systems remain protected. I am a cyber-risk analyst, certified by NCSC. My first instinct is to explore the context and recognise ‘opportunity risk’. What a massive opportunity the rail industry could miss if it does not recognise the threats it faces.

We must address the vulnerability to cyber-attack that accompanies the advanced, IP-based technology of modern communications. A terror attack on a moving train would severely impact public confidence, dissipate operation and cripple revenue streams. It does not even have to be a ‘Die-Hard’ disaster – a successful attack on ticketing systems or passenger information systems could be seriously debilitating.

We need governance by consent. The Department for Transport (DfT) leaders should embrace and enforce standards, achieved through communication and collaboration throughout the industry. We now know what ‘good looks like’! It is for central authority to enforce good cyber in practice, a paradigm shift for DfT.

What do you consider to be the main challenges around cyber-security that the railway sector is facing at present?

New signalling systems are needed. GSM-R is a 1990s technology relying on 2G mobile and 3-DES encryption abandoned by MOD 20 years ago. It has been hacked and the hack published on the dark web. The Future Railway Mobile Communication System (FRMCS) is coming but GSM-R will be with us for another 10 years just as we are advancing with ERTMS, ATO and HS2 (HS2 has advertised for a partner to develop advanced signalling to support high-speed trains). The main challenge is generating parallel investment in cyber-security.

Cyber-crime is a threat to security as well as to safety; everything that relies on technology can be broken, and manual backups are rapidly becoming obsolete. Train companies rely on IT for almost everything – ticketing, PIS, and operations – a denial of service attack on the ticketing or PIS would severely impact the finances of the company. Underlying train planning, crew rostering, station management and train maintenance are critical applications based on corporate Networks and Information Systems (NIS).

On board the train is a local area network supporting Wi-Fi, CCTV, heating/aircon, passenger information, door operation, and brakes. With ATO and ERTMS, we have on-board computers recognising movement authority and speed restrictions.

The railway is a national asset of UK Plc as well as being critical to individual businesses. Its systems need protection. Solutions come from a world-wide plethora of technologies and suppliers; it is not always easy to choose the best value for money. Dissemination of information is a practical way to discover the most appropriate means of defence. Collaboration and communication, sharing experience, good and bad, is needed to generate pragmatic, consistent and pertinent approaches. Strategic leadership and communications, governance with authority, and the opportunity to develop and share ideas are paramount. How best to meet the prevailing standards with continuous, sustainable improvement means getting together, sharing information.

To what extent do you think the rail sector still lacks awareness or understanding of the criticalities of cyber-security?

Not so much awareness, as understanding priorities and overcoming constraints. The need is for consistent strategy. NIS emphasises the criticality of ‘essential services’ (IT) and is law. The ORR considers cyber deficiencies in investigating safety and penalises accordingly. ANSI/ISA 62443 (Secure Automation and Control) addresses ‘essential functions’ – movement, traction, speed, signalling – OT. CyRail incorporated this into a risk methodology. CENELEC are standardising cyber-security, TS 50701. To incorporate cyber defence into the supply chain, RDG produced the Key Train Requirements for manufacturers, specifying controls, network separation and best practices in software development. Senior managers recognise rail as critical to UK Plc but introduction of cyber has not been rapid. There are reasons for slow uptake:

  • Inability to quantify cyber risk.
  • Rail encompasses many different businesses
  • Supply chains are international, complicated, fragmented
  • Rail fails to recognise criminal and international threats
  • Separation of Network Rail from train operating companies (TOCs).

The franchise system contributes to this:

  • Cyber eats into profit – many TOCs are losing money
  • Cyber-security is not recognised as a key differentiator in competition
  • Cyber-attack is somehow ‘out-of-scope’, not bargained for, or budgeted for in the franchise – not a TOC problem
  • Many treat standards-compliance as a box-ticking exercise without understanding
  • NR is not joined up with the TOCs on cyber.

Whose responsibility is it for cyber-secure rail – Network Rail, TOCs, ROSCOs or manufacturers? The NCSC/CiSP portal encourages government and industry to share but has a poor uptake in rail. The Rail Information Exchange is a well-attended group-initiative talking cyber – but meets only quarterly. The RDG have their bi-monthly RCSC on cyber. These are great initiatives but why should commercial and competing TOCs share? The best thing to happen would be support for central authority, a Cyber-Apex, to promote and enforce these standards: NIS for essential services (IT), KTR and 50701 for essential functions (OT).

Where does IL7 fit into the rail sector, and how can you improve its cyber-security approach?

IL7 delivers methodical risk analysis satisfying NIS-CAF, successfully demonstrated to NCSC and DfT. Quantified risk evaluation supports investment that is appropriate, applicable and proportionate. It fits well with the CyRail risk methodology (2018). We strongly believe risk management is the answer to the cyber challenges facing rail. IL7 leads in accreditation and assurance, having accredited systems, applications, on-board train management, signalling and communications. Assurance comes from consistent risk analysis; it should be a prime strategic goal for all in rail. IL7 has developed and matured its Assurance Model over years.

Whiteflare are well known to rail, providing consultancy throughout the industry as well as to MOD and HMG. IL7 and Whiteflare, together, offer a wide range of consultative skills, from analysing threats and vulnerabilities to matching these with appropriate solutions. We will offer empathetic, consultative skills within a strategic partnership where we wish to generate collaboration and risk-based solutions to the cyber-threat we all face. Together we can join with you as risk analysts to supply a consistent, pragmatic approach.

IL7 created a free-to-join, collaboration site with partners called Transport Cyber. This will be a go-to site for:

  • Papers, expert opinion and newsfeeds on cyber
  • Cyber-threats, risks and solutions
  • Cyber-tech defences and best practice
  • GDPR and NIS, 62443, 50701, KTR cyber-advice
  • Supply side cyber information
  • Communicating your opinion and getting feedback.

Transport Cyber provides a free-to-join, welcoming, collaborative, on-line forum to discuss the day-to-day challenges and to develop strategic direction. We want a top-down, bottom-up flow of information – a collaborative groundswell from academics, technicians and engineers who have interest in rail.

From data comes information, from information comes knowledge and by testing that knowledge we arrive at wisdom (Cyber-Wyse). We hope to attract many professionals and enthusiasts from within rail and from cyber throughout the public and private sectors.

How important do you think it is to learn from previous cyber-attacks that have impacted rail?

NCSC recorded dismay at the Stadler breach. Information regarding shared impact to personal data was not communicated; we need to share, to recognise the consequences of an attack on information, PII and GDPR, but also to signalling, communications and underlying systems. Talking shops and committees don’t deal with the truths because competitive operating companies don’t want to admit their failings or liabilities. Real security risk-based workshops are needed with real dialogue to express the combined effects of a potential cyber-attack on a delivery service already prone to the weather, physical and criminal damage.

Today, while threats from organised crime, terrorists, and foreign governments are aimed at the UK, not targeted at the operating companies, we must stay alert, monitor, procure security, and make ready.

Train managers use IT and comms to mitigate the consequences of infrastructure failure, floods and signalling faults. What if, at the same time, armed with a weather forecast and a team of hackers, a terrorist group or foreign government targeted the comms, the PIS, the planning and rostering systems? We would really struggle.

Which TOC has not suffered phishing emails asking their staff to connect to a dodgy site? What if the site contained a zero-day virus, or loaded a trojan onto a corporate system? What if the message contained ransomware, encrypted a server hard drive and made planning or rostering inaccessible? Threats can come from criminals, cyber-vandals and script-kiddies. We need to recognise this and build in appropriate defences.

Security Services (MI5, MI6, and GCHQ) and armed forces readily admit they are at constant electronic war with Russia and China, whilst the risk of friendly fire (in electronic terms) from the USA has never been higher. The terrorism threat to citizens has been constantly elevated for several years and concerns rail transportation and its associated infrastructure.

IL7 Security Consultants provides cyber consultancy services to MOD, HMG, the Police and rail. Joe Ferguson is an NCSC Certified Cyber Practitioner and a Senior Information Risk Analyst. He has produced risk assessments for the ITC on RAF Aircraft, RN submarines and ships as well as trains such as the Siemens C700, as well as more traditional IT Systems.