Six cyber risk mitigation strategies for software obsolescence in railways

Posted: 26 January 2021

Serge Van Themsche, Vice President of Strategic Partnership at Cylus, shares his six recommendations for the railway industry to avoid software obsolescence pitfalls.

Railway and public transport operators today are confronted with major obsolescence issues, a problem that will only grow with the increasing usage of commercial off-the-shelf (COTS) and Internet of Things (IoT) products. It is easy to understand why. The expected life span of rolling stock and other railway assets, which is from 20 to 40 years, collides with the much shorter lifecycle of COTS hardware. The use of commercial firmware and operating systems within the railways’ Operational Technology (OT) environment, and the hard-to-manage software obsolescence that comes with it, only amplifies the problem.

Concretely, it means that, even with the best obsolescence management system, applying all of the recommendations from the IEC 62402:2019 standard [1], there will be a time when the rolling stock, signalling or any other railway sub-systems (e.g. SCADA, Passenger Information, Platform Screen Doors, etc.) will have to be operated with known obsolete elements. In fact, the International Association of Public Transport’s (UITP) cyber-security sub-committee working group on obsolescence [2] has identified that, after eight to 10 years, public transport operators must generally put in place mitigation measures to protect systems that inevitably become obsolete. This working group, which Cylus led, wrote a comprehensive whitepaper defining a strategy for public transport operators on how to deal with software obsolescence.

Let me be clear: obsolescence goes beyond cyber-security risks. It creates sustainability risks, with significant impacts on operations and maintenance costs, and operational efficiency risks linked to RAMS (Reliability, Availability, Maintainability and Safety) issues are also involved. For those interested in these non-cyber-related risks, I recommend consulting the IEC 62402:2019 standard [3], especially the section on risk assessment of obsolete assets, and this UITP report.

Why can obsolete software become a time-bomb?

Here are the reasons why operators must tackle obsolescence from a cyber-security perspective:

Legal and regulatory compliance risks

Operators relying on obsolete solutions can face heavy fines and even legal action if they do not comply with government or industry regulations, particularly when a data breach occurs resulting from the use of older technology with known vulnerabilities.

No security patches

Hardware obsolescence can be the triggering factor of firmware obsolescence, since no security updates are made. Without patches, systems become vulnerable to known attacks that could easily be prevented.

Discovery of new vulnerabilities

Software (i.e. operating systems, firmware, application software) obsolescence on its own makes a rail network more vulnerable to cyber-attacks. As time goes on, the probability of finding new vulnerabilities only increases.

Increased likelihood of exploitation

The more vulnerabilities that are found, the greater the chance of exploiting them. To make matters worse, in the longer term, low-skilled attackers can slightly adapt malware already developed for other verticals and replicate the attacks. Not having to develop the attack vectors from scratch will only increase the attacker’s pay-back motivation and the likelihood of attack.

Excluded from security ecosystem

To aggravate the vulnerability’s impact, the obsolete software never really integrates the latest security controls coming from newer ‘secure by design’ coding best practices, making detection more difficult and exploits more likely. Furthermore, the newer protections offered by antivirus and similar cyber-security solutions are not tuned to malware attack signatures on outdated rail systems, once again increasing the difficulty of detecting such attacks and the probability that they will happen. In other words, software obsolescence can become a time-bomb without the right cyber mitigation measures.

Recommendations to mitigate obsolescence risks

Based on my experience and the work performed within the UITP cyber-security sub-committee, here are my six recommendations to avoid obsolescence pitfalls:

1. Obsolescence planning

Obsolescence monitoring should start at the tender stage, with requirements to be integrated within the system design phase, and carry on throughout the system’s entire lifespan. All railway and public transport operators should establish an obsolescence management system that follows the IEC 62402:2019 standard, which demands planned obsolescence risk assessments.

2. Asset monitoring and obsolescence identification

Within their obsolescence policy, operators must map all their assets and identify when they are becoming obsolete. Though some follow-up can be done manually, as time passes and the number of assets increases, software-driven monitoring solutions become mandatory. Monitoring systems with auto-discovery functionalities not only identify all assets running on the network, but are increasingly able to detect the hardware details along with the software or firmware version, and to flag obsolete versions and their overall risk scoring. After setting a baseline, they also monitor any suspicious dataflow or unauthorised access attempts going to obsolete equipment from existing or new equipment.

3. Zone partitioning according to security levels

The monitored assets shall be assigned to consistent security zones and policies connected by conduits according to the new TS 50701 [4] standard (railway adaptation of IEC 62443) and based on an initial risk assessment. Asset partitioning should be possible according to the technology lifecycle (i.e. obsolescence) criterion, alongside the many other permitted segmentation criteria (e.g. risks of the asset in terms of integrity, availability and confidentiality; physical or logical location; access requirements; operational function; safety aspects, etc.). Modern continuous monitoring technology for OT networks allows for such partitioning and alerts when these policies are being violated.
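The checks described in recommendations 2 and 3 can be sketched in a few lines. This is an added example, not code from the author, the UITP whitepaper or any monitoring product: the asset names, end-of-support dates, zone names (including the `legacy` zone used for obsolete assets), protocols and flows are all constructed, and the rules are a simplified reading of the text rather than the TS 50701 procedure.

```python
from datetime import date

# Constructed inventory: asset -> (end-of-support date, zone). Names, dates
# and zones are made up; "legacy" is the assumed zone for obsolete assets.
ASSETS = {
    "interlocking-01": (date(2031, 6, 30), "signalling"),
    "psd-ctrl-03": (date(2019, 12, 31), "legacy"),
    "pis-server": (date(2020, 1, 14), "passenger-info"),
    "scada-hmi-02": (date(2029, 10, 9), "scada"),
    "maint-laptop": (date(2030, 1, 1), "maintenance"),
}
# Conduits: the only (source zone, destination zone, protocol) paths allowed.
CONDUITS = {("scada", "legacy", "modbus"), ("signalling", "scada", "opcua")}
# Baseline: flows towards obsolete assets recorded as normal.
BASELINE = {("scada-hmi-02", "psd-ctrl-03", "modbus")}
# Constructed flow observations: (source, destination, protocol).
FLOWS = [
    ("scada-hmi-02", "psd-ctrl-03", "modbus"),
    ("maint-laptop", "psd-ctrl-03", "ssh"),
    ("interlocking-01", "scada-hmi-02", "opcua"),
    ("scada-hmi-02", "pis-server", "http"),
    ("unknown-10.0.0.9", "psd-ctrl-03", "modbus"),
]

def obsolete_assets(today):
    """Names of assets whose vendor support ended before `today`."""
    return {name for name, (eos, _) in ASSETS.items() if eos < today}

def review_flows(flows, today):
    """Return [(flow, [reasons])] for flows breaking zoning or the baseline."""
    obsolete = obsolete_assets(today)
    alerts = []
    for src, dst, proto in flows:
        reasons = []
        src_zone = ASSETS[src][1] if src in ASSETS else None
        dst_zone = ASSETS[dst][1] if dst in ASSETS else None
        if src_zone is None or dst_zone is None:
            reasons.append("asset not in inventory")
        elif src_zone != dst_zone and (src_zone, dst_zone, proto) not in CONDUITS:
            reasons.append(f"no conduit {src_zone}->{dst_zone}/{proto}")
        if dst in obsolete and dst_zone != "legacy":
            reasons.append("obsolete asset outside legacy zone")
        if dst in obsolete and (src, dst, proto) not in BASELINE:
            reasons.append("flow to obsolete asset not in baseline")
        if reasons:
            alerts.append(((src, dst, proto), reasons))
    return alerts

if __name__ == "__main__":
    print(review_flows(FLOWS, date(2021, 1, 26)))
```

Only the baselined SCADA-to-platform-door flow and the signalling-to-SCADA flow pass; the other three flows are reported with the reason each one breaks the zoning or the baseline.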

4. Treatment of obsolete IT solutions

The NCSC (the UK’s National Cyber Security Centre) recommends that obsolete systems should be treated as ‘untrusted’. It even recommends using only solutions still supported by vendors, which implies migrating away from obsolete platforms and applying short-term mitigations until this migration is complete. While applying this recommendation in IT environments is possible, it isn’t feasible for practical and economic reasons in OT rail networks.

5. Dealing with obsolete solutions in OT environments

Implementing a monitoring solution that includes network traffic analysis and deep packet inspection capabilities is the only efficient mitigation measure besides physically isolating the network that is running the obsolete asset through a data-diode, a solution that generates many other complications in existing OT networks (e.g. latency, homologation). Just to emphasise once again, a monitoring solution is essential for asset supervision, obsolescence identification and zone partitioning, and can provide compensating controls to ensure real-time detection of malicious behaviour until these systems are migrated.

6. Dealing with obsolescence in safety-critical networks

Not all monitoring systems can deal with obsolescence in safety-critical networks. However, a rail-specific monitoring solution that understands the proprietary and dedicated protocols can do it. Indeed, such a solution must have the capacity to analyse the ongoing dataflow to the obsolete asset, including the ones from the higher levels of the OSI stack, which must then be compared systematically to an updated library of known viruses and threats. Furthermore, the operator must rely on a supplier that can update its rule-based monitoring systems to establish new barriers around the newer, exploitable vulnerabilities caused by obsolescence.

To conclude

The increasing usage of COTS and IoT products will improve a railway and public transport operator’s efficiency while reducing, in the long run, their cost. However, this digitalisation process will also amplify the problems linked to obsolescence, especially in safety-critical systems. Hence, for railway and public transport operators, compliance necessarily requires an updated obsolescence management system and a continuous railway-focused monitoring solution that enables identification, partitioning and mitigation, ensuring that obsolescence issues are dealt with.


  [1] IEC 62402:2019 standard: Be aware that this standard’s focus is mainly on hardware obsolescence.
  [3] This risk assessment methodology defined by the standard differs from the IEC 62443 approach that cyber-security specialists are familiar with.
  [4] The future standard TS 50701 specific to the railway cyber-security environment has been in its official draft version since 10/10/2020 and should be published in early 2021.

Serge Van Themsche is a senior executive who has over 30 years of experience in managing big international infrastructure projects and multinational divisions. His experience covers the railway, energy, IT and automation markets. Among his previous assignments, he was Bombardier’s turn-key division VP for the EMEA region. Serge headed the UITP working group on software obsolescence.
