Advertorial

Expert View: Cyber-Security In or Out?

Posted: 12 March 2024

As part of our first issue of 2024, Global Railway Review caught up with Matt Simpson, Director at AtkinsRéalis, to discuss the importance of in-house cyber security skills.

How do most cybersecurity threats occur?

A cybersecurity attack is a malicious piece of software (or malware) that infiltrates a digital platform, but nine out of ten times it is accidentally caused by employees. Your organisation’s vulnerability to malware is significantly reduced if your employees are aware of the signs of the red flags. Cybersecurity has been around 20-25 years, but it has only come to the surface for rail systems in the past decade.

What would be the potential effects of a cyberattack?

It can take down a station, train, line, route, or region. It’s potentially worse when infrastructure doesn’t totally fail, which is what we are terming ‘grit in the system’. This is when performance is degraded across both corporate and railway systems, impacting operations across multiple fronts. If systems start to degrade simultaneously, it can be difficult to ascertain the root cause and prioritise your response. This can be compounded by limited cybersecurity resource and 24/7 railway operational commitments.

What training can prevent cyberattacks?

Transformational leadership from the top down – building the people, process and technology capabilities to enable your staff to manage cyber risk. This is not easy in the rail industry as it requires both cybersecurity and complex rail system knowledge, so it requires both engineering and operational input. You need cultural change to prevent your people clicking on the wrong link, plugging in their own equipment, or doing something outside of your policies that puts your core systems at risk.

When should cybersecurity be considered in the design process for rail?

Cybersecurity is far less effective and more expensive when it is a bolt-on, after railway infrastructure is designed and built. It’s incredibly risky to build a railway system and then say, “right, we have to commission it in three months’ time, let’s make it secure.” You now have to rebuild those same systems to make them secure, meaning you’re building it twice and likely delaying the project for years.

For this reason, at AtkinsRéalis we mandate a Secure by Design approach that prioritises cybersecurity risk identification and management, starting with concept design. We’ve changed our corporate assurance and delivery processes to reflect Secure by Design and we’ve invested in training project managers, consultants and engineers alike to be able to ascertain and mitigate cybersecurity risk in all our railway solutions.   

How can national rail companies prevent cybersecurity threats?

At a board level, conversation about risk is typically focused on operational, reputational and financial impact. A cybersecurity attack can manifest itself in all those areas. Those responsible for cybersecurity need to articulate the risk – both in terms of likelihood and impact – and build an investment case that clearly states the risk and reward of varying mitigations. This requires an in-depth knowledge of both cybersecurity and railway operations, which is something AtkinsRéalis has completed for many of our transport and infrastructure clients.

Cybersecurity, particularly when applied to railway systems, is complex and requires the right mix of people, process and technology mitigations to ensure cyber resilient operations for our clients. However, the most effective starting point is not technology focused – if your biggest threat comes from within, then that’s the threat that needs priority billing. The insider threat requires a cultural shift in your organisation’s understanding and approach to cybersecurity, and at all levels.

To find out more, visit: www.atkinsrealis.com