Rail IT: Secure digital services for the safest mode of transport
The ongoing digitalisation of railways results in a wealth of new, useful features being installed on trains to provide passengers with entertainment services and useful features such as seat reservations and the ability to purchase tickets for onward journeys. But it is imperative these digital services are protected against cyber- and hacker-attacks. Martin Wittke, Product Line Manager at Siemens Convergence Creators, explains what can be done to protect train IT infrastructure.
On-board wireless internet access is now widely available via web portals to provide passengers with all kinds of information about their journey, the train, and the region of travel. It also provides entertainment services such as news, magazines, films, music, and games. In addition, passengers can see free and occupied seats on carriages, make reservations, or book rental cars, taxis and bikes. All of these services are accessible via smartphones and tablets and help make passenger journeys more relaxed and enjoyable.
How secure is this new IT on trains?
A lot of work goes into achieving the highest safety standards in train operation, but we still need to anticipate unexpected events. We must also be well-prepared for cyber-attacks on our trains’ IT infrastructure.
Cyber- or hacker-attacks on digital train services can vary considerably in both form and impact. They may go unnoticed, or they may be immediately detected. They may be of little consequence, and merely satisfy the ambition of tech-savvy people who lack a truly malicious intent. Or they can be malicious attacks that steal critical information like customer or usage data, alter this data, manipulate system information or media content, generate ‘fake news’, or impair the availability of the system.
Siemens Convergence Creators has developed the Media 4Rail Security concept to establish a standard for protecting railways’ digital services assets from cyber-attacks. Product and system security, network security, and system integrity form the three pillars of this approach (see Figure 1), with each of the central components requiring independent attention in order to effectively defend against cyber-attacks.
Product and system security
Product and system security is the fundamental product development parameter when it comes to IT security. Siemens Convergence Creators’ compliance with ISO 27001 – a standard that defines the requirements for an information security management system covering people, processes and IT systems – provides the guiding framework. As part of the product’s development, a Risk and Threat Analysis workshop was conducted to evaluate its exposure to threats and examine potential vulnerabilities. Adequate security measures were then defined based on the assessed risk. Later, extensive security tests including penetration tests demonstrated compliance with the specifications and the effectiveness of the implemented security measures. The final penetration test on the Media 4Rail Live System included checks for outdated software and application misconfiguration, as well as access, password, unsafe-function and protocol probes against the different hardware sections of the system. Conducted by a product-independent organisation, the test’s findings confirmed the high security standard of the Media 4Rail solution.
Network security
Network security focuses on protecting IT networks against unauthorised access. In the first step, the train network is divided into different areas, strictly separating the network that handles the internet-on-board and the passenger infotainment system (Passenger Network), the train control system (Control Network) and the train operation network (Operator Network). The protection and monitoring of all interfaces – such as Wi-Fi access for passengers and the remote maintenance access – requires additional measures that go beyond the function of a traditional firewall.
Within the Passenger Network, data transfers from different services are isolated and encrypted using virtual private networks (VPNs) in order to reduce the threats to data integrity.
In addition, network areas are only accessible after secure authentication and with limited authorisation. Users or attacks showing unusual access behaviour can then be detected more quickly.
System integrity
Media 4Rail’s third IT security component is system integrity, which ensures the entire system’s robustness against hacker-attacks.
A cornerstone for minimising vulnerabilities to cyber-attacks is software maintenance and regular installation of the latest updates and patches. Another important activity is continuous monitoring for irregularities in order to identify attacks early on. Measures of defence such as isolating affected components must be defined in detail for every system. In the event of an attack, rapid countermeasures can be decisive for mounting a successful defence.
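The segmentation between the Passenger, Control and Operator networks and the continuous monitoring for irregularities described above can be checked mechanically against access logs. The following Python script is an added example and not code from Siemens Convergence Creators or the Media 4Rail product: the address plan for the three networks, the key=value log format, the allowed-flow table and the sample log lines are all assumptions constructed for this illustration. It flags any flow that crosses zones outside the policy (a denied attempt is already a warning, since a passenger-side device probing the control network is the kind of early signal the monitoring is meant to catch) and any source that repeatedly fails authentication against a restricted interface.

```python
import ipaddress
from collections import Counter

# Hypothetical address plan for the three on-board networks (assumption, constructed for this example).
ZONES = {
    "Passenger": ipaddress.ip_network("10.10.0.0/16"),
    "Control": ipaddress.ip_network("10.20.0.0/16"),
    "Operator": ipaddress.ip_network("10.30.0.0/16"),
}

# Segmentation policy: (source zone, destination zone) pairs that are permitted.
# Passenger devices may only talk to the passenger network and the internet;
# only the operator network may reach the control network (assumed policy).
ALLOWED_FLOWS = {
    ("Passenger", "Passenger"),
    ("Passenger", "Internet"),
    ("Operator", "Operator"),
    ("Operator", "Control"),
    ("Control", "Control"),
}

# Constructed sample log lines in a simple key=value format (not a real product format).
SAMPLE_LOGS = [
    "ts=08:00:01 kind=flow src=10.10.4.21 dst=10.10.0.5 dport=443 action=allow",
    "ts=08:00:02 kind=flow src=10.10.4.21 dst=203.0.113.9 dport=443 action=allow",
    "ts=08:00:05 kind=flow src=10.10.4.21 dst=10.20.1.7 dport=502 action=deny",
    "ts=08:00:06 kind=flow src=10.10.4.21 dst=10.20.1.7 dport=22 action=allow",
    "ts=08:01:10 kind=flow src=10.30.2.2 dst=10.20.1.7 dport=22 action=allow",
    "ts=08:02:00 kind=auth src=10.10.4.21 user=maint result=fail",
    "ts=08:02:03 kind=auth src=10.10.4.21 user=maint result=fail",
    "ts=08:02:07 kind=auth src=10.10.4.21 user=maint result=fail",
    "ts=08:03:00 kind=auth src=10.30.2.2 user=maint result=ok",
]


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values keep their text form."""
    return dict(field.split("=", 1) for field in line.split())


def zone_of(ip_text):
    """Map an address to its on-board zone, or 'Internet' if outside the plan."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Internet"


def segmentation_violations(lines):
    """Flows whose (src zone, dst zone) pair is not in the policy.

    A flow the firewall allowed is 'critical' (the segmentation is broken);
    a denied one is 'warning' (the segmentation held, but someone tried).
    """
    findings = []
    for rec in map(parse_line, lines):
        if rec.get("kind") != "flow":
            continue
        pair = (zone_of(rec["src"]), zone_of(rec["dst"]))
        if pair in ALLOWED_FLOWS:
            continue
        severity = "critical" if rec["action"] == "allow" else "warning"
        findings.append((rec["ts"], severity, pair, rec["src"], rec["dst"], rec["dport"]))
    return findings


def auth_anomalies(lines, threshold=3):
    """(src, user, count) for sources with at least `threshold` failed logins."""
    failures = Counter()
    for rec in map(parse_line, lines):
        if rec.get("kind") == "auth" and rec.get("result") == "fail":
            failures[(rec["src"], rec["user"])] += 1
    return [(src, user, n) for (src, user), n in failures.items() if n >= threshold]


if __name__ == "__main__":
    for finding in segmentation_violations(SAMPLE_LOGS):
        print("segmentation:", finding)
    for finding in auth_anomalies(SAMPLE_LOGS):
        print("auth:", finding)
```

On the constructed input the script reports two cross-zone flows from the same passenger-side address into the control network (one denied, one allowed, which would indicate a firewall rule gap) and three failed maintenance logins from that address, while the operator-side maintenance session is treated as policy-conformant. In a real deployment the zone table and allowed-flow set would be derived from the train's actual network design rather than hard-coded.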
Through the rigorous implementation of its Media 4Rail Security approach, Siemens Convergence Creators’ Media 4Rail solution is making a vital contribution to IT security.
MARTIN WITTKE is Product Line Manager for Siemens Convergence Creators’ Media 4Rail solution. He graduated from the University of Rostock with a degree in Electrical Engineering. Martin has worked for Siemens since 1997, with previous roles including Software Engineer and Project Engineer heading different business departments in Siemens Austria and Germany.