Why is cyber-security so important for the rail industry?
Emma Megan, Rail Industry Writer, discusses how the cyber-security paradigm is a highly operational and technical topic, but nonetheless, a priority that the rail sector must address.
The dawn of the digital age, with its associated 4G technology, has certainly bought some major benefits to the rail industry as a whole. However, such opportunities have been deterred by the numerous challenges that the industry faces at a holistic level. It is imperative that these are overcome to ensure the sector remains reliable and sustainable in the foreseeable future.
This industry faces a myriad of issues that typically include the ever-increasing competition from other modes of transport, as well as the massive cost of maintaining railway operations. Perhaps one of the most significant challenges that this sector faces, is that of cyber-security. Since most railway operations focus more on core functionality and affordability, the entire industry sidelined cyber-security until certain breaches went public. Federal1 and national cyber-security enactments have become far more stringent and the railway industry now has to adhere to these regulations.
Unfortunately, the seeming inability of the railway sector to evolve at the same pace as the technology around it, is effectively penalising the entire industry. It is imperative that this key issue must be addressed as soon as possible.
There are three main elements to be considered:
- The main change of technology
- The new system’s overall lifecycle
- The associated costs of the change.
Cyber-security paradigms in the railway sector
The railway sector is left with no alternative than opting for a complete paradigm shift from any proprietary technology that the industry has been using – switching to as many off-the-shelf components as possible.
Not only will this help the whole system become more adaptable and flexible, but in the long run allow for a more rapid adoption of technology advances. These will consequently cause many changes in terms of system lifecycles, IT systems and central control.
Finally, the element of cost has to be taken into consideration. The general rule of thumb is that the more obsolete the technology is, the more expensive it will be. This is because of the ever-increasing scarcity of important components, parts and vital software. These in turn will impact the overall economies of scale, or alternately, the lack of them.
Threat landscapes today
The threat landscapes of the railway sector are steadily increasing. This is perhaps a natural outcome of different railway-related business concerns becoming more integrated over time.
However, many cyber-security challenges that are part of the overall threat and cyber-security paradigm are not specific to technical attacks: They are not restricted to malware and viruses. In the railway sector, there is a far more lethal aspect of terrorism to take into consideration.
This is why, for rail, there is more to the concept of cyber-security management in comparison to the ‘run of the mill’ form of protection which other business sectors use. For instance, there are several pressing issues surrounding cyber-security governance in this industry. These include security operations risk management and compliance monitoring activities that require near-constant attention to be able to maintain a reasonable level of maturity.
Various roles and responsibilities
There are several actors in the railway industry that have to be taken into consideration when assigning responsibilities. Amongst those actors, there are divisions and departments that must share the overall responsibility of cyber-security for the industry. These responsibilities will almost certainly differ depending on the capability and the capacity of the individual actors.
For instance, the asset owners will share responsibility for railway management, risk operations and mitigation, and network management. The system integrators will be responsible for access management, technical evaluation and system-wide architecture. Finally, product suppliers will be responsible for a secure product design, secure software design and overall product engineering security.
As an example, take the generalised role of an infrastructure manager. Here, it is perfectly possible to identify three traditional silos which are as follows:
- The Command & Control Systems (CCS) environment: This is mainly related to a railway’s safety and signalling systems
- The rail traffic and operations environment: This has the main responsibility of managing the traffic, including handling the Traffic Management Systems and scheduling the different activities associated with train traffic
- Corporate business: This mainly addresses customer-related information including ticketing systems and information displays.
Keeping the above tiers in mind, it can be observed that the railway sector has an all-too-real opportunity to address a myriad of different cyber-security concerns at the highest possible level within the company. The top level management is ultimately accountable for cyber-security for the whole organisation, with the responsibility to ensure the company’s assets and information are adequately safeguarded.
The top tier management can delegate responsibility to other entities in order to implement the various cyber-security countermeasures. The organisation will also be directly responsible for validating cyber-security resourcing requirements and investments for the management of all cyber-security related information.
It is an almost axiomatic assumption that cyber-security will become a necessary component of various railway businesses, even as the industry adopts new-age technologies. The digital railway projects across the globe, and the pressing need to integrate with various other modes of transport, will slowly but surely make it necessary for the railway community to open their businesses to other active players working in the field of multimodal transportation solutions.
Emma Megan is a tech blogger at Mars Technology, a Virginia based data security and cyber-security company. She is passionate about technology and loves to analyse the tech industry in her spare time.