We tend to take our personal safety for granted when travelling by rail, whether it’s our daily metro commute or a cross-border journey by high speed rail, and in the context of the millions of kilometres travelled every year accidents are mercifully rare. However, even as the rail transport industry moves to embrace the digitalisation of systems and operations, which will improve physical safety for passengers (among other benefits), a potential new threat is emerging. The deployment of these new technologies inevitably opens the door to risks, threats and the possibility of cyber attacks. 

The future of rail transport is unquestionably digital. Traditional features provided via electromechanical and/or analogue electronics are increasingly being implemented with software.  Advanced software solutions are allowing operators to have real-time information on train movements and analyse overall performance – ultimately reducing costs by streamlining processes and improving efficiency and reliability. From predictive maintenance to automated signalling, and from driverless operation to enhanced passenger experience, digital technology is enabling more advanced performance and delivering benefits to authorities, operators and passengers. 

The downside of this exciting future is that trains that increasingly rely on digital technology are complex computer systems and, like any digital system, can be hacked.

It must be recognised that the risks are real. Railway transportation is as susceptible to cyber attacks as any other industry. In practical terms, the risks of a cyber attack for railway operators and their stakeholders may be summarized as: 

• Risks to operations, in terms of  quality of service and revenue generation
• Potential risks to the safety of passengers and assets
• The impact on company image and reputation

Every stakeholder in the development of  railway systems – systems integrators, service providers and original equipment manufacturers (OEM) - has to make an active contribution to the resilience of the overall railway system and ensure that it has the necessary internal organisation, processes, products and solutions to support this. 

Ensuring the security of a railway system is significantly different to securing a typical IT infrastructure, since the ultimate goal is the safety and reliability of a mass transportation network. There are practical issues to be borne in mind - the system architecture is distributed across long distances, with a large variety of contexts, from a centralized control room to on-board embedded equipment. Also, the anticipated duration of the rail system as a whole is much longer than the life cycles of the various technologies that go to make up the overall system. It is also necessary to integrate and secure several generations of technologies, each of which has its own security levels.

Additionally, from the perspective of operational demands, it is simply impossible to just halt an entire train network’s operations or access an entire fleet at the drop of a hat, in order to broadcast a new patch for example.

To address these issues, it is necessary to implement a Secure Development Life Cycle and a vulnerability management process. This starts with an initial Cybersecurity Risk Assessment. The analysis starts with a risk assessment, in order to identify the main risks and the mitigations to be implemented. During the risk assessment, the context (likelihood of the threat, system vulnerabilities) is defined and the mitigations are allocated to the system components, finding the right balance of protection level, operational constraints, time to market and to deploy, and – naturally - cost. It is also necessary to harden equipment and services with protective measures against cyber hacking and put in place reliable mechanisms to detect cyber intrusions. Finally, Security Testing and Security Assurance will ensure that the selected security measures are correctly implemented. Rail networks are operating in a rapidly changing context and it cannot be assumed that security measures, once implemented, will be effective for all time. That is why it is essential to put in place a robust vulnerability management process that allows the detection and remediation of any vulnerabilities identified in the system’s components. This is the only way to maintain security throughout their lifecycle.  

Having said that, it must be recognised that cybersecurity goes beyond simply the development of products and solutions. It must also cover other phases such as manufacturing, testing & commissioning, supply chain and installation, as well as maintenance, which includes the decommissioning and disposal activities at the end of an asset’s useful life. It must include threat landscape evolution monitoring and vulnerability watch over time, compliant with a strong security incident management approach.  

The whole cybersecurity philosophy cannot be abstract – it crucially demands that the industry hires the right people and trains them well. Adequate resources must be provided to install, administer, operate, and maintain the system. These steps will ensure its security over its complete life cycle and constantly increase its threat intelligence. High priority must be paid to elements like a company-wide cybersecurity handbook that lays out security policies & processes, backed up by regular mandatory training sessions for everyone interacting with the system, operators and maintenance staff alike.

The task of ensuring cybersecurity cannot be the responsibility of one player alone. The whole industry needs to cooperate to collectively address the issue. When a new system is being implemented, or a legacy one updated, all industry stakeholders need to sit together and agree on the security risk evaluation and the relevant protection target they want to achieve. A common language, methodology and references are needed. Such collaboration should also cover incident/threat sharing; we need to have at industry level a common view of threats identified and incidents recorded. This will support the definition of the relevant measures and priorities the industry should adopt.

The work currently being carried out in international standardisation committees such as IEC 62443 for industry or Shift2Rail or CEN/CENELEC for railways, is heading in the right direction and should be given even more support. These groups are due to deliver results in the near future.

It can also be helpful to identify existing best practices with industry partners. A notable example is an agreement undertaken with aerospace manufacturer Airbus to introduce into the railway business the best practices of the air transport industry. The air and rail industries are both engaged in moving large groups of people, and both are subject to the lethal possibility of terrorism. A cyber attack on a train, with hundreds of passengers traveling routes through densely populated city centres, would be catastrophic. The cybersecurity co-operation agreement signed with Airbus in 2017 will support a new risk management model for the transport industry, focusing on the co-development of new analysis services concerning transport vulnerability and new shared core protection technologies. 

In the light of society’s vulnerability to cyber attack, and the particular risks faced by major transport operators, all stakeholders, including passengers, need the reassurance that railway products and services meet the latest cybersecurity and government specifications.

Written by Ling Fang, Senior Vice President, Asia Pacific, Alstom.