The Digital Railway

Dr Emma Taylor CEng FIMechE FSaRS, Head of Digital Safety at RazorSecure explains how the implementation of cybersecurity in the railway has evolved considerably over the past ten years

Initially, cybersecurity focused around developing and implementing technical products and solutions, often as a quick fix in response to an identified vulnerability. More recently, cybersecurity certifications and standards have been introduced to encourage further cyber resilience. And now, we have begun to see how building the culture as the next step on cybersecurity’s evolution recognises that people make an organisation secure, not just technology.

Although a cybersecurity culture started with basic awareness training, the sector is adapting as organisations understand that people can be both the best response to cyber-attacks, and the weakest link.

A cybersecurity culture begins by creating a cybersecurity mind-set in all staff, including senior management, that the risk is real and their daily actions and decisions can impact that risk. Just as safety is now seen as something where everyone must play their part, so it must be with cybersecurity.

When people think of a cybersecurity ‘insider threat’ they usually picture a malicious employee seeking to cause disruption. In reality, an insider threat is more than likely to be from ‘accidental security incidents’. These are incidents that can be caused by several different factors, such as poorly designed security processes, genuine mistakes, or staff unaware of the behaviours they need to follow in line with a security protocol. To get security culture right, it’s critical to foster an environment where everyone is security conscious.

The modern rail network has rapidly evolved, which has led to large-scale increases in the quantity of systems on-board a modern digital train. When considering cybersecurity risk, it is important to consider the motivations of

different people engaging with each system and the operational risk associated with changes. Only some of these systems have a high level of safety integrity, and with up to 100 systems on-board a train, it can represent a target rich environment for a determined attacker.

The primary goal of railway cybersecurity is to protect the system’s essential functions which, in some cases, are required to maintain the safety and availability of the rail network. Culture, within safety and cybersecurity is essential, however technical cybersecurity measures need to be implemented to provide protection allowing the train to maintain a continuous operation. It is a balancing act which is continuously evolving.

Cybersecurity – a technical challenge with a technical solution New networks on rolling-stock are more complex than conventional networks found on established rolling stock and IT infrastructure. This requires a cybersecurity programme that considers the distinctive challenges involved with a moving digital data centre. A fleet will contain train control systems, monitoring systems, passenger information systems, video surveillance cameras, HVAC, and Wi-Fi systems, amongst many others. The more ‘digital’ and connected the systems within rail networks become, the more vulnerable the critical systems are to cyber threats.

The railway is in effect becoming a huge and mobile network of highly connected computers processing and analysing data. Cybersecurity begins with a fundamental challenge; if you do not know what is connected to your network then you cannot secure it; a network is only as strong as its weakest link.

A rail cybersecurity strategy must be based on establishing visibility of systems, to effectively protect the infrastructure from ongoing cybersecurity threats. An understanding of your assets will discover how they are exposed, and how you can mitigate the risks. Establishing visibility of systems is referred to as ‘asset discovery’ and is the first step for ensuring operational continuity, reliability, and safety. If rail operators know the assets they have in their environment, it enables them to conduct more effective vulnerability and risk analyses. With new vulnerabilities developing daily, it is important to know your assets better than the threat actor does.

If you are not able to identify weak spots, it is impossible to protect yourself from every threat. You cannot secure what you cannot see.

Cyber incidents will not always be actioned by external sources, and insider attacks may allow threat actors to bypass many measures of perimeter cybersecurity. By monitoring activity within the network, rail operators can detect cyber incidents that occur beyond the secured perimeter.

An example of suspicious communications could be between the Train Control Management System (TCMS) and an internet connected, IP-enabled device in your network. If a device such as a video surveillance camera is trying to communicate with a safety critical control system – it is probably misconfigured or acting maliciously. It is recommended to use a ‘defence in depth’ approach, which is a cybersecurity principle based on ‘layers’ of protective measures, from physical to technical coding and communication protocols.

Defence in depth aims to reduce the vulnerability of systems by eliminating single points of failure within the systems’ various levels of protection. Layered cybersecurity, along with network segmentation, increases the security robustness of the network as a whole.

Ed Hodson, Chair of the IOSH Railway Group, noted at a recent IOSH webinar the analogy with the Swiss Cheese Model in health and safety: ‘If the layers of defence are breached, the inevitable risk will materialise. The questions to ask are; Are your digital systems adequately protected? Do you have a secure system and network design and configuration? And, finally, is there Defence in Depth secured by Secure by Design and subjected to authentication.’

The regulation of cybersecurity and safety and standards Safety regulation of the rail industry is well established in many countries worldwide with regulatory agencies such as the UK’s Office of Rail and Road (ORR) playing a key role in requiring the active use of Safety Management Systems. Co-ordination is also implemented by international organisations such as European Agency for Railways (ERA), and technical understanding is enabled through standards organisations such as ISO and CENELEC.

Recent cybersecurity legislation such as the EU NIS Directive has put in place financial penalties for failure to meet requirements as well as increased the range of systems within scope. Governments have also increased focus on specific challenges associated with maintaining safe and efficient operations of an increasingly complex and digital system as part of national infrastructure.

Taken overall, implementation of safety through existing legislation is now being driven into the digital domain through a combination of new legislation, standards and guidance and policy and governmental shifts. The rail industry needs to keep pace with these changes.

Cybersecurity – prevention incorporating positive change While visibility and monitoring are vital components of cybersecurity, the data received from these measures should not be just a cybersecurity use case. Operators can benefit from operational efficiency. With better data, operators can make proactive decisions based on accurate feedback in realtime. This could ensure potential failures are detected early and are dealt with before they result in significant operational disruption. Conversely, an incomplete and ongoing asset management could result in a commercial and financial performance impairment.

The investigation of the Cambrian ERTMS incident by the RAIB, probed into why and how a complex software-system went wrong, can require a deep dive and forensic analysis, rightly engaging many industry resources.

Effective digital risk management includes all digital parts in the supply chain. Given that this involves integration of electronic systems within the physical rolling stock infrastructure, cybersecurity must form part of product assurance and competency framework used as part of assurance of suppliers. A global supply chain increases the need for this focus on commercial and financial and the safety elements of cybersecurity.

Addressing the benefits and challenges from digitalised railway systems Rail organisations are responding to regulatory changes in cybersecurity and importantly, through work with manufacturers, operators and owning companies, technical aspects of cybersecurity are beginning to be considered and implemented under the umbrella of achieving safety.

Although we work with advanced technologies that are embedded in railway digital infrastructure, industry priorities should go beyond just technological solutions and work towards the development of an industry wide cybersecurity culture that understands the role cybersecurity plays when maintaining a safe railway.

A new approach is taking place to meet the main goal of railway cybersecurity in parallel with a strengthened security-focused culture and understanding. An increase in cybersecurity culture will create a positive drive towards collaboration with safety, and integration of disciplines and sectors as part of a system-wide approach to management of all safety risks, including those of a digital origin.

Dr Emma Taylor CEng FIMechE FSaRS is a Chartered Engineer with more than 25 years of safety, risk and design experience across space, energy and transport. As Head of Digital Safety at RazorSecure, a rail cybersecurity solutions company, Emma is leading the integration of safety and security for the railway, UK and worldwide.

Ed Hodson LLM BSc(Hons) CMIOSH AIRO is the Chair of the IOSH Railway Group. A Chartered health and safety professional with experience in rail safety, audit and regulation, Ed is a Senior Consultant at Law Firm Rradar.

Ed Hodson recently introduced Dr Emma Taylor to raise the awareness of cybersecurity to the Group in the webinar ‘Digital Systems in the Modern Railway – Vulnerabilities and Opportunities’. The webinar led to a great deal of interest in cybersecurity and a request for more information from Dr Taylor, whose webinar can be viewed at bit.ly/3yqNYVq.