The convergence of information technology, digitalisation and operational technology has resulted in a paradigm shift for Railways as a Public Service. IT has brought reliability, maintainability, efficiency and capacity – a better passenger experience. With digitalisation comes vulnerability to Cyber threat; operators must embrace security analytics and automation to prevent breaches and quickly identify and respond to security events. While we move towards more intelligent, connected, user-centric systems we see only advantages, but beware – this shift also creates new opportunities for Cyber-criminals, opportunists and terrorists. Can the authorities nurture an environment where train operators can grasp the opportunities without exposing themselves and their passengers to Cyber-attack? The authorities must at least try.

I have worked in government for forty years. I believe in the duty to serve, to give direction and leadership. I am no Rail expert, having worked in the industry but a few years. I have, though, many friends that know Rail and Cyber. They want action so Rail systems remain protected. I am a Cyber risk analyst, certified by NCSC. My first instinct is to explore the context and recognise ‘opportunity risk’. What a massive opportunity the Rail industry could miss if it does not recognise the threats it faces.

We must address the vulnerability to Cyber-attack that accompanies the advanced, IP-based technology of modern communications. A terror attack on a moving train would severely impact public confidence, disrupt operations and cripple revenue streams. It does not even have to be a “Die-Hard” disaster – a successful attack on ticketing systems or passenger information systems could be seriously debilitating.

We need governance by consent. DfT leaders should embrace and enforce standards, achieved through communication and collaboration throughout the industry. We now know what “good looks like”! It is for central authority to enforce good Cyber in practice, a paradigm shift for DfT.

New signalling systems are needed. GSM-R is 1990s technology relying on 2G mobile and 3-DES encryption abandoned by MOD 20 years ago. It has been hacked and the hack published on the dark web. FRMCS is coming but GSM-R will be with us for another 10 years, just as we are advancing with ERTMS, ATO and HS2 (HS2 has advertised for a partner to develop advanced signalling to support high-speed trains). The main challenge is generating parallel investment in Cyber security.

Cyber-crime is a threat to security as well as to safety; everything that relies on technology can be broken, and manual backups are rapidly becoming obsolete. Train companies rely on IT for almost everything – ticketing, PIS, and operations – and a denial-of-service attack on the ticketing or PIS would severely impact the finances of the company. Underlying Train Planning, Crew Rostering, Station Management and Train Maintenance are critical applications based on corporate Networks and Information Systems (NIS).

On board the train is a local area network supporting Wi-Fi, CCTV, heating, air conditioning, passenger information, door operation, and brakes. With ATO and ERTMS, we have on-board computers recognising movement authority and speed restrictions.

The Railway is a national asset of UK PLC as well as being critical to individual businesses. Its systems need protection. Solutions come from a world-wide plethora of technologies and suppliers; it is not always easy to choose the best value for money. Dissemination of information is a practical way to discover the most appropriate means of defence. Collaboration and communication, sharing experience, good and bad, is needed to generate pragmatic, consistent and pertinent approaches. Strategic leadership and communications, governance with authority, and the opportunity to develop and share ideas are paramount. Working out how best to meet the prevailing standards with continuous, sustainable improvement means getting together and sharing information.

The issue is not so much awareness as understanding priorities and overcoming constraints. The need is for consistent strategy. NIS emphasises the criticality of ‘essential services’ (IT) and is law. The ORR considers cyber deficiencies in investigating safety and penalises accordingly. ANSI/ISA 62443 (Secure Automation and Control) addresses ‘essential functions’ – movement, traction, speed, signalling – OT. CyRail incorporated this into a risk methodology. CENELEC are standardising cyber-security, TS 50701. To incorporate cyber defence into the supply chain, RDG produced the Key Train Requirements for manufacturers, specifying controls, network separation and best practices in software development. Senior managers recognise rail as critical to UK PLC but introduction of cyber has not been rapid. There are reasons for slow uptake:

  • Inability to quantify cyber risk.
  • Rail encompasses many different businesses
  • Supply chains are international, complicated, fragmented
  • Rail fails to recognise criminal and international threats
  • Separation of Network Rail from train operating companies (TOCs).

The franchise system contributes to this:

  • Cyber eats into profit – many TOCs are losing money
  • Cyber-security is not recognised as a key differentiator in competition
  • Cyber-attack is somehow ‘out-of-scope’, not bargained for, or budgeted for in the franchise – not a TOC problem
  • Many treat standards-compliance as a box-ticking exercise without understanding
  • NR is not joined up with the TOCs on cyber.

Whose responsibility is it for cyber-secure rail – Network Rail, TOCs, ROSCOs or manufacturers? The NCSC/CiSP portal encourages government and industry to share but has a poor uptake in rail. The Rail Information Exchange is a well-attended group-initiative talking cyber – but meets only quarterly. The RDG have their bi-monthly RCSC on cyber. These are great initiatives but why should commercial and competing TOCs share? The best thing to happen would be support for central authority, a Cyber-Apex, to promote and enforce these standards: NIS for essential services (IT), KTR and 50701 for essential functions (OT).

IL7 delivers methodical risk analysis satisfying NIS-CAF, successfully demonstrated to NCSC and DfT. Quantified risk evaluation supports investment that is appropriate, applicable and proportionate. It fits well with the CyRail risk methodology (2018). We strongly believe risk management is the answer to the cyber challenges facing rail. IL7 leads in accreditation and assurance, having accredited systems, applications, on-board train management, signalling and communications. Assurance comes from consistent risk analysis; it should be a prime strategic goal for all in rail. IL7 has developed and matured its Assurance Model over years.

Whiteflare are well known to rail, providing consultancy throughout the industry as well as to MOD and HMG. IL7 and Whiteflare, together, offer a wide range of consultative skills, from analysing threats and vulnerabilities to matching these with appropriate solutions. We will offer empathetic, consultative skills within a strategic partnership where we wish to generate collaboration and risk-based solutions to the cyber-threat we all face. Together we can join with you as risk analysts to supply a consistent, pragmatic approach.

IL7 created a free-to-join collaboration site with partners called Transport Cyber. This will be a go-to site for:

  • Papers, expert opinion and newsfeeds on cyber
  • Cyber-threats, risks and solutions
  • Cyber-tech defences and best practice
  • GDPR and NIS, 62443, 50701, KTR cyber-advice
  • Supply side cyber information
  • Communicating your opinion and getting feedback.

Transport Cyber provides a free-to-join, welcoming, collaborative, on-line forum to discuss the day-to-day challenges and to develop strategic direction. We want a top-down, bottom-up flow of information – a collaborative groundswell from academics, technicians and engineers who have interest in rail.

From data comes information, from information comes knowledge and by testing that knowledge we arrive at wisdom (Cyber-Wyse). We hope to attract many professionals and enthusiasts from within rail and from cyber throughout the public and private sectors.

NCSC recorded dismay at the Stadler breach. Information regarding shared impact to personal data was not communicated; we need to share, to recognise the consequences of an attack on information, PII and GDPR, but also to signalling, communications and underlying systems. Talking shops and committees don’t deal with the truths because competitive operating companies don’t want to admit their failings or liabilities. Real security risk-based workshops are needed with real dialogue to express the combined effects of a potential cyber-attack on a delivery service already prone to the weather, physical and criminal damage.

Today, while threats from organised crime, terrorists, and foreign governments are aimed at the UK, not targeted at the operating companies, we must stay alert, monitor, procure security, and make ready.

Train managers use IT and comms to mitigate the consequences of infrastructure failure, floods and signalling faults. What if, at the same time, armed with a weather forecast and a team of hackers, a terrorist group or foreign government targeted the comms, the PIS, the planning and rostering systems? We would really struggle.

Which TOC has not suffered phishing emails asking their staff to connect to a dodgy site? What if the site contained a zero-day virus, or loaded a trojan onto a corporate system? What if the message contained ransomware, encrypted a server hard drive and made planning or rostering inaccessible? Threats can come from criminals, cyber-vandals and script-kiddies. We need to recognise this and build in appropriate defences.

Security Services (MI5, MI6, and GCHQ) and armed forces readily admit they are at constant electronic war with Russia and China, whilst the risk of friendly fire (in electronic terms) from the USA has never been higher. The terrorism threat to citizens has been constantly elevated for several years and concerns rail transportation and its associated infrastructure.
