The convergence of information technology and operational technology, and the associated paradigm shift toward Industry 4 in complex systems such as railways, has brought significant benefits in reliability, maintainability, operational efficiency and capacity, as well as improvements in passenger experience. However, with the adoption of information and communications technologies in railway maintenance, vulnerability to cyber threats has increased. It is essential that organizations move toward security analytics and automation to improve security, prevent breaches and quickly identify and respond to security events.
Railway infrastructures are moving towards more intelligent, connected, user-centric and collaborative systems. While this brings many advantages for the industry and users, it also creates new opportunities for cyber-criminals and terrorists. Are the authorities nurturing an environment where Train Operators can grasp the opportunities without exposing themselves and passengers to cyber attack…
The Williams Report is due out this Autumn. It will probably say a lot of things about the rail industry and the current failure of franchising. But it could equally be saying this about Cyber and the looming threat presented by enemies of the UK’s critical national infrastructure. This paper looks at the present situation, why rail is so important to the UK and why, then, Williams will probably not be enough.
Passenger figures have been rising almost without a pause since 1994-5. This follows the creation of 25 Train Operating Companies (TOCs) to fulfil the requirements of the UK Government’s rail privatisation policy under the Railways Act 1993. Present demand for passenger miles has not been seen since the 1920s; the railway carries over four million passengers on an average day. This is despite punctuality and reliability being the largest cause for complaint.
Passenger trains are usually operated by TOCs through franchises. These are won and lost through competitively tendered contracts offered by the Department for Transport (DfT) in England and devolved governments in Scotland and Wales. A small number of services such as Cross Country are through ‘open access’ operators who must obtain the appropriate licenses from the Office of Rail and Road (ORR) but take full commercial risk. The TOCs themselves are privately owned concerns parented by multinational, multifunctional shareholdings operating on a profit-for-service basis.
The trains are built by international industrials such as Hitachi, Siemens and Bombardier. They are supplied by private sector rolling stock leasing companies funded by banks and shareholdings, referred to as ROSCOs. The ROSCOs were especially created during privatisation to lease trains to operators and also fund the purchases of new rolling stock.
However, it is not just a capitalist gravy train. As well as the DfT and the ORR, there were two watchdogs created by Parliament to monitor performance and compile passenger surveys – they are Transport Focus and, for London, TravelWatch. In addition, the Rail Delivery Group (RDG) brings together the industry’s operators with DfT and Network Rail and is the “public face”. The Rail Safety and Standards Board is an industry-funded body which researches safety issues.
Network Rail is responsible for the ownership, management and maintenance of the physical network and has been wholly owned by the state since 2014. The ORR is the statutory regulator which monitors the budgets and performance of Network Rail. It also compiles statistics and enforces safety; the Rail Accident Investigation Branch issues reports on a ‘no blame’ basis.
The Department for Transport, as well as awarding and managing the TOC franchises, sets railway policy and funding in England and is accountable to Parliament. The DfT also decides how much regulated fares (45% of total) rise each January.
Is there a case for change?
The strengths of the UK railway are:
The railway industry makes an important annual contribution to the national economy which is valued at over £10 billion. Railways are vital to UK efficiency; getting people and freight to places to service growth, home consumption and exports. It is in surprisingly good shape, though its criticality to the nation leads many to join the ‘We own it’ clamour for public ownership. Foreign involvement in our critical national infrastructure particularly excites the critics, especially in the toxic atmosphere of Brexit and Euroscepticism.
But what would be lost by public ownership? Firstly, the funding invested by the franchise holders over a typical five-year period; the railways have benefitted from the direct investment in new rolling stock on an average of £820 million over the five-year period. It is estimated that a further £3.1 billion is being spent by the ROSCOs. Renationalisation would wipe some £4 billion of investment away. There is also an argument that the private sector is less risk-averse on financial initiatives such as GWR investing in the Hitachi Class 802s to replace the old HSTs which would cost more to maintain – such investment under public ownership might be more constrained by public care and political constraint as well as macro-economic tendencies to avoid boom or bust inflation/deflation; travellers would wait longer for the advantages new technology and innovation delivers.
The present franchise contract system cannot however continue in its present guise. The contracts that have been offered involve appreciable risk for franchise holders, and this risk now seems more than many parts of the market are willing to accept. Both Stagecoach/Virgin and Arriva attempted to reduce the risks associated with funding railway pensions and this led to four bids (West Coast partnership, South Eastern and two for East Midlands) being rejected by the DfT in April. Other franchise bidders have walked away from competition, including Stagecoach (Greater Anglia 2015), MTR (West Midlands 2016), Trenitalia (South Eastern, 2017), Arriva (Wales & Borders, 2017) and Abellio (Wales & Borders, 2018). National Express Group is no longer bidding for British franchises after it sold c2c to Trenitalia in 2017, although it is still running trains in Germany.
The fundamental weakness of franchising, the question of DfT’s infallibility, was seen back in 2012. The competition run by the DfT for the Intercity West Coast Franchise was challenged by Virgin, who claimed the DfT’s calculations had been inconsistent. Although FirstGroup was named as the winning bidder, DfT were forced to admit to “significant technical flaws” in the way the franchise process was conducted. The cost to the taxpayer of the whole exercise and refunding the expenses to all four bidders was over £45 million. Since then, things have only got worse with many contracts being awarded with overrun buffers, and direct awards are being made to incumbents to avoid the hassle. The West Coast franchise has only now been put out to tender, the South Eastern competition has been cancelled and bidders are being ruled non-compliant due to pension arrangements.
There is no real prospect of breathing new life into the franchise schema unless the inherent risks involved in franchising are removed. This means that some risk must be re-assumed by the government – the taxpayer must ease the commercial risk. It is expected that the Williams report will recommend a half-way house, something like the “concession” contracts that exist for trams in Manchester, the DLR in London and metro services in Liverpool. These types of service contract are underwritten by European Regulations (2016) and defined as:
“the means by which one or more contracting authorities or utilities entrust the provision and the management of services to one or more economic operators, the consideration of which consists either solely in the right to exploit the services that are the subject of the contract or in that right together with payment”.
In essence the operating company is paid a fee for managing the delivery of the service without the commercial risk of meeting delivery costs from fares. An example of this is the Thameslink franchise which has an unusual structure: it is a management contract where fare income does not go to GTR. Under their original contract, Department for Transport will pay GTR £8.9 billion over the first seven years and receive all revenue. Consequently, the company carries less revenue risk. This form of franchise was chosen because of long-term engineering works anticipated around London, which would be a significant challenge to organise within the normal form of franchise.
So the Williams report is forecast to de-risk the operation of the railway so that ‘concessions’ replace franchises, making it less risky to enter into the obligation of providing service while remaining attractive for private finance to invest in state-of-the-art rolling stock, but it will probably not say anything about cyber. But there is risk, real risk, in ignoring cyber, and why can’t re-aligning the industry towards a high-quality, low-risk enterprise also address the question of cyber? Why can’t the way TOCs deal with cyber be written contractually into their relationship with the regulator, the DfT, the Government, just as Thameslink’s “significant engineering costs” were enveloped in the terms agreed with GTR?
There are two areas of cyber risk facing the TOCs today. The first is to do with the underlying IT infrastructure which supports the financial and personal systems that collect fares and pay staff. The networks and IT systems supported on those networks also provide station and platform management, rostering, managing and maintenance of trains and getting staff, drivers, guards and station support to the right place at the right time. The second cyber risk concerns the increasing in-flight reliance on IT: the on-board networks supporting Wi-Fi, CCTV, door operation, brakes and passenger information systems. With satellite, radar, cable, fibre optics and radio communications all supporting train movement and speed, stop and start, there are major concerns about how an attack might cause delay and disruption, even loss of life.
To take the issue of support systems first, these are covered by the Security of Network and Information Systems (NIS) Regulations. These regulations define, amongst others, the train operating companies as Operators of Essential Services (OES) and the regulator, the DfT, as the “Competent Authority”. The latter is obliged to judge the TOCs’ compliance with the Regulations, just as it is in charge of awarding franchises. In order to judge compliance, the DfT issued to each TOC a spreadsheet, a Cyber Assurance Framework (CAF), that had been compiled by the technical authority, the National Cyber Security Centre (NCSC). The CAF was set out as 14 Principles under 4 main Objectives:
The CAF provides guidance and describes outcomes and indicators of good practice for achieving those outcomes. TOCs were asked to complete the CAF spreadsheet in order for DfT to gauge how close to the required outcomes their respective cyber defences were: i.e. how many indicators of good practice they had achieved, to what degree or to what outcome. Submissions were made in March this year and DfT returned comments, questions and requests for more information in mid-Summer. They also requested an outline plan to achieve these goals within eighteen months. The answers and plan are required back to DfT in the coming weeks.
The overall effect of the NIS/CAF exercise is to reduce the operational risk, potential delay and disruption caused to the delivery of essential services, critical national infrastructure, from a cyber attack on the underlying critical systems supporting delivery. It was not really about safety (the railways do that very well) but about UK PLC productivity. That is why it did not actually include rolling stock or the IT (really it is Operational Technology, OT) on board the rolling stock, the latter being clearly the business risk owned by the franchise owner. There are a number of issues that arise from this: firstly, compliance with the NIS CAF was not written into the original or subsequent franchises; secondly, while safety is a by-product of cyber resilience, so too are productivity and punctuality. Cyber resilience is therefore applicable to both support (on-shore) IT and that which is on board. Both affect the productivity of the UK, both get the workers to work on time, and neither was covered by the franchise. It is a risk that is not de-coupled from operation and not included in the Williams report. There needs to be a NIS for OT.
Compliance with the NIS/CAF calls for major and unforeseen expense on behalf of the TOCs. Though cyber investment is a major element in the planning of all businesses these days, all faced with financial and operational risk as well as compliance and reputational risk, these investments have to be paid for, either by increased efficiency or increased prices. It is not clear that increased efficiency is a product of cyber investment in rail; the adoption of more efficient systems more often leads to an increased cyber threat/risk. It seems unlikely that the current franchise system can address this – how many TOCs will engage in long-term commitments to cyber security controls such as expensive Security Incident & Event Management Systems (SIEMS) when the cost benefit cash flow extends beyond the franchise date? There is definitely scope for a more proportionate and equitable assumption of the risk between customer (HMG) and supplier (TOC) in this case.
Examination of the second issue, in-flight cyber defence, will show that the four objectives of the NIS CAF (described above) – Manage, Protect, Detect and Minimise – are as much required for on-board ICT as they are for the supporting Networks and Information Systems. A set of indicators of good practice – standards – is needed for OT. Threat sources can and will target insiders of both communities with phishing and ransomware, able to corrupt key personnel to channel privileged and administrator attacks from the inside.
Increased efficiency will result from the roll out of the European Rail Train Management System (ERTMS). ERTMS was pronounced to be a major driver for economic growth early in its development. Passenger number forecasts are rising by 3% per annum, meaning that the current 1.6 billion journeys per year will have risen to three billion by 2035. Some examples of the predicted increase per route are WCML 201%, Thameslink 171%, GW Suburban 108%, South West Trains to Woking 154%, Southern Suburban to Caterham 149%. Handling this capacity is not just aligned to signalling but will need to embrace customer interfaces, ticketing, journey planning, infrastructure operations and the whole operational framework.
ERTMS (especially the ETCS – European Train Control System – element) is very much part of this and should yield around a 40% increase in capacity. Spin-offs include a 10% reduction in delay minutes through better reliability, an 80% reduction in SPADs (signals passed at danger), a 50% reduction in the need for lineside work, energy savings from better regulation of trains and improved utilisation of maximum line speed. Needing to go hand in hand with Traffic Management Systems (TMS), ETCS will be introduced on a route-by-route basis with the initial plan covering the period 2019 to 2029. And we will see, with anxiety, that all this efficiency needs to be protected.
The Threat Landscape contributes to this anxiety. The capability of Hacker Groups to target SCADA and their focus on CPNI (see http://www.il7security.com/threat landscape/) make them a primary threat source. In the main era of competition between railway manufacturers, Franchisees and ROSCOs, the threat was industrial espionage or criminals. Today, the threat comes from unfriendly nation states and the potential of terrorism. Today the heads of the security services (MI5, MI6 and GCHQ) and armed forces readily admit they are at constant electronic war with Russia and China, whilst the risk of friendly fire (in electronic terms) from the USA has never been higher. The target is the UK Critical National Infrastructure and the Railway is included. The terrorism threat to European citizens has been constantly elevated for several years and concerns rail transportation and its associated infrastructure, which provide mass transport. Both rail operation and its infrastructure are recognised as critical priorities because of the economic and security impacts of terrorist attacks (loss of service, destruction of vehicles, and destruction of infrastructure). Extended consequences for the surrounding businesses are also expected, as well as damage to the reputation of the railway as a safe and secure transport system. The railway must be recognised as an attractive target for security (cyber) attackers, because of its familiarity, ease of access and openness. Coordinated attacks that target different rail services simultaneously show that more subtle actions than bombings can be carried out by terrorists with limited resources and without major financial backing. Terrorists can base their action methods on the vulnerabilities of the technologies employed. Equally, electromagnetic terrorism is based on causing the failure of equipment or devices which serve the efficiency and safety of railway systems.
In the extreme case, threats that escalate into safety concerns may be just as terrible as bombs or other attacks that lead to derailment, train crash and loss of life.
There is a myriad of potential dangers with regard to secure operation of Operational Technology. These include built-in obsolescence of diagnostic, maintenance and operating tools – often not upgraded from early Microsoft or proprietary, long defunct operating systems. This extends to networked connectivity between comfort and operational systems, lack of malware checking and shared usage and access to systems. However, while these are important and need to be addressed through a Code of Practice similar to the NIS CAF, this paper would like to concentrate on the current most talked about technological developments, GSM-R and ERTMS. These are the issues that require to be supported by central authority sponsorship and protection rather than being left to the mercy of competitive, profit-based implementation.
GSM-R is a standard communication platform for railways. It is a strategic communication system focused on the interoperability between European railway infrastructures. By the end of 2016, 56 countries in five continents should have operational GSM-R networks. Its specifications are widely disseminated. Europe is leading GSM-R implementation in 11 countries (Austria, Belgium, Czech Republic, France, Germany, Italy, the Netherlands, Norway, Spain, Sweden and Switzerland). In 2011, GSM-R deployment provided coverage of about 30% of the European railway network with 68,000 km in operation; 156,000 km are planned to be covered (70% of the European railway network). The main objectives of GSM-R are to replace analogue radio communication and to provide a single data transmission solution for ERTMS/ETCS (both level 2 and level 3).
GSM-R is an evolution of public GSM dedicated to railway application. Therefore, GSM-R has similar characteristics to those of public GSM system. GSM-R functionality is built on standards and recommendations supported by mainly two organisations, ETSI (European Telecommunications Standards Institute) and UIC (Union Internationale des Chemins de fer, International Union of Railways). ETSI technical committee RT (Railway Telecommunications) is responsible for those aspects of Global System for Mobile communications standardization which are specific to Railway (GSM-R) and Private Mobile Radio (PMR) operations. UIC specifies through its EIRENE (European Integrated Railway Radio Enhanced Network) project, a digital radio standard for the European railways. It forms part of the specification for technical interoperability.
GSM-R performances are guaranteed for high-speed conditions (up to 500 km/h). A common European frequency band is allocated to GSM-R below the frequencies of the public GSM standard. The allocated frequency bands are for the uplink: 876 MHz – 880 MHz and for the downlink: 921 MHz – 925 MHz. GSM-R has its own cellular network installed along the track designed to provide a minimum level of received power > -95 dBm anywhere along the track. This is a mandatory requirement coming from the EIRENE specifications. This represents a limited level of power with the potential of being jammed.
The GSM-R band occupies the 4 MHz central part of this 10 MHz band. A single GSM-R beacon channel, providing strong radio coverage of the station, is received in the GSM-R band; Line of Sight (LOS) of the corresponding GSM-R BTS antenna is nearly possible from this measurement location. Another, weaker, GSM-R BTS signal is also discernible higher in frequency, corresponding to a farther GSM-R BTS. The upper part of the band is fairly busy due to the number of cellular phone users in the station and its surroundings. The lower part of the monitored band is free of activity.
The deployment of ERTMS not only homogenises the technologies to manage the trains over the European territory, but also the vulnerability points to EM interferences. Some examples can be set up in the context of the harmonisation of systems and rules due to interoperability requirements for all operational domains in the rail transportation in Europe (operation, control, management, maintenance…). These include the strategy to reduce the number of control centres of the track switches in Europe that will rely on interlocking remote-controlled systems in order to activate switches. Thus, if a terrorist is designing an intentional Electromagnetic (EM) emissions device capable of disrupting management systems for rail infrastructure in Berlin, for instance, the same device will have the same attack capacity in all European cities. This will cause immediate economic consequences and possibly more…. Harmonisation thus facilitates the implementation of organised and simultaneous EM attacks.
The ease of implementing an EM attack will notably depend on the accessibility of the devices required to generate a given EM attack signal. Today, with the proliferation of telecommunication applications, it is really easy to obtain equipment providing relatively low-level power interference able to jam wireless communication signals. Consequently, in SECRET, priority is given to the study of the potential impacts of low power interference sources, such as jammers, on wireless railway communication systems.
Meanwhile, the technologies and frequencies employed in the railway field can be similar to technologies and frequencies used for applications available to the general public. Indeed, the railway no longer develops proprietary technology but adapts general public technologies. This increases the vulnerability of the railway because it is easy to obtain emission devices capable of disrupting rail technologies. With a relatively low basic knowledge of electronics and the performance of electronic components and antennas available on the open market, these emission devices can be combined with amplifiers to increase the capacity of EM attacks. Given the potential vulnerability of the railway network and the ease of implementation of such EM attacks, we chose to work on an integrated solution to ERTMS offering the capability of detecting EM attack situations and engaging appropriate responses to maintain the security and capability of the railway network.
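The detection capability described above, shown as monitoring logic over trackside measurements that uses the GSM-R downlink band and the -95 dBm minimum quoted earlier in this article. This is an added example, not code from the article or from any rail project; the `Sample` fields, the 12 dB carrier-to-interference margin, the two-sample debounce and the measurement values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Values stated in the article.
DOWNLINK_BAND_MHZ = (921.0, 925.0)  # GSM-R downlink allocation
MIN_RX_LEVEL_DBM = -95.0            # received power must exceed this along the track

# Assumption for this example (not from the article): smallest acceptable
# carrier-to-interference ratio before the radio link counts as degraded.
MIN_C_TO_I_DB = 12.0


@dataclass(frozen=True)
class Sample:
    track_km: float     # position of the measurement along the line
    freq_mhz: float     # centre frequency of the measured channel
    carrier_dbm: float  # received level of the serving BTS carrier
    floor_dbm: float    # noise-plus-interference level in the same channel


def classify(s):
    """Separate a coverage problem from in-band interference."""
    lo, hi = DOWNLINK_BAND_MHZ
    if not lo <= s.freq_mhz <= hi:
        return "out_of_band"
    if s.carrier_dbm <= MIN_RX_LEVEL_DBM:
        return "coverage_hole"   # weak carrier: a planning or equipment fault
    if s.carrier_dbm - s.floor_dbm < MIN_C_TO_I_DB:
        return "interference"    # healthy carrier, raised floor
    return "ok"


def flag_segments(samples, min_run=2):
    """Group consecutive flagged samples into track segments.

    Returns tuples (status, start_km, end_km, n_samples, floor_rise_db), where
    floor_rise_db is the highest floor in the segment minus the median floor of
    all healthy samples. Runs shorter than min_run are dropped as transient.
    """
    ordered = sorted(samples, key=lambda s: s.track_km)
    ok_floors = [s.floor_dbm for s in ordered if classify(s) == "ok"]
    baseline = median(ok_floors) if ok_floors else None
    segments, run, run_status = [], [], None
    for s in ordered + [None]:          # None is a sentinel that flushes the last run
        status = classify(s) if s is not None else None
        if status != run_status:
            if run_status in ("coverage_hole", "interference") and len(run) >= min_run:
                rise = None if baseline is None else max(r.floor_dbm for r in run) - baseline
                segments.append((run_status, run[0].track_km, run[-1].track_km, len(run), rise))
            run, run_status = [], status
        if s is not None:
            run.append(s)
    return segments


# Constructed measurements for one beacon channel (not real survey data).
CONSTRUCTED_SAMPLES = [
    Sample(10.0, 923.2, -78.0, -108.0),
    Sample(10.5, 923.2, -80.0, -107.0),
    Sample(11.0, 923.2, -97.0, -108.0),  # carrier below the minimum
    Sample(11.5, 923.2, -98.0, -109.0),
    Sample(12.0, 923.2, -79.0, -108.0),
    Sample(12.5, 923.2, -81.0, -88.0),   # carrier fine, floor raised
    Sample(13.0, 923.2, -80.0, -85.0),
    Sample(13.5, 923.2, -82.0, -86.0),
    Sample(14.0, 923.2, -80.0, -109.0),
    Sample(14.5, 923.2, -83.0, -90.0),   # single sample, dropped by the debounce
]

if __name__ == "__main__":
    for seg in flag_segments(CONSTRUCTED_SAMPLES):
        print(seg)
```

Separating the two outcomes matters operationally: a coverage hole is routed to radio planning, while a raised floor under a healthy carrier is the pattern worth escalating for investigation.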
ERTMS and its implementation in the future is a shared responsibility of the TOCs, Network Rail and their respective supply chains. ERTMS is made of two main subsystems: ETCS, managing the movement authorities, and GSM-R, used for both voice communication and the transmission of ETCS data in ERTMS Level 2 and Level 3 between the infrastructure and the mobiles. For ERTMS Level 2 and Level 3, the movement authority is communicated directly from a Radio Block Centre (RBC) to the on-board unit through the GSM-R network. For the future of (mainline) signalling systems based on ERTMS Level 3, accurate, continuous and safe position data will need to be supplied to the control centre directly by the train, rather than by track-based detection equipment. As the train continuously monitors its own position, there will be no need for ‘fixed blocks’; rather the train itself will be considered as a ‘moving block’. No more track circuits or axle counters will be necessary for the detection of the trains. These two levels have been designed to increase safety and capacity on the railway lines. Highly performant, resilient and secure communication is an important aspect of the future evolution. GSM-R, a circuit-switched technology, today provides low performance compared to modern standards based on packet-switched technology. The system is now reaching its limits and is facing a number of drawbacks, compared to the evolutions of the system: for instance, the long call procedure, the non-optimised use of available bandwidth, which limits the number of trains capable of being controlled in certain areas, and the low bit rate are issues that are hindering the proper performance of the system.
On the ETCS side, the vision is based on the exchange of information between the on-board and the trackside equipment through an IP network, independently of a specific bearer, providing that the essential performance requirements of ETCS are met. The performance of ERTMS Level 2 and Level 3 relies (in addition to parallel evolutions in ETCS) on transmission speed and quality. Indeed, for these levels, a continuous, secure and fast communication between the train and the track is essential and a prerequisite in order to guarantee an optimum performance level of the entire system. How to ensure that those requirements are guaranteed? How to ensure that the focus will be put on the performances of the data transfer and not on the type of bearer or the type of network (whether it is public or private)? The GSM-R technology, whose specifications were developed starting from the 1990s, is now showing its limits, especially taking into consideration the foreseen evolutions of ETCS and additional functions like Automatic Train Operation (ATO). A complete independence of ETCS from the communication bearer will allow for the use of more performant and modern standards. The introduction of packet switched technology, in a first step GPRS/Edge, will allow for an increased speed of data transmission. An IP-based communication wireless network, as imagined today, will be one key element to transmit additional information related to train position, maintenance data or ATO data. Further down the road, LTE (Long Term Evolution) or satellite applications are also expected to be used for ERTMS. In Europe, GSM-R is expected to become obsolete by 2025. Outside Europe, some customers cannot use GSM-R to deploy ERTMS Level 2 and are currently looking for alternatives. Indeed, some projects have already been developed with ERTMS using other communication standards, like Tetra for instance. 
The consequences of moving to an IP-based communication system are the following: the on-board architecture will have to be adapted; the EVC (European Vital Computer) will get an IP port to communicate with a new ‘intelligent’ EDOR (ETCS Data only radio IC), which will be capable of continuously choosing the best available bearer.
The European railway sector is currently preparing for a long-term evolution. This evolution has to be properly managed through the drafting and agreement on a roadmap for future European standard in order to ensure backward compatibility, a key element to preserve investments made by railways and suppliers. This evolution of ERTMS is also important for the implementation outside of Europe. Nowadays, modern telecom standards are all ‘IP-based’. ERTMS will have to adapt to these new standards in the future ensuring that investments already made will not be lost. The concept of backwards compatibility also has to be introduced in this context. This is imperative in the framework of the management of the evolutions of the system: adapting to a new environment and to customers’ needs whilst ensuring that already-made investments by others are taken into consideration.
There is a massive argument for Government intervention and support for this. From the research and development of technology, its supply chain to its through life support there needs to be rigour and regulation, even more so than the NIS style best endeavours and outcomes of the NCSC CAF. Security by Design is key throughout the implementation of ERTMS and its successors, engaging better encryption for GSM-R and its successors and for removing the common trick in the industry of in-built obsolescence in both software and hardware. The reach of the regulator, DfT must be long and thorough forcing quality standards throughout the lifecycle of a vehicle delivery. Rail Standards need teeth not the soft suck of quangos.
Conclusions drawn are that there are many challenges for the Rail Industry to meet in the adoption of new technology. The Private Rail Sector faces its biggest challenge from implementing ERTMS in an environment rife with cyber threat and the financial complexities, ambiguities and anomalies of franchising. Is it time for Franchising to go? A resounding yes follows from a realisation that the risks need to be shared in the national interest and cannot be trusted to the vagaries of the marketplace: one major cyber attack may lead to a mass exodus from the industry, both of entrepreneurs and the capital they need, leaving the government a massive headache to support a critical network and business enabler at possibly a critical time. The danger is the failure of franchising is seen merely as an excuse to re-nationalise the industry. This needs far deeper examination as investment needs to be spurred on by the promise of better returns for better technology and not be constrained by the peaks and troughs, the needs and wants of a macroeconomic political policy. Where Williams might recommend taking the risk out of private investment in the railways by granting commissions to private operators, these “commissions” can include Government funding for Cyber Defence, not just to operators but manufacturers and suppliers, ensuring security in design and in practice. It must also include support from the regulator as well as that other publicly owned body, Network Rail. Network Rail is committed to Cyber Security and this must include not just its IT networks, systems and infrastructure, but its trackside and Network Rail OT supporting onboard TOC OT. The Network Rail SOC can be linked to TOC SOCs both for NIS compliance and to support onboard network defences. 
For commissions to be given to the private sector, within this environment of support and shared risk, shareholders and profit seekers can still make reasonable profit while contributing to the safety, the security, the efficiency and the overall viability of the National Economy.