A report by the European Union Agency for Cybersecurity (ENISA) has outlined the growing threat of cyber-attacks to rail networks across the UK and Europe. As attackers have become more sophisticated in their approach, new and complex threats have emerged, ranging from malware to insider attacks and Distributed Denial of Service (DDoS) attacks.
With rail passenger numbers rising again after the lifting of coronavirus restrictions, finding the right balance between physical security and digital safety is imperative for the future of the rail network.
The Evolving Nature of Cyber-Threats in the Rail Industry
Most trains have a working life of more than 25 years and will undergo significant changes during their lifespan with new connected systems added by every owner or operator. Vulnerabilities can appear as information systems are added, replaced and connected.
The modern railway is, in essence, now a network of connected devices processing and analyzing data. With up to one hundred digital systems onboard, some of which are older and difficult to update, a single train represents a large attack surface for a determined attacker.
There are also the challenges that come with combining the old with the new. As the rail industry has evolved in recent decades, there have been large-scale increases in the number of digital systems onboard and in signaling networks. This has increased the number of potential cybersecurity vulnerabilities on the network.
New systems tend to be more complex than those found on older rolling stock and OT infrastructure, and as more of the network becomes connected, there is a greater potential vulnerability, particularly at the points where new and legacy systems meet. Where there used to be gaps between these systems, there is now a digital connection, so cyber-attacks can more easily move across the network as these legacy systems become accessible and, therefore, potentially vulnerable.
On a technical level, the priority is to identify all the connected systems on a network and understand the behavior and traffic flows between them. Only then can the industry implement monitoring systems to ensure that anything out of the ordinary is identified and stopped in real time.
Building a Cybersecurity Culture
The primary objective is always to protect a system’s essential functions and maintain the safety and availability of the rail network. Traditionally, cybersecurity in the rail industry has focussed on developing and implementing technical products and solutions, often as a quick fix in response to specific vulnerabilities.
With long-term cyber-resilience key to a safe rail network, building an effective cybersecurity culture within the industry – one where everyone is security conscious and understands the role cybersecurity plays in digital safety – is the next step in the evolution of rail.
Encouragingly, the industry is already making positive strides to build a proactive cybersecurity culture in response to new standards and legislation to improve cyber-resilience across both the UK and Europe.
The Right Direction
The NIS Directive on the security of network and information systems now requires operators to boost levels of cybersecurity and develop a more effective cybersecurity culture. This has helped rail companies focus on implementing better cybersecurity programs to manage risk more effectively.
New technical specifications, including IEC 62443 (global) and TS 50701 (Europe), also give more straightforward guidance on cybersecurity requirements for rolling stock and signalling, and help those working in the industry develop a clear understanding of the numerous connected train and trackside systems.
As practices evolve, cybersecurity is being integrated into the design of critical transport systems, driving the industry into an era of increased collaboration as part of a new approach to managing all safety risks, including those of a digital origin.