Countering a dynamic threat such as a cyber-attack necessitates an approach that goes beyond technology.
In a paper presented to the CORE 2018 conference entitled Smart railways… or not so smart: a cyber security perspective, Raymond Frangie described what the proliferation of technologically complex railways could look like.
“A cyber-security professional would see such environments as a Pandora’s box of potential critical vulnerabilities and issues and wonder, no longer a matter of if, but a matter of when, this system will join the list of other systems around the world to be breached, causing all sorts of issues such as delays, derailments, and/or in some cases, even death.”
While Australia has fortunately been immune from significant cyber-attacks on transportation systems, serious incidents have occurred overseas, leading the rail industry to increasingly ask how safe and secure are the digital systems that are central to the operation of the rail network?
The rail industry has years of experience navigating safety risks, as Michael Powell, director, technical & engineering of Thales’s Ground Transportation Systems & Secure Communication and Information Systems, outlined. However, cyber attacks are also a new kind of threat.
“The rail industry is very familiar with security and safety and has developed standards, processes, and procedures to identify the hazard, understand what the likelihood or the risk of it occurring is, and what we do about that. One of the key differences for cyber is that it tends to be deliberate and also that it’s constantly changing.”
While known and predictable hazards can be addressed through design, the dynamic nature of cyber threats poses a different challenge from that of static threats.
“For example, the risk of a train collision is something that’s known during the design phase of a project,” said Powell. “You design systems to specifically mitigate against the possibility of there being a train collision. It’s specified in the requirements and there’s tests to ensure that this doesn’t occur. Whereas with a cyber-attack there’s malware, and there’s intrusions that are changing from day to day. Things that didn’t exist in the design phase of a project exist today, which raises the question of how do you deal with those things?”
The other challenge that cyber security raises is an organisational one. With cyber security being a new area for the rail industry, it is not compartmentalised within an organisation in the way traditional threats are. This requires a flexible approach.
“When going to a customer, do you talk to the security professional, the safety professional, or do you talk to the IT department? This is different for every customer,” said Powell.
To introduce the cyber security topic, Thales will conduct a risk assessment with the customer to identify where the vulnerabilities are and what the responses could be. In some cases, Powell highlights, the solution may not be a digital one at all.
“I don’t think you can have that discussion with the customer with a solution already in mind; you need to understand what the risk is and how to handle that risk. Don’t go to the customer assuming that you need to sell cyber products. That’s not the right starting point. The right starting point is to ask what are the security risks that exist in the organisation and then what are the mechanisms by which we can mitigate those particular risks, of which one or more of those solutions could be cyber related?”
Powell gives the example of a passenger information display on a train platform that has been compromised to show an unsafe message, perhaps indicating that people should stand on the tracks.
“A solution to that may be that if there is a compromise in the system you simply shut down the information displays and instead use public announcements. The solution is not necessarily to add cyber control, which could be part of it, but it’s not necessarily the only solution.”
THE BENEFITS AND RISKS OF DIGITALISATION
While the rail industry’s embrace of digitalisation has many benefits for passengers and operators alike, according to Waël Kanoun, head of cyber solutions at Thales Middle East, there are three consequences of digitalisation that can introduce new threats, the first being complexity.
“As part of digitalisation and creating new and/or enhanced features, transportation systems are getting more complex. Complexity is an enemy to security and especially cyber security.”
The second area is reduced isolation: increased internal connectivity between transportation systems and external networks can create opportunities for cyber-attacks and facilitate their execution, with higher potential spread and impact. Traditionally, rail networks were physically separated through the use of walls and fences to prevent intrusions onto the corridor. However, the integration of rail digital systems with smartphones and mobile networks is creating new connections.
The final area is the technology itself.
“Rail is relying less on proprietary technology and more on IT technology including operating systems and networks, which are not always designed with security as a priority. As a consequence, digitised systems are inheriting any intrinsic vulnerabilities,” said Kanoun.
To put these consequences into context, Powell highlights how inseparable private mobile phones are from the way that users interact with the rail network.
“For example, your mobile phone now could be considered part of the rail system because you’re using it for timetable information. It tells you where to go, and if you need to change, but what happens if that information is wrong?”
In the case of a transport app showing incorrect information, Powell suggests that, rather than attempting to revert the change, it could be better to shut down the app altogether and rely on other methods of communicating information.
“This is why we need to talk about the risk profile, what are the mitigations, and quite often the mitigations are multiple things, of which cyber is one.”
To grapple with this issue, Thales leverages global expertise when it comes to countering cyber threats, developing systems that are cyber secure by design.
“One thing that we do is we try to use as much commercial off-the-shelf (COTS) equipment as possible, so we’re not using proprietary equipment. What we want is the marketplace to keep up to date for us because we don’t want to have to solve the same problem five times over if the market has solved it for us,” said Powell. “Of course, as a standard practice at Thales, we check everything that we deliver to our customers, irrespective of its supply origin. We’re checking that it doesn’t have any malware that has crept in through the supply chain.”
This is done through a verification and validation process, where Thales engineers attempt to hack into their own technology by injecting negative events. Proving that the system can withstand this makes it secure.
This methodology also enables solutions to be interoperable with existing or legacy systems and allows upgrades and updates to be installed in the future.
These approaches are being formalised in the development of standards for rail cyber security; however, the dynamic nature of cyber security threats means that there is little value in being prescriptive. With malware changing from one day to the next, a comprehensive process of testing and validation is key.
LEVERAGING A GLOBAL NETWORK
Thales’s cyber security services are not only a product of its involvement in the rail sector. As Kanoun noted, “At Thales, we have security in our DNA.”
This comes from Thales’s involvement in a variety of industries where cyber safety is a key concern, with developments in all these fields benefiting the rail sector, said Powell.
“Thales works on projects from satellites to naval ships. The first principles required for security have always existed in these domains, so it’s about applying these existing techniques and existing processes in Thales to a different domain.”
In addition, when a threat is countered at another location around the globe, the learnings can be applied locally.
“Thales is operating all over the world, in all parts of Europe, North and South America, Southeast Asia, and China. If a cyber threat for example occurs in one part of the world, we can integrate this into our solution and then Australia benefits from that,” said Powell.
“The scope and the scale of the company allows us to see a problem once in one location and then solve it once, and then apply this multilaterally so every customer benefits.”
Incorporating what Thales terms “secure by design” at the outset of any project avoids expensive bolt-on security, which can ultimately be less effective. Indeed, as Kanoun pointed out, cyber security should not be thought of as a product that is added on to a system.
“It can only be addressed with a comprehensive approach covering all phases from design, configuration, installation, and testing to deliver cyber-secure solutions with minimum residual risks. Cyber security must be an integral part of long-term maintenance and services by ensuring effective vulnerability management and continuous monitoring.”
Cyber security should not be thought of as a purely technical problem. As with other approaches to safety, technology is one pillar, along with processes and governance, and the proper training of people. Such a holistic approach to security is needed as digital systems become ever more central to railways.