Operators terminate contracts with Transclean

Metro Trains Melbourne and Yarra Trams have terminated their contracts with services provider Transclean.

Transclean has been at the centre of the Independent Broad-Based Anti-Corruption Commission’s (IBAC) Operation Esperance, which has heard that Transclean boss George Haritos gave cash to V/Line CEO James Pinder and Metro Trains fleet operational manager Peter Bollas in return for favourable treatment.

There have been no allegations of any corrupt behaviour between Transclean and Yarra Trams.

On Friday, November 6, Metro Trains CEO Raymond O’Flaherty said that Transclean would no longer provide cleaning services to the Melbourne rail operator.

“A rigorous tender process is already underway to appoint a long-term cleaning supplier to provide the highest standard of daily cleaning for Metro’s train fleet,” he said.

“We will make further announcements regarding this ongoing tender process at the appropriate time.”

Metro Trains had already suspended and subsequently terminated the employment of Peter Bollas, with an auditor to review procurement and probity processes.

“Metro remains committed to the highest standards of integrity across our organisation.”

Transclean had been providing after-hours depot security services to Yarra Trams since 2017; however, the operator will now be looking for a new contractor.

“Yarra Trams is terminating its contract with Transclean for after-hours depot security, and has provided the company 30 days’ notice,” said a Yarra Trams spokesperson.

A routine audit of Transclean found that there were procedure and performance issues with Transclean’s security services for Yarra Trams. These were raised with the company but were not responded to.

A separate company has provided cleaning services to Yarra Trams, including COVID-19 deep cleans.

O’Flaherty said that Metro was ensuring cleaning met community standards.

“I again want to reassure our passengers that we have a range of measures in place to ensure the daily cleaning and sanitisation of our trains meets the standards they expect. These measures include audit teams regularly checking the standard of this work.”


Protecting critical infrastructure from cyber attacks

As Australia’s rail sector has not been immune from the risk of cyber attacks, industry bodies are joining with government agencies to mitigate the ongoing threat.

In November 2016, the San Francisco Municipal Transport Agency was hit by a cyber-attack. The HDDCryptor malware spread across over 2,000 computers, meaning that the Agency’s network was opened up free for the public.

While the agency’s ability to provide transport across its fleet of light rail vehicles, streetcars, trolley and hybrid buses was not compromised, ticket machines, payment services, and emails were affected.

The hackers demanded a ransom of 100 bitcoin, equivalent to $102,644 at the time. This type of attack, shutting down a network’s computer systems and demanding a payout, is known as ransomware, and can be caused by a person simply clicking on an infected link in an email or downloading an infected file. The networked nature of large transport authorities means that this can quickly spread throughout an organisation.

While San Francisco did not pay off the hacker and was able to restore its systems by the next Monday, the hack was one of the most visible instances of how cyber threats are coming to the rail transportation sector.

Earlier that year, cyber criminals struck the rail network in NSW, targeting regional train services provider NSW TrainLink. Hackers were able to infiltrate the booking service and capture customer credit and personal data.

Unlike the San Francisco hack, this breach targeted a rail organisation’s repository of customer details, including things like bank details and personal information. The opportunistic attack exposed how people using the same passwords for multiple accounts can make a system vulnerable, and in this case, with rail operators having data on large numbers of people, they could be seen as a honeypot for potential attackers.

Western Australia’s Public Transport Authority was also targeted in an attempted attack in 2016, leading the rail agency to shut down its own website and websites for specific services such as Transperth to prevent further intrusions.

More recently, the number of cyber-attacks has been increasing. In May 2020, Swiss rail manufacturer Stadler reported that hackers had targeted the company hoping to extort a large amount of money and threatening the publication of data to hurt Stadler and its employees. Although not impacting production lines, the hack came a week after Australian logistics operator Toll also suffered a ransomware attack, the second that company had suffered in 2020.

A spokesperson for the Australian Cyber Security Centre (ACSC) reiterated comments made by Minister for Defence Linda Reynolds that malicious cyber activity against Australia is increasing in frequency, scale, and sophistication.

“Rail, and the transport sector more broadly, is part of Australian critical infrastructure and provides essential services to Australians,” the spokesperson said.

Ransomware attacks are becoming more common for organisations across the rail sector. As these few examples demonstrate, the reliance of all parts of the rail industry on digital systems means that cyber-attacks are not targeting any one sector of the industry. Furthermore, as large, often widely distributed organisations that deal with personal and safety critical information, the rail sector has many facets of the organisation that are involved with cyber security, not only in operational roles.

“A cyber incident involving critical infrastructure can seriously impact the safety, social or economic wellbeing of Australians, due to the significant disruption it can cause if the systems are damaged or unavailable for extended periods of time,” said the ACSC spokesperson.

This is not to suggest that the rail sector has been blind to the risk posed by cyber-attacks. In the UK, in 2016, the Department for Transport published the Rail Cyber Security: reducing the risk of cyber attack guidelines. In the document, the increasing threat of cyber-attacks in the rail industry is clearly stated.

“Railway systems are becoming vulnerable to cyber-attack due to the move away from bespoke stand-alone systems to open-platform, standardised equipment built using Commercial Off-the-Shelf (COTS) components and increasing use of networked control and automation systems that can be accessed remotely via public and private networks.”

These vulnerabilities leave the rail sector open to impacts of cyber-attacks, from threats to safety, disruptions of the network, economic loss, and reputational damage. The guidelines outline how rail organisations should respond, from the level of governance, through to design, the integration of legacy and third-party systems, and staff training.

As the spokesperson for the ACSC outlined, as rail reaps the benefits of digitalisation, there are also challenges.

“The rail sector is continually modernising through the adoption of new operational technologies. However, with this, comes potential cyber security vulnerabilities,” said the spokesperson.

“The increased adoption of inter-connected technologies has the potential to increase the cyber threat ‘attack surface’.”

In the case of passenger networks, bespoke systems such as electronic signage, ticketing systems, electronic passenger gates, building management and public address systems are areas of concern. In the freight sector, the interconnectedness of the industry and its automation contributes to the vulnerabilities the sector faces.

The exposure of the rail sector was highlighted in a 2016 Victorian Auditor-General report into the security of critical infrastructure control systems for trains. After a 2010 report identified weaknesses, the 2016 report found little improvement since then.

The reasons for the lack of progress were poor governance arrangement, limited security frameworks for control systems, limited security controls for identifying, preventing, detecting, and responding to cyber security events, and a poor transfer of accountability and risk during machinery-of-government changes.

In the Auditor-General report, 10 recommendations were made, all of which were accepted by Public Transport Victoria and the Department of Economic Development, Jobs, Transport and Resources, which has since been broken up into the Department of Transport and the Department of Jobs, Precincts and Regions.

Since the Victorian Auditor General’s report, moves have been made to standardise and improve the Australian rail industry’s cyber security response. In 2018 the Rail Industry Safety and Standards Board (RISSB) published its Australian Rail Network Cyber Security Strategy. Identifying similar threats, the document outlined the vision for the industry of the elimination of cyber risk, resulting in zero cyber-attacks on the Australian rail network. To do this, the strategy follows the principles of understand, protect, detect, and respond.

In addition, also in 2018, RISSB published AS 7770 – Rail Cyber Security, the Australian standard for managing cyber security risk on the Australian railway network.

To improve the response of the rail sector to the cyber security threat, ACSC provides sector-specific resources and materials.

“The ACSC is working with all critical infrastructure sectors to help them increase their cyber defences as well as transport sector entities through the ACSC Partnership Program.”

The ongoing adoption of industry standards as well as the implementation of sector-wide strategies will ensure that the rail industry continues to be prepared to deal with cyber attacks as the threats morph and change.

Security ramp-up continues for Adelaide networks

The South Australian Government will roll out additional security measures across the state’s public transport system from July 1.

The plan is part of the phase three rollout of the three-year Wilson Security contract signed by the previous state government in 2017. (Phase one and phase two of the contract rolled out in October 2017 and February 2018.)

The measures will implement more guards and patrols across public transport routes, including an increase in roving guards from four to 16.

These guards will move between train, tram and bus stations, interchanges and stops in order to boost security presence across the network. Vehicle patrols will also be increased to six rapid response vehicles with two security guards each to check the network at night and respond to incidents.

On-board evening guards will also continue to operate on Gawler, Seaford and Outer Harbour line services.

The news follows the announcement of $2 million in safety spending by the South Australian Government to install CCTV cameras and lighting at several stations, including Woodville, Broadmeadows, and the Adelaide Entertainment Centre tram stop.

“By having more roving guards and more rapid response units, security can be dispatched faster to respond to any incidents across our public transport network,” said Minister for Transport Stephan Knoll.

“These ‘hopper’ or roving guards will operate between trains, trams, buses, stations, stops and interchanges to deter and to deal with serious incidents for staff and customers.

“We are also using smarter, evidence-based targeting of incident hotspots to better direct security resources where they are needed most.”