cyber attacks

Protecting critical infrastructure from cyber attacks

As Australia’s rail sector has not been immune from the risk of cyber attacks, industry bodies are joining with government agencies to mitigate the ongoing threat.

In November 2016, the San Francisco Municipal Transport Agency was hit by a cyber-attack. The HDDCryptor malware spread across over 2,000 computers, meaning that the Agency’s network was opened up to the public for free.

While the agency’s ability to provide transport across its fleet of light rail vehicles, streetcars, trolley and hybrid buses was not compromised, ticket machines, payment services, and emails were affected.

The hackers demanded a ransom of 100 bitcoin, equivalent to $102,644 at the time. This type of attack, shutting down a network’s computer systems and demanding a payout, is known as ransomware, and can be caused by a person simply clicking on an infected link in an email or downloading an infected file. The networked nature of large transport authorities means that this can quickly spread throughout an organisation.

While San Francisco did not pay off the hacker and was able to restore its systems by the next Monday, the hack was one of the most visible instances of how cyber threats are coming to the rail transportation sector.

Earlier that year, cyber criminals struck the rail network in NSW, targeting regional train services provider NSW TrainLink. Hackers were able to infiltrate the booking service and capture customer credit and personal data.

Unlike the San Francisco hack, this breach targeted a rail organisation’s repository of customer details, including things like bank details and personal information. The opportunistic attack exposed how people using the same passwords for multiple accounts can make a system vulnerable, and in this case, with rail operators holding data on large numbers of people, they could be seen as a honeypot for potential attackers.

Western Australia’s Public Transport Authority was also targeted in an attempted attack in 2016, leading the rail agency to shut down its own website and websites for specific services such as Transperth to prevent further intrusions.

More recently, the number of cyber-attacks has been increasing. In May 2020, Swiss rail manufacturer Stadler reported that hackers had targeted the company hoping to extort a large amount of money and threatening the publication of data to hurt Stadler and its employees. Although not impacting production lines, the hack came a week after Australian logistics operator Toll also suffered a ransomware attack, the second that company had suffered in 2020.

A spokesperson for the Australian Cyber Security Centre (ACSC) reiterated comments made by Minister for Defence Linda Reynolds that malicious cyber activity against Australia is increasing in frequency, scale, and sophistication.

“Rail, and the transport sector more broadly, is part of Australian critical infrastructure and provides essential services to Australians,” the spokesperson said.

Ransomware attacks are becoming more common for organisations across the rail sector. As these few examples demonstrate, the reliance of all parts of the rail industry on digital systems means that cyber-attacks are not targeting any one sector of the industry. Furthermore, as large, often widely distributed organisations that deal with personal and safety critical information, the rail sector has many facets of the organisation that are involved with cyber security, not only in operational roles.

“A cyber incident involving critical infrastructure can seriously impact the safety, social or economic wellbeing of Australians, due to the significant disruption it can cause if the systems are damaged or unavailable for extended periods of time,” said the ACSC spokesperson.

This is not to suggest that the rail sector has been blind to the risk posed by cyber-attacks. In the UK, in 2016, the Department for Transport published the Rail Cyber Security: reducing the risk of cyber attack guidelines. In the document, the increasing threat of cyber-attacks in the rail industry is clearly stated.

“Railway systems are becoming vulnerable to cyber-attack due to the move away from bespoke stand-alone systems to open-platform, standardised equipment built using Commercial Off-the-Shelf (COTS) components and increasing use of networked control and automation systems that can be accessed remotely via public and private networks.”

These vulnerabilities leave the rail sector open to impacts of cyber-attacks, from threats to safety, disruptions of the network, economic loss, and reputational damage. The guidelines outline how rail organisations should respond, from the level of governance, through to design, the integration of legacy and third-party systems, and staff training.

As the spokesperson for the ACSC outlined, as rail reaps the benefits of digitalisation, there are also challenges.

“The rail sector is continually modernising through the adoption of new operational technologies. However, with this, comes potential cyber security vulnerabilities,” said the spokesperson.

“The increased adoption of inter-connected technologies has the potential to increase the cyber threat ‘attack surface’.”

In the case of passenger networks, bespoke systems such as electronic signage, ticketing systems, electronic passenger gates, building management and public address systems are areas of concern. In the freight sector, the interconnectedness of the industry and its automation contributes to the vulnerabilities the sector faces.

The exposure of the rail sector was highlighted in a 2016 Victorian Auditor-General report into the security of critical infrastructure control systems for trains. After a 2010 report identified weaknesses, the 2016 report found little improvement since then.

The reasons for the lack of progress were poor governance arrangements, limited security frameworks for control systems, limited security controls for identifying, preventing, detecting, and responding to cyber security events, and a poor transfer of accountability and risk during machinery-of-government changes.

In the Auditor-General report, 10 recommendations were made, all of which were accepted by Public Transport Victoria and the Department of Economic Development, Jobs, Transport and Resources, which has since been broken up into the Department of Transport and the Department of Jobs, Precincts and Regions.

Since the Victorian Auditor-General’s report, moves have been made to standardise and improve the Australian rail industry’s cyber security response. In 2018 the Rail Industry Safety and Standards Board (RISSB) published its Australian Rail Network Cyber Security Strategy. Identifying similar threats, the document outlined the vision for the industry of the elimination of cyber risk, resulting in zero cyber-attacks on the Australian rail network. To do this, the strategy follows the principles of understand, protect, detect, and respond.

In addition, also in 2018, RISSB published AS 7770 – Rail Cyber Security, the Australian standard for managing cyber security risk on the Australian railway network.

To improve the response of the rail sector to the cyber security threat, ACSC provides sector-specific resources and materials.

“The ACSC is working with all critical infrastructure sectors to help them increase their cyber defences as well as transport sector entities through the ACSC Partnership Program.”

The ongoing adoption of industry standards as well as the implementation of sector-wide strategies will ensure that the rail industry continues to be prepared to deal with cyber attacks as the threats morph and change.

V/Line

V/Line CEO stood down

Victorian Minister for Public Transport Ben Carroll has suspended V/Line CEO James Pinder.

Carroll made the decision due to advice from the Department of Transport that the Independent Broad-based Anti-Corruption Commission (IBAC) had launched an investigation.

“On the basis of that advice, I directed the V/Line Board to immediately suspend Mr Pinder, while IBAC carries out its investigation,” said Carroll in a statement.

Nick Foa, who is currently head of transport services at the Department of Transport, will step into Pinder’s role.

According to reports, IBAC is investigating the Department of Transport but is not providing any further information.

V/Line previously came to the attention of IBAC in its investigation into TAFE qualifications for workers.

V/Line and the Department of Transport were also subject to criticism by the Victorian Auditor-General over their handling of the Murray Basin Rail Project, with the stalled project having “not met scope, time, cost or quality expectations”.

Review of rail freight project targets governance, planning for improvement

The Victorian Auditor-General has delivered a withering critique of the governance and delivery of the stalled Murray Basin Rail Project (MBRP) and the Freight-Passenger Rail Separation Project (FPRSP).

The MBRP, which promised to upgrade over 1,000km of rail track in regional Victoria to standard gauge, has been left unfinished as funds ran out and disputes between V/Line and the contractor, a McConnell Dowell and Martinus Rail joint venture, caused the project to spiral beyond its original budget.

The Victorian Auditor-General singled out V/Line and the Department of Transport for criticism, noting that both projects “have not met scope, time, cost or quality expectations”.

Particularly concerning for the Auditor-General was the way that the project had been handled.

“From a project and program management perspective we identified deficient project planning, cost estimation and scoping by the Department of Transport’s (DoT) predecessor agencies. V/Line Corporation’s (V/Line) inadequate contract and project management has also contributed to project delays and cost overruns for the MBRP Stage 2 works,” wrote the Auditor-General.

Rail industry figures have encouraged both the Victorian and federal governments to continue with the project, with the many benefits flowing to hard hit areas, said Pacific National CEO, Dean Dalla Valle.

“Governments of all political persuasions must be acutely aware how vital regional exports are to the overall health of the nation’s economy. With the current coronavirus outbreak, domestic and international trade are facing significant headwinds, now is not the time to neglect key transport supply chains in Australia,” he said.

Rail Futures Institute president, John Hearsch, echoed these statements.

“Until the project can be brought to a successful conclusion the rail industry and its operators are being disadvantaged in terms of service and cost and that impacts their competitiveness.”

The current works have left the network with extensive speed restrictions and roundabout routings, with the objective of improving axle loads not met. Rectifying this would see significant benefit for regional communities, said Dalla Valle.

“Upgraded rail lines result in operators like Pacific National being able to run heavier freight trains at increased speeds. Upgraded lines also enhance safety across the network. This means safer, more cost-efficient and reliable rail haulage services to port; hence regional producers and exporters benefit. By extension a significant workforce in regional Australia benefits, including train crews, primary producers, farm workers – the list is long.”

The Rail Freight Alliance (RFA), a grouping of regional councils in Victoria, said that it is essential that the project is completed.

“With Victoria’s freight task estimated to treble by 2051 the Andrews government owes it to industry and Victorians to fix and complete the Murray Basin Rail Project to its original scope, as promised, and now is the time to do it,” RFA chair councillor Anita Rank said.

Currently, the Victorian government is finalising an updated business case for the remainder of the project, said Minister for Transport Infrastructure, Jacinta Allan. Once completed, the revised business case will be submitted to the federal government for consideration, which had contributed funding to the initial stages.

“We’ve been disappointed with the performance of the previous contractor and the management of the project previously by V/Line and that’s why some time ago the project has moved across to be delivered by Rail Projects Victoria,” said Allan.

According to the DoT, the MBRP remains a “priority project”.

“The Murray Basin Rail Project has already delivered benefits for the freight industry, but we know that there is more work to be done. That’s why the Victorian Government is working with the Commonwealth government to progress the business case,” said a DoT spokesperson.

In its report, the Auditor-General issued a number of recommendations, including recommending that V/Line expedite finalisation of all unfinished works in Stage 2 of the MBRP, improve its contract management of major infrastructure projects, and expedite assessment of the reason for temporary speed restrictions on the re-opened standard gauge line from Yelta to Ararat.

The Auditor-General also recommended that V/Line and the DoT both develop a sustainable funding approach for regional rail freight lines and improve network reliability and performance standards. The report also highlighted the need to identify regional rail freight needs, and ensure compliance with project risk management processes for all major capital projects.

Both the DoT and V/Line accepted all the recommendations, and in an action plan the Department of Transport noted that it would review the original MBRP business case by engaging with industry, and complete detailed modelling of the Murray Basin rail network. The Department pointed to the recently formed Rail Freight Working group as a method by which government and industry will work together on rail freight infrastructure projects.

Work completed on the rail network to date includes updating the Mildura and Murrayville to Ouyen lines to standard gauge, as well as the Maryborough to Ararat line. A junction near Ararat station will have its signalling upgraded in the coming months.

Dalla Valle highlighted that work to build a staging area for standard-gauge freight trains at Maryborough could act as a “pressure valve” for the network.

“The Murray Basin is the economic lifeblood of northwest Victoria, with regional rail veins pumping exports worth hundreds of millions into the state’s ports. Thousands of country and city jobs are supported by this freight and logistics ecosystem,” he said.