Bulletin 56 | Page 10

Safeguarding the Digital Railway – people, signals and cyberspace.

Written by Joe Del-Prado ACIRO
When I came to the UK more than 23 years ago, I was instantly fascinated by public transport.
I spent my first three months buying day travelcards, grabbing the tube map and travelling across all corners of the city. My father suggested that I should work for a train company and that’s how my career began in 2004.
I have seen many changes and evolutions in all these years, but nothing quite as significant as the digitalisation of our railways.
The advance in technology changed the way we store information. Devices are smaller and, paradoxically, bigger in storage capacity, and the railway saw the benefits of this. We can store more information in less space and, more importantly, access it from many different locations.
This advance also allowed us to share information more easily, almost instantly. For example, speed restrictions that were once pinned to a big noticeboard are now available in the palm of our hands soon after they are published.
This advance in technology also improved daily operations. Digital tools replaced manual systems like track circuits with faster, more efficient alternatives like axle counters and communication-based train control (CBTC) balises.
The demands and expectations from our customers have also evolved. People now expect more frequent trains and more pleasant journeys, real-time information, improved security and greater safety.
As we became more efficient, people began to rely on us more and more, and this led to technology increasingly, and silently, replacing the way we run our railways. Information started to take centre stage in daily activities.
As this shift to digitalisation accelerated, a new challenge emerged: how do we protect all this critical information in its new form? As digital systems grew, so did the risks. Cyber security in the railways was born.
Understanding Railway Information
The railways always required information to function. We need route knowledge, roster details, rule books, control manuals, standards, deviations, etc.
We need to know if the section ahead is clear, whether braking needs adjusting due to weather conditions, whether all train doors are closed or not, and whether we have a green aspect signal to depart the station. We also need clear guidance on how to respond to faults or abnormal situations. This is critical for timely service recovery. In short, information is what keeps our trains moving.
But what exactly is “information”? Put simply, it is data with context. Take the example of a red circle: it’s just a shape and a colour. But if that red circle appears on a signal on a track, it suddenly has a meaning: it instructs the operator to stop. See Fig 1. below.
Railway professionals rely on accurate, available and trustworthy information to operate safely. Once we have a clear understanding of what information is, we can start looking at how to protect it, through what’s known in information security as the CIA triad:
Confidentiality, Integrity and Availability
Let’s return to the red signal example. We trust that:
• It’s an instruction for our train (confidentiality: only shown to the train operator),
• The red aspect is correct and hasn’t been altered (integrity), and
• The signal is functioning properly when we approach (availability). See Fig 2. below.
Different organisations will have a different approach to this information security triad. For example, some would prioritise confidentiality over availability (if one printer is not working, I could use any of the others in the office).
There are also three other considerations that need to be
[Figures: Fig 1. and Fig 2. Labels: Data; Data with context (information)]