included in this triad that are imperative for critical national infrastructure: safety, reliability and continuity.
Digital Systems, New Threats
Digitalisation has brought many benefits: remote condition monitoring of assets by engineers in other countries, live timetable streams to customers’ phones, and CCTV cameras streaming constantly to control rooms and security enforcement agencies.
It has also brought us new risk: every new digital benefit requires a doorway to the outside world, and this has caught the attention of cyber criminals who would never previously have considered our railways a target.
Computers needed to be secure and free from vulnerabilities before being exposed to the internet. Computers run all day; restarting one to apply a software update can delay dozens of trains and cost thousands of pounds in possessions and blockades. Safety, availability and continuity always came first, with security patching planned for when time allows.
This presents a new problem: how do we protect vulnerable systems while allowing them to be connected to the internet 24/7?
We could think of solutions like robust firewalls and strict access control; however, on some occasions that was not enough:
• Deutsche Bahn, 2017. Cyber criminals compromised the departure boards of the rail network, demanding a payment in bitcoin (availability). 1
• DSB Denmark, 2022. A cyberattack affected DSB, Denmark’s largest train operator. The attack targeted a system that provided critical train driver information like speed restrictions (integrity and availability). 2
• Trenitalia / Ferrovie, 2022. Italy’s state railway operator Trenitalia and its parent company Ferrovie experienced a cyber-attack that disrupted ticket sales at stations, passenger information screens and mobile devices used by railway staff (availability). 3
These three incidents have something in common: the initial breach originated through office, common IT systems or third-party tools, not the trackside equipment.
Protection of these systems focused on reducing or mitigating these possible risks with hardware solutions, staff training and, wherever possible, complete isolation from the internet.
Regulations like the EU’s NIS 2 (Network and Information Security Directive) and the forthcoming Cyber Security and Resilience Bill in the UK are steps in the right direction; however, we will need much more to keep our railways secure.
Incident Response: A Railway Strength
For nearly two centuries Britain’s railways have demonstrated their resilience in getting trains running again and again when something interrupted the service. When a storm punched a 100-metre hole through Dawlish’s sea wall in 2014, thousands of railway professionals rebuilt the line in time for Easter. 4 When a flood dropped a bridge into the River Crane in Feltham in 2009, engineers laid a makeshift loop and had trains running eight days later. 5 Even after the tragic accident in Clapham Junction in 1988, commuter services were restored within a week.
These three examples are textbook incident response plans. We notice something irregular; we alert the controller and start the incident machinery to keep things safe and moving again. The tools have changed (remote sensors, live passenger data, mobile tablets, GSM-R radios), but the instinct is the same: keeping the trains moving, and restoring them when they stop, is within every railway professional.
We have become so accustomed to this routine that we have perfected a skill-set that is rare in the wider cybersecurity world. Railway professionals keep the service running every minute of the day, so stopping a system just for routine fixes is not really an option. We are used to making split-second, safety-critical decisions all the time and we always put our passengers first. That is 90% of what it takes to be a cyber security professional.
As a signaller, a train operator, a maintainer, an engineer or a project manager, you already have the ‘incident response’ mindset that keeps a Friday night service running after a points failure or could keep the information boards displaying the next departures during a distributed denial of service attack.
Bridge damage near Feltham
Clapham Junction train crash
Dawlish sea wall damage in Devon
www.ciro.org