The railway industry is increasingly viewed as a viable target for cybercriminals. Signaling systems, traction systems, train control systems, passenger information systems, and station infrastructure are all potentially at risk. While the foundation of railways has always been safety, we must now consider a new paradigm: Cybersecurity.
Railway systems, which have been considered safe for decades, can now be compromised through newly introduced digital commands. Manipulation of such commands can cause collisions and other nightmare scenarios, and cyber-criminals may also target ticket machines, passenger information displays, and passenger Wi-Fi systems. These systems are becoming vulnerable to cyber-attacks because they have moved away from bespoke stand-alone designs toward open-platform, standardized equipment built from commercial off-the-shelf (COTS) components, together with an increasing use of networked control and automation systems that can be accessed remotely over public and private networks.
Why?
There are many reasons why railway systems are targets for cyber-attacks: distributed architecture; long equipment lifecycles; diversity of supply chain and technology; and increased connectivity with digital systems. The more digitized rail networks become, the more vulnerable critical signaling systems are to cyber sabotage.
Increased signaling network connectivity and digitalization enable the adoption of modern signaling systems like the European Rail Train Management System (ERTMS), positive train control (PTC) systems, cloud analytics, enterprise visibility into signaling operations, and vendor-monitored predictive maintenance systems. At the same time, these systems introduce threats to safe, reliable, and cost-effective operations.
The biggest risk to railway networks occurs when there is a connection to an external network. Peripheral components, like signals and point machines, are being deployed with an increasing number of sensors, allowing the interlocking and related systems to receive far more field data than is the case with traditional systems.
How IoT Comes into Play
The growth of the Internet of Things (IoT) has led to a proliferation of connected devices aboard a train, some even as basic as a “smart coffee pot” in the buffet car. These are often very cheap systems, with little or no security. In these cases, where the signaling network can be accessed through the passenger network, the “smart coffee pot” network access becomes an entry point for hackers.
What is most concerning is when mission-critical control systems share the same networks as passengers or the business, which opens the control system to attackers who need not even be on board the train to find a way in. Train-to-ground communication for train control is often based on wireless local area network (WLAN) technology. The bad news is that vulnerabilities in critical functions such as authentication, encryption, and transmission expose WLAN to an array of risks.
Furthermore, older implementations employ old Wi-Fi technologies with weak cyber protection. As a result, they may suffer from attacks such as sniffing, rogue access point (AP), man-in-the-middle (MitM), and denial of service (DoS). Since the systems include proprietary protocols and applications, using cybersecurity solutions designed for IT systems alone may not be effective against cyber threats to these OT systems and might even cause problems on OT networks.
Solutions
As cyber-attacks become increasingly sophisticated, the rail industry needs to implement proactive, rather than reactive, security practices. Preventative cybersecurity technology can stop known, signature-based threats, but cybersecurity threat monitoring is required to identify more sophisticated threats and zero-day attacks that evade these controls because no known signature exists for them.
An effective cybersecurity solution for rail systems should provide real-time alerts and constant monitoring, offering rail operators full visibility into their systems and the ability to address potential threats quickly. Continuous threat detection must be complemented by actionable insights, allowing rail operators, who are not necessarily native speakers of cybersecurity, to review alerts and implement next steps.
Cyber threat protection is usually based on the principle of layered defenses, diversity in those defenses and the ability to “retreat, regroup and recover.” A successful defense-in-depth (DiD) approach requires segmenting the rail systems into clearly differentiated zones based on specific security requirements. Cybersecurity practices derived from information technology (IT) systems can be applied to rail system architectures such as ERTMS, communications-based train control (CBTC), and IP-based and/or cloud-based emerging signaling designs.
Protective measures should be in place on communications systems; train control and signaling interfaces; power and traction control signaling; and business/corporate systems to identify and bar unauthorized transmissions and limit the data travelling over links other than those which are specifically intended for transmission. Systems should also be monitored and underlying architecture should be analyzed for failure and abnormal performance.
Network monitoring solutions should be considered that provide a complete, real-time view of the entire network with detailed information covering all levels—from the network’s entire topology down to the granular level of each asset, including trackside devices, interlockings, management workstations and more. This in-depth visibility into the network eliminates blind spots, revealing asset connections and classifying redundant ones. Such systems determine the network’s real-time cybersecurity status by analyzing passively captured traffic with deep packet inspection techniques, without requiring prior information about the network.
Hardwired safety systems shall be employed in the system architecture so that there is no dependence on software for safety features. This is currently an absolute requirement for rolling stock emergency brake requests. On-train networks for passengers and networks used for train control and railway signaling shall be physically and electronically separate, particularly where Wi-Fi is used (i.e., there should be an “air-gap” preventing direct passenger access to a train’s control and command systems).
Firewalls have been the first line of defense in network security for over 25 years, but are they the right cybersecurity solution for a rail system? A firewall is essentially a router with a set of rules, with the security provided by software. All software has bugs and vulnerabilities, and any line of code can be exploited. The security provided is considerable, but a firewall can be manipulated and reconfigured, making it possible to gain access to the rail signaling network.
To maintain the highest level of safety and reliability, signaling network perimeters must be protected by unidirectional security gateways. Guidance from bodies such as the French National Agency for the Security of Information Systems (ANSSI) encourages the use of unidirectional gateways rather than firewalls for connecting railway switching systems to corporate networks. These unidirectional security gateways provide absolute protection to signaling systems and locomotive controls from attacks emanating from external, less-trusted networks.
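The zoning, passenger/control separation and unidirectional-gateway principles above can be checked against observed traffic. The following is an added illustration, not code from the article or from any vendor: it assumes a hypothetical four-zone plan with placeholder address ranges and a policy in which the only intended cross-zone links are control-to-signaling and a one-way signaling-to-corporate export, then flags every flow that crosses a zone boundary on any other link.

```python
import ipaddress
from collections import namedtuple

# Constructed, hypothetical zone plan (not from the article); the address
# ranges are placeholders chosen only for illustration.
ZONES = {
    "signaling":     ipaddress.ip_network("10.10.0.0/16"),   # interlockings, trackside
    "train_control": ipaddress.ip_network("10.20.0.0/16"),   # on-train control network
    "corporate":     ipaddress.ip_network("10.30.0.0/16"),   # business / analytics
    "passenger":     ipaddress.ip_network("172.16.0.0/16"),  # passenger Wi-Fi, onboard IoT
}

# Intended links only (directional). signaling -> corporate models the
# unidirectional gateway: telemetry may leave, nothing may come back in.
# The passenger zone appears in no link at all (the "air-gap").
ALLOWED_LINKS = {
    ("signaling", "corporate"),
    ("train_control", "signaling"),
    ("signaling", "train_control"),
}

Flow = namedtuple("Flow", "src dst proto")

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it fits no range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flows(flows):
    """Return (src_zone, dst_zone, flow) for each flow that crosses a zone
    boundary on a link that is not in ALLOWED_LINKS. Traffic that stays inside
    one zone is never flagged; an 'unknown' endpoint always is."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d and s != "unknown":
            continue
        if (s, d) not in ALLOWED_LINKS:
            violations.append((s, d, f))
    return violations

SAMPLE_FLOWS = [  # constructed sample flow records
    Flow("10.10.1.5", "10.30.2.9", "tcp/443"),    # signaling -> corporate export: intended
    Flow("10.30.2.9", "10.10.1.5", "tcp/22"),     # corporate -> signaling: must not exist
    Flow("172.16.4.20", "10.20.0.7", "tcp/502"),  # passenger device -> train control: violation
    Flow("10.10.1.5", "10.10.1.6", "udp/5000"),   # intra-zone signaling traffic: ignored
]

if __name__ == "__main__":
    for s, d, f in check_flows(SAMPLE_FLOWS):
        print(f"unexpected cross-zone flow {s}->{d}: {f.src} -> {f.dst} ({f.proto})")
```

In practice the flow records would come from the passive monitoring described earlier, and every violation is a candidate for both an alert and a review of the link that carried it.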
Conclusion
As rail systems go through a modernization process, we need people who understand the railway business, IT, operational technology (OT), and how cybersecurity needs to be integrated into all those worlds. Exceptionally safe, efficient, and environmentally friendly trains will be invaluable to intelligent mobility ecosystems. Without digital transformation and uncompromising levels of cybersecurity, railways risk losing out on a vital opportunity to shape the future of mobility. By investing in cybersecurity today, the railway industry will move toward safeguarding its future for decades to come.
Editor's Note: The European Union Agency for Cybersecurity (ENISA) recently delivered a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectoral implementation of the NIS Directive.