On May 13 2017, passengers at mainline stations in Germany glanced up at the information screens and saw something unusual. Obscuring the lists of departures and arrivals was a ransomware notice demanding a $US 300 payment in Bitcoin.
The WannaCry virus had infected 450 German Rail (DB) computers, bringing down passenger information systems, ticket machines, and CCTV networks.
This was a very public demonstration of rail’s vulnerability to cyberattack, and while the target in this case was the company’s business systems, the attack also highlighted the need to secure operational systems against hackers.
Until recently, Industrial Automation and Control Systems (IACS) were considered relatively well-insulated against external influence, with a high degree of immunity to security threats and attacks. However, the threat landscape has altered significantly in recent years with the proliferation of digital technologies and the increasing interconnectivity between the business and operational functions of companies.
Research by IBM shows cyberattacks on IACS increased by more than 600% between 2012 and 2014, while according to Dell’s 2015 cybersecurity report, attacks on supervisory control and data acquisition (Scada) systems surged from 91,676 in January 2012 to 675,186 in January 2014.
Mr François Hausman, mainline cybersecurity manager for Alstom and leader of Shift2Rail’s cybersecurity work package, told delegates at Railtech’s recent Intelligent Rail Summit in Vienna that the characteristics of railway networks make them a potential cyberattack target. These include:
- distributed architecture - electronic components spread along a section of line or a train
- long lifecycles for equipment
- high level of certification for safety-related systems
- diversity of supply chain and technology, and
- small-medium volume production of components.
Mr Domenico Raguseo, technical sales manager, Europe, for IBM says systems are vulnerable to hackers when there is a high degree of integration between IT and operational technology (OT). “The railway industry is very secure from a cybersecurity point-of-view - hackers would have a lot of difficulty getting into your systems,” he says. “With high standards and tonnes of security control, a hacker needs to invest a lot of time if he wants to create a problem for you. Unfortunately, the good news stops here. The safety-first philosophy of rail - that the train stops to protect the lives of the passengers - is good for hackers, because they don’t want to kill people, they want to get money. So it would be fantastic for a hacker to stop a train.”
As senior managers seek ever more data on the day-to-day performance of the railway, business and operational systems are increasingly interconnected, and wherever there are interfaces, there are potential points of attack.
The mitigation of cybersecurity threats starts at the top of an organisation. This is a challenge because until relatively recently, cybersecurity was rarely, if ever, a topic for discussion in most boardrooms. However, a number of high-profile attacks have changed corporate attitudes to the risk of cybercrime, and today the boards of most companies are actively pursuing measures to protect the assets and the reputation of their organisation. Furthermore, the breadth of the threat, which can reach into all corners of the business, demands a co-ordinated top-down approach to risk management.
“Cybersecurity has to be driven all the way from the top of the organisation,” explains Mr Sharvind Appiah, lead engineer, cyber security, for the ERTMS Users Group. “When you put cybersecurity measures in place, the process is resource intensive, it is time consuming, and you have to have money to do it. Cybersecurity can be up to 50% of a company’s IT budget, because cybersecurity has mainly been driven by IT. But it’s all about protecting the assets of the organisation - that’s the core role of cybersecurity - so cybersecurity must be aligned with the business to justify the investment. Boards are increasingly getting cybersecurity people in - they may not sit on the board, but their input is taken into consideration.”
Appiah identifies six key challenges that any railway cybersecurity strategy will need to consider:
- lack of awareness of the criticality of cybersecurity in the Industrial Control System (ICS) environment
- employee mindset, and the belief that ICS has no relation to ICT
- poor availability of professionals able to cover both automation control engineering and ICT disciplines, to deal with cybersecurity management and compliance in ICS
- failure of businesses to recognise the importance of cybersecurity assurance for their ICS environments
- lack of a systemic framework, with standards, policies, procedures and manuals either absent or inadequate, and
- organisational culture and the belief that security should be developed from behaviour at a personal level.
“You need to have people who understand the railway business and cybersecurity and can relate to both sides,” Appiah explains. “You don’t want a cybersecurity expert coming in and telling you what to do in your business. Traditionally the rail business has been very safety-orientated and there’s a difficulty interrelating into how you build security-related safety cases.”
Appiah also highlights the cyclical nature of cybersecurity, and the need for security strategies that are capable of evolving alongside the threats they are intended to mitigate. “Your threat environment is changing, and it changes as your ICS environment changes,” he says. “If you change a single component in your ICS, you have to go through the whole process again because you have to evaluate the impact of that change and whether security levels have changed. It’s an ecosystem.”
“The whole organisation has to engage in the programme, and top management buy-in is key, because they have to drive the approach. There’s also no one-size-fits-all approach to IACS cybersecurity because every organisation is different, and has different business processes.”
Mr Lovan Pushparatnam, head of tramway systems and telecoms with Systra, says any cybersecurity strategy must consider people as well as technology. “The best results are achieved when cybersecurity is treated as part of an overall security policy addressing technical aspects and operational procedures, with continuous assessment and measurement,” he says. “It’s not about protection, it’s about process and preparation, monitoring both your assets and your organisation.”
Pushparatnam makes four recommendations for managing cybersecurity in the design of greenfield rail projects:
- Integrate information system security right at the beginning of the project - the organisation needs to be clearly defined, outlining roles of stakeholders and the limits of their scope. A security advisor should be nominated who is independent of the project team. This is followed by a risk assessment, and high-level security requirements for stakeholders. All of this is integrated into the technical requirements
- Carry out a technical audit to verify that all requirements of the project sponsor, designer and maintainer have been met - poor password security, the presence of unnecessary software applications, use of obsolete and unsupported operating systems, and lack of physical security such as unlocked equipment cabinets on trains are common issues that can easily be solved
- Identify residual risks and list them - maintainers may not be willing to constantly apply security patches to their equipment, and
- Develop a final security case - this is based on the same principles as a safety case, and needs to be approved by relevant authorities. The security case encompasses residual risks and how they can be dealt with, and considers any outstanding maintenance requirements which may have an impact on the system.
Testing the vulnerability of railway systems to cyberattack is a particular challenge because of the difficulty of simulating attacks under realistic operating conditions. “When we model attack patterns, we need to understand how it is possible to attack,” Raguseo says. “It’s not easy to do penetration testing in a real environment, so you need to create a test environment. Developing a test environment is complicated for IT - I’d say it’s impossible for a complex environment like rail.”
This issue can be addressed through prototyping. For example, IBM created a prototype called Scada Bag and adapted practices from other industries for the railway environment to test the vulnerability of Scada power management systems.
Changes in cybersecurity legislation at both a national and European level mean rail industry stakeholders increasingly face legal obligations to ensure their systems are protected. In 2015, the German federal government passed a law which requires the owners and operators of critical national infrastructure (including railways) to implement minimum IT security standards to protect their systems from cyberattacks.
The European Union (EU) Directive on security of network and information systems (NIS Directive) came into force in August 2016, and is intended to boost the overall level of cybersecurity in member states. The NIS Directive is due to be transposed into the legal systems of the member states by next month and specifically identifies train operators and railway infrastructure managers as entities that could be considered “operators of essential services.” Businesses in this category will be required to implement risk management practices, taking “appropriate and proportional technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations.” Significant cyberattacks must be reported to a “competent national NIS authority.”
All of this leaves railway industry stakeholders with the challenge of securing assets which can have a lifespan of several decades against a threat that is constantly evolving. System architecture is therefore a crucial consideration in safeguarding next-generation rail technologies against attack.
In 2010, German infrastructure manager DB Network launched a project to develop a next-generation interlocking which would employ standardised IP networks, communication interfaces, protocols for data transfer, and telecommunications equipment to reduce lifecycle costs and drive the transition to a multi-vendor, plug-and-play ecosystem.
However, alongside opportunities, the use of standard technologies also brings challenges. “Hackers are used to infiltrating IP networks,” explains Mr Christian Schlehuber, DB Network manager of IT security for operational technologies. “Standard communication interfaces should be open source if you want an open market, but hackers could attack us this way.”
The system architecture also had to ensure freedom of interference between safety and security, and compliance with the NIS Directive and the German IT Security Act.
DB Network adopted IEC 62443 as its security standard for the new-generation interlocking, using an architecture based on zones and conduits to ensure each element of the overall system is secure. “We had to define physical assets and interfaces for each zone, which system communicates with other systems, and apply measures based on the identified risk and security level for each zone,” Schlehuber says. “Conduits connect these zones. If a conduit connects zones with differing IT security requirements, it has to provide adequate security measures for this connection.”
This architecture places security outside the core safety function of the interlocking. “With safety in the core shell, and security measures in the outer shell, we can change security measures without affecting safety systems,” Schlehuber says. “This means the safety system can remain constant for decades, with the security element being updated at short intervals. Security is uncoupled from safety homologation. However, you need to clearly define the interface between the two parts in terms of latency, bandwidth and quality of service.”
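An added illustrative checker for the zone-and-conduit rules Schlehuber describes (example code written for this article, not DB Network's design or a rendering of the IEC 62443 text); the 0-4 security level scale, the rule that a conduit must reach the higher of its two zones' security level targets, and the interface keys are assumptions:

```python
# Added illustrative zone-and-conduit checker (not DB Network's code). The 0-4 security
# level scale and the two rules below (a conduit must reach the higher of its zones'
# security level targets; a conduit touching the safety core must state latency,
# bandwidth and QoS) are assumptions for this example, not text from IEC 62443.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int             # security level target set by the risk assessment
    assets: tuple              # physical assets and interfaces grouped in the zone
    safety_core: bool = False  # True for the homologated safety function

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    sl_capability: int         # security level the conduit's own measures achieve
    measures: tuple = ()       # measure names are constructed, e.g. ("firewall",)
    interface: dict = field(default_factory=dict)  # latency/bandwidth/QoS spec

INTERFACE_KEYS = ("latency_ms", "bandwidth_kbps", "qos")

def check_architecture(zones, conduits):
    """Return a list of findings; an empty list means both rules are satisfied."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        a, b = by_name[c.src], by_name[c.dst]
        if a.sl_target != b.sl_target:  # zones with differing requirements
            need = max(a.sl_target, b.sl_target)
            if not c.measures or c.sl_capability < need:
                findings.append(f"{c.src}->{c.dst}: needs SL {need}, provides "
                                f"SL {c.sl_capability} with {len(c.measures)} measures")
        if a.safety_core or b.safety_core:  # interface into the safety core shell
            missing = [k for k in INTERFACE_KEYS if k not in c.interface]
            if missing:
                findings.append(f"{c.src}->{c.dst}: interface spec missing {missing}")
    return findings

def demo():
    """Constructed sample: a bare maintenance link into the core, then its fix."""
    spec = {"latency_ms": 50, "bandwidth_kbps": 64, "qos": "high"}
    zones = [Zone("interlocking", 3, ("logic unit",), safety_core=True),
             Zone("object-controller", 3, ("point machine",)),
             Zone("maintenance", 1, ("diagnostics pc",))]
    core_link = Conduit("interlocking", "object-controller", 3, ("authenticated link",), spec)
    weak = [core_link, Conduit("maintenance", "interlocking", 1, ())]
    fixed = [core_link, Conduit("maintenance", "interlocking", 3, ("firewall", "vpn"), spec)]
    return check_architecture(zones, weak), check_architecture(zones, fixed)
```

Swapping the conduit's measures (the outer shell) changes nothing in the `interlocking` zone definition, which is the decoupling of security updates from safety homologation the text describes.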
Cybersecurity considerations also apply to rolling stock. A modern train is effectively a mobile data centre, communicating with the lineside equipment, the depot, the operational control centre, traincrew, and the passengers. These information flows offer the hacker several potential points of entry, all of which need to be carefully managed to mitigate the security threat.
Netherlands Railways (NS) has developed a train security architecture to guard rolling stock against the threat of attack, and this takes into account the variation in train types within the fleet. “We did risk assessments throughout the train to test every new thing,” says NS information security officer, Mr Gertjan Tamis. “We hire the hackers and let them do their thing, and act on their findings to try to solve problems.”
NS began its assessment by determining the security baseline, which uses the Information Security Forum (ISF) threat list. Where applicable, countermeasures were adopted, and interviews were conducted with experts such as engineers and system architects to identify security weaknesses and develop solutions. A risk consolidation exercise was also carried out at workshops.
“There’s a need for integral security governance on trains,” Tamis says. “Hackers don’t care about artificial boundaries - their goal is to hack a train. So we need an integral governance model and we’re working hard to build this.”
The governance model follows on from the train domain risk inventory already completed by NS, and identifies possible risk owners, asking if they understand their ownerships and responsibilities. NS is focussing on software asset management together with threat and vulnerability management. Projects include investigating attack paths and security risks, defining acceptable risks, investigating existing security measures, and implementing necessary risk reduction.
“In a mixed environment you will have several levels of risk, and you have to act on that,” Tamis explains. “Is the asset management in place for your train automation technology? The best way to deal with it is to take a project-based approach.”
Digitalisation is bringing the rail industry into close contact with an ever-evolving world of cyberthreats, and companies will quickly need to develop comprehensive strategies to secure their assets. The challenge is as human as it is technical, and it touches virtually every part of every organisation in the railway sector. A coordinated response will be needed to ensure the benefits of digitalisation can be delivered in a secure environment.
CYRail: harmonising rail’s response to cyberthreats
The Shift2Rail research and innovation programme is focussing on achieving a coordinated industry response to cybersecurity challenges through the two-year CYRail project, which brings together train operators, infrastructure managers, suppliers and systems integrators.
CYRail comprises seven work packages which seek to address six core technical objectives:
- an exhaustive cyber security assessment of railway systems, focusing on the most critical services, zones and communications
- a taxonomy of threats targeting rail management and control systems capable of classifying, describing and analysing cyberattack threats
- assessment and selection of innovative techniques for attack detection
- specification of countermeasures and mitigation strategies for improved quality levels
- description of resilience mechanisms for operational safety, and
- specification of protection profiles with evaluation of assurance levels.
After assessing various standards, Shift2Rail has adopted IEC 62443 as its preferred cybersecurity framework for rail applications because it offers a set of standards dedicated to IACS, addresses product and system lifecycles, covers risk assessment processes, and is also used for critical infrastructure in other industries.
IEC 62443 sets out security assurance responsibilities for the asset owner, system integrator and product supplier. IEC 62443-3-2 risk assessments will allow asset owners to understand the criticality of specific assets and the appropriate protection measures that need to be applied. There are three steps to these assessments:
- define the System under Consideration (SuC)
- high-level risk assessment (identifies worst-case unmitigated risk, defines reference architecture, and sets security level targets), and
- detailed risk assessment (analyses the impact of each threat and identifies potential mitigation measures).
Shift2Rail will develop a common threat landscape, allowing a standardised classification of threats that will be used as a baseline reference. This will be based on ISO 27005:2011, the EU Agency for Network and Information Security (Enisa) threat landscape and the German Federal Authority for IT Security (BSI) threat catalogue.
A framework of good design principles and processes will be used to ensure security is implicitly considered at each stage of development, with the aim of making the product secure by design. This will improve the overall security footprint of a system and increase its robustness against threats.