The trend towards the full digitalisation of the railway industry is bringing with it wide-ranging benefits. Predictive maintenance, advanced signalling systems and innovations that improve the customer experience are all enhancing the way networks are managed and services are operated.

But the more these technologies become embedded in the everyday cycle of running a railway, the more susceptible to cyberattacks they become. Sensors and equipment are also generally distributed across large geographical areas, often in remote locations, compounding the difficulty of ensuring they are secure. This threat grows more serious as digital technology becomes more prevalent in safety-critical systems.

In the Rail Cyber Security Strategy published in January 2017, Britain’s Rail Delivery Group (RDG) noted that cyberattacks on the railway could result in a number of impacts, including:

  • threat to safety of the workforce, passengers or the public resulting in harm
  • disruption to services
  • financial loss, including to the wider economy
  • the loss of commercial or sensitive information
  • criminal damage
  • reputational damage, and
  • a failure to comply with the law.

The serious ramifications that could result from a cyberattack mean it is an issue that must be taken seriously across the industry.

While large companies may have more resources to prepare against attacks, they are still susceptible.

“Missing awareness is one of the biggest issues in the railway domain.”

Christian Schlehuber, DB Network IT-security management

As the WannaCry ransomware swept around the world in May 2017, German Rail (DB) was caught up by the cryptoworm that targeted the Windows operating system, encrypting data and demanding ransom payments in Bitcoin.

Mr Christian Schlehuber, of DB Network IT-security management, says the incident hit DB hard from a public-relations point of view because of the highly visible nature of the attack, but it did not result in a breach of its secure systems, and quick thinking from station staff reduced the disruption to services.

Triple-layer network

DB has a triple-layer network, and WannaCry only penetrated level three, never coming close to level one, which includes safety-critical systems such as signalling. However, the resulting media attention led to a large increase in the importance given to cybersecurity in the company.

Speaking at the Rise of IoT and Big Data in Rail conference in Munich in May, Schlehuber said that while the company has multiple layers of defence in place, it is not in a position to sit back and rest easy.

“We have several layers of defence, between those things like data files and firewalls and so on, and in general it looks quite good,” he says. “We think this part, the signalling section, is quite secure because we have isolated systems, but if you look at a system from an attacker’s point of view, you look for the weakest link. This is not the signalling system but this is something coming from the office IT network, where most of the people have access.”

He says that while researching vulnerabilities in one of DB’s systems, they were able to access a manual version of the setup programme that still had administrative privileges, which allowed access to parts of the network that should have been blocked.

Schlehuber said hackers would not start an attack by directly targeting the main systems, instead looking for small vulnerabilities and gaps in the defence such as this system, which they could then exploit to gain deeper access into the network.

“They explore what infrastructure is there, search for websites, and find credentials, then build a system with administrative privileges, a new home base from which they begin operating,” he explained. “This is what could have happened had we not found this ourselves.”

Sometimes it is not a lack of processes and safeguards that causes vulnerabilities, but a lax attitude towards following them.

As an example, Schlehuber says he was once on a visit to an operator outside of Germany, where the server passwords were listed out and easily available. The cabinets were also locked, but the keys were kept inside the locks.

“If I, as an attacker, enter this building I would think ‘nice work,’ take the keys from the cabinets and do whatever I want,” he says. “I’ve seen this several times. Missing awareness is one of the biggest issues in the railway domain.”

“You want to deploy a new solution like a diagnostics solution or an interlocking system.”

Christian Schlehuber

Another mistake often overlooked by some in the rail industry is leaving setup programmes installed after a system has been initialised, leaving it open to attack.

“You want to deploy a new solution like a diagnostics solution or an interlocking system,” Schlehuber says. “Somebody needs access to it because they do not want to drive out to the middle of nowhere every day to maintain it. So you deploy some sort of initial setup programme, which is good for the setup, but after it is running think about whether you need them and whether you can remove them because otherwise someone will find it.”

While having security against complex attacks is imperative, Schlehuber also highlighted the importance of ensuring that basic tasks are done properly.

“You might have several layers of defence in your control system, but think about what happens if someone can bypass it,” he says. “Don’t think only about the complex modern things, like sophisticated attacks that are in the media. These are relevant but normally we have another issue and that’s the basics.”

These basic risks can include storing passwords on easily accessible file shares, not changing default passwords, missing updates and software patches, and using the same passwords across multiple systems and applications.

Network infrastructure

While processes and software can go a long way towards defining the security of a network, the basic design of a network setup can also play a critical part in ensuring it remains secure.

One issue facing operators is finding ways to share valuable data from mission-critical, safety-critical and reliability-critical systems with as many staff as possible, without opening these systems to attack.

A sensor mounted beside the track may not seem like a likely target for hackers, but attacks in the past have shown that creative hackers have devised innovative ways to access networks.

British-based cybersecurity firm Darktrace identified two separate cases where casinos in the United States were targeted through IoT-connected fish tanks.

In the first case, reported in 2017, the tank was equipped with a state-of-the-art system that allowed the temperature, food and cleanliness of the tank to be monitored and changed remotely. However, this same system also provided an opening for hackers to gain access to the rest of the network, with Darktrace finding 10GB of information was taken from the casino’s network and sent to a device in Finland.

“There were a number of different architectures that could be built into a network to ensure the data from the sensor is readily available while the network itself remains secure.”

Jesus Molina, Waterfall director of business development

In a similar event reported in 2018, an IoT-connected thermostat in a fish tank was used to gain access to another casino’s network, allowing the hackers to make off with a list of high-roller customers.

At the Rise of IoT and Big Data in Rail conference, Waterfall director of business development, Mr Jesus Molina, said there were a number of different architectures that could be built into a network to ensure the data from the sensor is readily available while the network itself remains secure.

The first is the use of a demilitarised zone (DMZ), which uses an isolated network that acts as a buffer between a front-facing website or network and an internal secure network, replicating the data from the secure server onto a non-secure server in real time where it can be safely accessed without compromising the secure network. While this can be useful for low- and medium-security systems, it doesn’t always provide the level required by some high-security systems.

The second process is similar and also uses a DMZ, but adds distinct security protocols to transfer the data through the zone. Data is collected within the secure network and stored or transmitted to the DMZ, where it is then transferred to the non-secured side with encryption on both streams.

The third, and most secure, system uses unidirectional security gateways, which create an impassable physical barrier that prevents any external attack from entering through the gateway.

The industrial systems and servers are ‘exported’ to the corporate network over a fibre-optic cable in real time using server replication and device emulation, which retains the data and functionality of the original network. As the gateway is fitted only with a fibre-optic transmitter at one end and a receiver at the other, it is physically incapable of sending information back into the secure network, preventing unwanted access.
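The following Python model is an added illustration of the replication-over-a-one-way-link design described above; it is not code from the article or from Waterfall, and the class names and sensor tags are constructed. It also shows a consequence the text leaves implicit: with no return path, the receiving side can never request a retransmission, so the transmitter has to send full snapshots and the receiver can only detect, not repair, a lost frame.

```python
import json
from collections import deque

class OneWayLink:
    """One fibre: frames enter at the transmitter and leave at the receiver; nothing flows back."""
    def __init__(self):
        self._frames = deque()
    def transmit(self, frame: bytes) -> None:
        self._frames.append(frame)
    def receive(self):
        return self._frames.popleft() if self._frames else None
    def simulate_loss(self) -> None:
        self._frames.popleft()  # drop the oldest in-flight frame (a link fault, not an attack)

class GatewayTx:
    """Secure side: no return path means no retransmit requests, so every frame is a full snapshot."""
    def __init__(self, link: OneWayLink):
        self.link, self.seq = link, 0
    def push(self, readings: dict) -> None:
        self.seq += 1
        self.link.transmit(json.dumps({"seq": self.seq, "readings": readings}).encode())

class GatewayRx:
    """Corporate side: read-only replica; counts sequence gaps because it cannot NACK a loss."""
    def __init__(self, link: OneWayLink):
        self.link, self.replica, self.last_seq, self.gaps = link, {}, 0, 0
    def drain(self) -> dict:
        while (frame := self.link.receive()) is not None:
            msg = json.loads(frame)
            if msg["seq"] != self.last_seq + 1:
                self.gaps += 1  # loss is detectable here, though not recoverable on demand
            self.last_seq, self.replica = msg["seq"], msg["readings"]
        return self.replica
    def write(self, tag: str, value) -> None:
        # Office-side users, or malware on their PCs, get emulated read access only.
        raise PermissionError("replica is read-only: no path back to the secure network")

def run_demo() -> dict:
    link = OneWayLink()
    tx, rx = GatewayTx(link), GatewayRx(link)
    for count in (1, 2, 3):  # constructed trackside readings, three polling cycles
        tx.push({"axle_counter_7": count, "point_heater_2_c": 40 + count})
    link.simulate_loss()  # the first snapshot never arrives
    replica = rx.drain()
    blocked = False
    try:
        rx.write("axle_counter_7", 999)
    except PermissionError:
        blocked = True
    return {"replica": replica, "gaps": rx.gaps, "write_back_blocked": blocked}
```

Because each frame carries the whole state, the replica is correct again as soon as the next snapshot lands, which is why real deployments of this pattern resend periodically rather than relying on acknowledgements.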

In an effort to improve the security of European operators, DB Network and Infrabel have worked with the EU Agency for Railways (ERA) and the European Union Agency for Cybersecurity (ENISA) to develop a European Railway Information Sharing and Analysis Centre (ER-ISAC). Working with operators and other organisations such as DG MOVE, the goal is to create a secure and confidential platform for exchanging information across the railway sector about incidents, threats and concepts to improve security.

Schlehuber says ER-ISAC is progressing well, and is starting the first cybersecurity working groups and sharing work between the participants. ER-ISAC has also become one of the main partners for several EU institutions in addressing cybersecurity in the railway industry across Europe.

“Most of the other operators will have the same issues because we have the same suppliers and the same processes for operation and maintenance,” he says. “We need to join forces to ensure safe and secure rail operations.”