NEWS of cyberattacks disrupting all areas of everyday life is almost a daily occurrence. No industry has been spared the pain of a data breach or security compromise in recent years and the number of attacks is increasing.
The global cost of cybercrime is predicted to hit $US 8 trillion in 2023 and grow to $US 10.5 trillion in 2025 according to a report by US-based cybersecurity market researchers Cybersecurity Ventures. This is equivalent to the size of the world’s third largest economy, emphasising the scale of the challenge.
These costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to normal business activities, forensic investigation, restoring and deleting hacked data and systems, and reputational harm.
Cyber criminals range from lone wolves to organised criminal gangs, hacktivists, and hostile nation states. Many use the dark web to sell the data they have retrieved as well as the tools to carry out the task.
Any computer with an internet connection is a potential entry point. The attacks themselves come in a variety of forms: malware, social engineering, phishing, credential theft and distributed denial-of-service (DDoS) are among the most common. Ransomware, a type of malware that restricts access to files and often threatens permanent data destruction unless a ransom is paid, is of particular concern, accounting for 47% of European railway cyberattacks. The criminals are also becoming more sophisticated, increasing the challenge for businesses and security firms.
Inevitably, there is debate within the railway industry about how best to address this challenge, which we reflect on in this issue of IRJ.
Rail is unusual in that it offers cyber criminals two possible attack surfaces. The office environment is an obvious entry point for hackers. However, rail infrastructure and assets, which increasingly have data connections and links to the Internet of Things, are similarly vulnerable. Although rarer, these attacks are more likely to be the work of international terror groups, or even sponsored by hostile states, the malicious activities of which have grown in the currently strained geopolitical environment.
Much of the discussion in railway industry circles is led by cybersecurity firms offering sophisticated strategies for network protection. Major manufacturers have also vowed to introduce cybersecurity by design in their products, as Mr Henri Poupart-Lafarge, president and CEO of Alstom, revealed during an interview for the March edition of IRJ. Indeed, Alstom has made notable recent investments to improve its cybersecurity capabilities.
These are welcome interventions. Rail, like many other sectors, lacks the in-house expertise to address all cybersecurity concerns - Europe is reportedly currently lacking 200,000 cybersecurity professionals. Poupart-Lafarge’s comments also echo the European Commission’s plans to introduce cybersecurity as a standard in product certification, although the European Rail Industry Association (Unife) is questioning this approach.
There is much work to do, and crucially, to continue doing. Future-proofing is essential, but as Mr Louie Augarde, lead penetration tester, and Mr Jack Button, penetration tester, at British cybersecurity consultancy OmniCyber Security, state, there are simple steps that companies can take to immediately improve protection.
Physical wayside infrastructure is a particular weakness. Lineside huts in secluded locations offer a potential entry point for hackers to compromise signalling systems. Railways should endeavour to protect these assets as best they can by installing sophisticated locks, alarms and CCTV. “There is a reason that competent companies have their servers locked behind at least two forms of physical protection,” Augarde says. Infrastructure managers should adopt a similar attitude for their wayside assets.
Trains are another potential entry point. All system panels should be locked and secured with only one person on the train having a unique key to gain entry. Alarms should notify people if a breach occurs.
The office environment is rail’s biggest Achilles’ heel, potentially offering access to financial information and customer data. The human element is the most common threat vector. Opening illicit emails is the source of most phishing attacks where people are tricked into clicking a link or providing information that can lead to exploitation.
Tighter security at company property is likewise encouraged. It is important to monitor exactly who is entering a building and for what purpose. Hackers have been known to impersonate employees or claim to have lost their pass to get past the security guard or receptionist and gain access to computers on the other side of the barrier.
The prevalence of people working from home has increased the risk. Firms should take the security of these off-site computers as seriously as those on their own property. This includes offering two-stage authentication of identification for employees, the use of sophisticated passwords, and automatic locking of a computer after a period of inactivity.
Regular training of employees should be central to any strategy, including encouraging people to download software updates as soon as they are available. Many of these practices are covered by national and international standards for cybersecurity, which Button says rail firms should pursue.
They range from Cyber Essentials Plus, which offers a very basic introduction, to IASME, and ultimately ISO 27001 and NIST compliance in the United States, the highest level of protection, which requires annual accreditation including passing vulnerability tests performed by penetration testers.
As well as guidelines for introducing the highest level of protection, certification requires the introduction of contingency strategies and procedures for when a breach does occur. The prevalence of cybercrime means that an attack is almost inevitable. But being prepared offers firms the best possible chance of limiting the hacker’s ability to extort money or disrupt services. The importance of this cannot be overstated. Now really is the time to take cybersecurity seriously.