Four Siemens Mobility cybersecurity experts explain what the rail industry can do to keep the trains running as cyber risks multiply.
Digital transformation of the railways offers the industry a chance to enrich the passenger experience, improve logistics, increase availability and energy efficiency, streamline operations, and better maintain critical assets.
This is all good news. But digitalization means connecting once-isolated operational technology (OT) to new technologies such as the Internet of Things (IoT) and the cloud, and that could expose rail systems to serious cyber threats.
Ransomware is on the rise
The rail industry is becoming increasingly aware of these threats. In a recent Siemens Mobility survey, 49% of the global sample of 108 executives across the transport sector believe that cybersecurity will represent an increasing difficulty for their organization over the next two years.
“The first discussions I had with customers in 2016 were very hesitant – it was not easy to talk to them about cybersecurity,” says Swantje Weiss, Product Manager Digital Services. “But this has changed completely, and nearly every tender now has cybersecurity requirements.”
Among the most high-profile threats are ransomware attacks, and they are growing in frequency. Bitdefender’s 2020 Consumer Threat Landscape Report estimates that ransomware attacks increased by 485% in 2020 from the previous year.
The rail industry is not immune. In July this year, for instance, one of the UK’s local railway systems had its new self-service ticketing machines taken offline following a ransomware attack.
Cybersecurity and safety are linked
Siemens Mobility experts agree that the industry needs to start treating cybersecurity in the same way it treats safety. Over time, rail has developed a strong record of safety, resilience and security, and is one of the safest modes of transport.
“Our industry places safety at the highest level, and we would never do anything that compromises that,” says Andres G. Guilarte, Global Product Manager – IoT and Secure Connectivity. “Giving cybersecurity a similar priority to safety would be correct, since while it may not impact safety today, there will come a time when that lack of security will compromise your systems. We need to go for security-informed safety cases.”
So what can the industry do to mitigate these evolving threats? For Siemens Mobility’s experts, the industry’s approach should hinge on three things: security governance, a holistic approach, and standardization.
1. Security governance
To protect against cyberattacks, the rail industry needs to develop strong security governance by establishing processes that will keep systems running securely.
“We are still a very reactionary industry – we do things because there is a law or regulation that requires it,” says Guilarte. “This has built up issues of transparency and understanding of how the networks look and operate, and at times a lack of procedures for how staff should work. The biggest threat is not always a bad guy on the outside who means to do harm; they are sometimes unwillingly supported by someone on the inside who was watching something on their work computer at home, clicked the wrong thing, and then goes to work and plugs it into the system.”
These small, limited external entry points into the system are like minor water leaks in a building: left unfixed, they eventually damage the foundations. “In our experience, this is what can really cause downtime to operations,” says Weiss.
Zoran Memic, Cybersecurity Business Developer, says that companies often lack security governance, which is where Siemens Mobility comes in. “We can help customers to build a level of security governance that establishes the processes to identify and fix those small leakages which might otherwise cause damage in the future.”
2. A holistic approach
This security governance fits into the holistic approach that our experts stress is essential to cyber-proof modern rail systems.
Rail manufacturers and their supply chains, operators, and stations form a complex infrastructure that must be protected both as a whole and in each of the individual parts. The way to do that is with a single strategy that encompasses all the elements of railway systems, including corporate and safety operations, and throughout their entire lifecycles.
“It is not like a smartphone that, after some years, you replace with a newer one,” says Christian Paulsen, Product and Solutions Security Officer. “It is interlocking systems and train sets that are operated for years – decades, even – and our customers need to manage that.”
This long lifecycle means that the relevant customer systems have to be securely managed, updated and patched throughout their service life. “It is not just about one system, because you need to treat all systems together,” says Guilarte. “Otherwise, a cyber threat will find the weakest link – the entry point. That is the biggest challenge today, but it is also the biggest opportunity.”
Standardization supports this holistic approach, and its absence in rail systems has created an artificial level of complexity. Standardized, system-wide regimes enable rail operators and companies to manage operational risk more effectively while working more efficiently and sustainably.
Experience has shown the Siemens Mobility experts the cost and complexity of supporting thousands of different systems running a multitude of operating systems, separate code bases and differing development standards.
“One of the biggest challenges in cyber, which is a bit underrated at the moment, is how we can standardize things in a way that makes them easier to support over time,” says Guilarte. “But also, how can we have policies and procedures that transcend borders?”