Keeping Cybersecurity on Track: How Different Countries Are Protecting Their Rail Systems
Two years after the UK’s railway network announced that it had fallen victim to multiple cyber-attacks, the industry is still trying to assess the wider implications of rail networks’ vulnerabilities in the digital age. The havoc that hackers could wreak by carrying out an even more wide-reaching cyber-attack on the rails, ranging from massive service disruptions and significant economic damage to derailments and lost lives, underscores the stakes as railways seek to build their cybersecurity defenses moving forward.
As industry stakeholders in various countries continue to implement their own plans to secure their railway and metro systems from such malicious attacks, the railway cybersecurity strategies of various nations may offer instructive examples for adopting best practices. Among the vital elements of these strategies are building awareness of cyber threats, promoting channels of effective collaboration between railways and relevant authorities, and deploying advanced technological solutions suited to the unique, connected technologies that power the rails.
Here’s a look at how a few leading countries are moving to secure their rail systems in the digital age.
Brexit notwithstanding, the UK has made clear that it will uphold its commitment to the guidelines laid out in the European Union’s Network and Information Security (NIS) Directive. The Directive, which took effect in May, requires EU member states to implement rigorous cybersecurity protections for critical infrastructure. The UK’s approach in implementing regulations to meet the Directive’s requirements facilitates robust cross-stakeholder collaboration.
The Rail Delivery Group, the NIS member association for British railway bodies, has articulated five core objectives guiding rail operators’ actions on the cyber front. Structured around the mantra of Understand, Protect, Detect, Respond, the group’s recommendations drive home the importance of multi-stakeholder collaboration, monitoring and threat detection at every stage of a system’s life cycle, and strong cybersecurity governance. The UK’s regulations will have bite: rail operators that fail to implement essential cybersecurity measures against cyber-attacks will risk facing hefty fines, with penalties reaching up to £17 million.
Down under, the Rail Industry Safety and Standards Board (RISSB) has released an ambitious, 44-page cybersecurity strategy drawing on many of the best practices for securing critical systems.
The full-spectrum strategy notes the need for a tailored cybersecurity approach that addresses the significant risks to life, commerce, infrastructure, and operational systems – including signaling systems and rolling stock – stemming from cyber-attacks, as well as from the long lifecycle of control and rail systems. The strategy notes the many unique vulnerabilities embedded in the cyber infrastructure of rail systems, including their WiFi-connected OT environments, the joining of IT and OT, and inadequate mechanisms for detecting hackers in the OT environment.
In terms of governance, the strategy requires at least annual meetings of rail transport operators to review policies, procedures, and management structures for cyber management, ensuring that accountability and responsibility for cybersecurity are incorporated into organizational roles and functions. It also sets out the requirement for ongoing cooperation between internal and external stakeholders.
Technologically, the RISSB calls for ongoing monitoring of operational states, regular stress-testing to ensure that security measures are being implemented in rail systems, vigorous response protocols, and information-sharing with law enforcement and relevant authorities regarding risks and vulnerabilities.
In keeping with the cybersecurity vision delineated by the federal government, the American Public Transportation Association (APTA) has laid out its guidelines for cybersecurity in public transportation in general. Although these guidelines are only recommendations for cyber policy, they represent an excellent start for securing railway systems nationwide.
Emphasizing multi-layer fortification, the integrity of operational, enterprise, and subscribed systems, as well as the importance of cybersecurity education and risk awareness, the APTA’s guidelines drive home an important point: in the 21st century, cybersecurity isn’t merely a technical function but rather an indispensable part of managing critical systems. To that end, the APTA has also published a study on the importance of attack modeling based on railway topologies, with an eye toward developing systems and protocols for safeguarding the rails in multiple scenarios.
The sooner all countries and rail systems implement standards that acknowledge this basic fact – while learning from one another regarding best practices in this swiftly developing industry – the more secure our rails throughout the globe will be.
*This post was originally published in: https://www.linkedin.com/pulse/keeping-cybersecurity-track-how-different-countries-rail-levintal/