December 20, 2021

Train of Consequences: The Real Cost of Rail Cybersecurity Incidents

Daniel Shkedi
Director of Product Marketing
With losses from rail cybersecurity incidents estimated at billions of dollars every year, railways are forced to tackle a long-term economic challenge

Many railway information security executives think of cybersecurity purely in terms of the number of IT-focused cyber-attacks or security incidents prevented. The common belief among most information security and IT professionals is that if cyber risks are systematically mitigated, and security incidents are kept in check, the organization’s cybersecurity programs are performing well. However, a closer examination of this notion may lead us to another conclusion altogether. 

When railway information security executives measure the performance or ROI of their cybersecurity stack and programs, success is typically measured by metrics related to operational continuity of IT systems, such as internal networks, ticketing systems, and online passenger services. At railway companies that are less advanced, executives may even follow a “no news is good news” approach to cybersecurity and invest the bare minimum or an infinitesimal percentage of their overall budget.

This approach is flawed because it drastically underestimates the importance of protecting critical assets, networks, and devices within the railway operational technology (OT) layer, or what we call ROSs (rail operational systems). Even the slightest micro-failure within this layer can result in macro-effects with grave safety and economic implications.

The Wider Impact of Rail Cyber-Attacks

Risks associated with cyber-attacks on railway systems are still unclear to industry leaders, yet broadly recognized as threats that can cause multiple negative consequences. These consequences may result in direct and immediate physical damage and in long-term ramifications with a wider impact on the rail network. These effects, in turn, can lead to astronomical indirect economic losses for all types of rail undertakings. The following taxonomy delineates the main types of costs associated with rail cybersecurity incidents:

Safety Hazards 

At the pinnacle of all concerns in the rail industry are heightened safety risks due to cyber-attacks launched against critical systems such as interlocking, point machines, light signals, and braking systems, to name a few. Safety incidents can result in various adverse outcomes, which ultimately will have a detrimental effect on a rail company’s top and bottom lines:

- Fatalities and Injuries: Loss of life and physical harm to passengers or train personnel is, without question, the worst possible aftermath of a rail cyber-attack. Beyond the personal tragedy involved, such events come with long-term implications such as insurance and compensation claims, reputational damage, loss of customer confidence, and increased legal/crisis management fees.

- Physical Damage: Rail cybersecurity incidents may inflict direct damage to ROSs and peripheral subsystems. In severe cases, equipment may have to be replaced, inflating procurement spending and upkeep costs for the rail company. Moreover, the company may have to hire external experts or contractors to support the railway’s operational teams, leading to even greater spending.

- Near Misses: “Close calls” that don’t actually result in injury or physical damage are also costly for rail companies. Typically, near misses require reactive measures such as reporting, root-cause analysis, training, and continuous improvement. These activities may also have a cumulative impact on safety-related costs.


Service Disruptions and Downtime 

Imagine this: It’s rush hour in a major metropolitan area. People are grabbing their belongings and rushing to the subway or train station to catch a train to work. But what they encounter is total chaos: Trains come to a halt on the tracks, while the words “Canceled” and “Delayed” flash on massive train schedule boards, and a series of service disruptions shut down the city’s subway system while security teams try to contain the threat.

It sounds like a horror movie, but it’s just one nightmare scenario that today’s governments and rail companies must consider. The financial implications of such a shutdown could amount to tens of millions of dollars per hour, based on the following (partial) breakdown:

- Lost Income: Direct revenue loss from unsold tickets and freight charges that were not collected. Probably the most significant losses would be in this category.

- Reputational Damages: A tarnished brand, especially in the railway industry, will almost certainly result in loss of passenger confidence and diminished customer lifetime value (CLTV). Furthermore, there may also be additional direct costs due to damage control fees like public relations, crisis management, and legal services.

- Increased Operational Costs: As with safety incidents, a massive shutdown may require extensive repair and maintenance. Increased mechanical or equipment costs will likely be supplemented with direct cybersecurity costs for an in-depth forensic investigation, patching/remediation, and additional SOC (security operations center) services.

 
Compliance Costs

In recent years, cybersecurity compliance has become a cardinal concern for rail companies, and more so since the introduction of new mandatory regulations like the TSA Directives and advisory standards like IEC-62443 and TS-50701. The expenses incurred by railways to adhere to new government regulations have increased significantly and now require a more systematic approach. Railways with a weak security posture will be forced to invest more to comply with regulations. This problem usually derives from the significant knowledge gap in this area and the near-total reliance on external compliance experts. It’s important to note that non-compliance with mandatory directives like the NIS Directive or the new TSA Directives may also result in fines or other regulatory sanctions.  


Stifled Business and Operational Growth

Rail companies that have experienced serious cybersecurity incidents and heightened risk to their service continuity will most definitely be reluctant to adopt new rail technologies like Automatic Train Operation (ATO), Communications-Based Train Control, and the European Train Control System (ETCS). Rail companies may also be reluctant to expand their rail network and fleet, compete in new tenders, and offer more services to passengers. Without cyber protection for all operational layers, both onboard and trackside, business growth may be held back. With time, this apprehensive approach may also lead to stagnation and underdevelopment. 


Rail Cybersecurity as an Economic Enabler

With overall losses from rail cybersecurity incidents estimated at billions of dollars every year, these events should not be considered solely as an operational or information security problem but also as a long-term economic challenge. It’s high time for railway executives to better understand the cost structure of cyber incidents and view advanced rail cybersecurity solutions as an economic enabler. The benefits of adopting a comprehensive solution go far beyond increased safety and operational excellence. Once decision-makers adopt this type of thinking, the value of a specialized strategy for rail-centric cybersecurity becomes crystal clear.
