Like all areas in the modern world, the rail industry is becoming more digitized every day. With more sophisticated systems and more software involved, public transport operators are becoming increasingly vulnerable to cyberattacks. That said, the field of rail cybersecurity requires specific knowledge and experience that, unfortunately, most cybersecurity experts don't have.
Onboarding these cyber professionals and getting them up to speed on railway technologies and standards can involve a steep learning curve. As you and your colleagues embark on the path to becoming rail cybersecurity mavens, there are three primary areas to focus on. These concepts can give you a significant leg up in the industry and help get your new career on track.
- Basic rail principles and terms
Every rail system includes various core elements such as signaling, rolling stock, and operational systems. You’ll need to understand these elements in depth, and the best way to do that is to start with the basics. Keep in mind that, as with any new subject, once you begin to use the terms on a practical level and see the systems in action, the ideas will make more sense, and you’ll easily be able to retain the new information.
A great resource to begin with is the material created by the FRA (Federal Railroad Administration). They released a series of videos called Railroad 101, which, as the name implies, is great for anyone looking to understand the basic functions of rail, including an overview of train types and performance and locomotive emergency response operations. They also provide webinars and tutorials.
We also highly recommend this document published by railwaysignalling.eu. It provides an overall introduction to traffic management systems focusing on the ERTMS (European Rail Traffic Management System). While that specific system may not be used in your company, the document covers the evolution of principles in rail signaling and how ERTMS was developed. You’ll read about ATP (Automatic Train Protection), the use of braking curves, movement authorities, radio commands, and more. This document also lists important acronyms you will want to familiarize yourself with. Similar concepts will apply to other train control and signaling systems such as CBTC (Communication-Based Train Control) and PTC (Positive Train Control).
- Rail safety and security standards and practices
The rail industry is highly regulated. The advancements that railway technologies have made over the past few decades have all been built onto the framework of industry standards, which serve as best practices and are sometimes even mandatory. Standards such as EN 50129 keep railways safe by providing guidelines for railway operators, engineers, and suppliers.
While some changes are made for security reasons (as in the latest EN 50129), these standards will remain the foundation. That means they can help ensure that business logic isn’t compromised as adjustments are made. Although practices vary between countries, the principles remain similar. New security-dedicated standards and practices have been published, such as IEC 62443 and TS 50701. You can get the information from sources such as our webinar about TS 50701 (The Impact of TS-50701 on Cybersecurity in Rail Networks) and our blog post about IEC 62443 (Don’t Lose Sleep Over Railway Zoning Compliance).
- Rail architecture, protocols, and technologies
In the past, rail operators generally used proprietary technologies and methodologies to operate and manage their tracks and fleets. Implementation styles varied widely and looked different across operators and countries. This caused all sorts of challenges, which is why railway operators agreed on developing common and interoperable protocols and architectures. Technologies were standardized to the point that they could meet the requirements of a wide range of rail companies and regulators. This also allowed for greater competition between operators and manufacturers, removed a technical barrier to cross-border passenger and freight movement, optimized maintenance costs, improved safety, and increased traffic capacity.
Some of these initiatives, like ERTMS, OCORA, and EULYNX, are developing manuals, online directories, and even GitHub repositories to ensure transparency and validation for those who implement them. They’ve made this information easily accessible, as it is just a Google search away.
Applying the info
One of the biggest differences between rail and other cybersecurity fields is access to the hardware involved. Unlike many other OT systems, PLCs are not necessarily the base element. You'll probably want to test your code in the real world, but finding a spare train hanging around can prove difficult. The industry has tackled this issue by creating specialized testing tools and sandboxes for your QA and validation exercises.
With a better grasp of the system and the unique challenges of rail cybersecurity, you'll be able to apply the same broad principles and skills that serve cybersecurity experts in any industry. Although every rail system is different, the basic components are the same. It won’t save you from learning the details of your own system, but understanding the basic principles is the first step to finding your footing in rail.
Are you a rail expert looking to get into cybersecurity? Stay tuned for our next blog post, which will cover what you need to know to get started.