back arrow
Back to Resources

Rails & Resilience: the Convergence of Safety and Cybersecurity | Eddy Thesee | S1E6

Rails & Resilience: the Convergence of Safety and Cybersecurity | Eddy Thesee | S1E6

Eddy Thesee, VP of Products and Solutions Cybersecurity, Alstom, delves into the critical relationship between safety and security in the rail industry. Thesee discusses how safety has been the cornerstone of rail operations but highlights the emerging need to consider cybersecurity as a vital aspect of protecting rail tech environments from increasing cyber threats. Drawing parallels with safety practices, he and host Roark Pollock explore how cybersecurity is now becoming an integral part of the industry's DNA through standardization, skill development, and product advancements.

About our guest:

Since 2018, Eddy Thesee has served as Vice President of Products and Solutions Cybersecurity, Alstom, where he initially joined in 1999. The role encompasses defining cybersecurity strategy throughout the company, overseeing cybersecurity activities in projects and new products, and establishing a dedicated cybersecurity business to meet railway's expanding demands. Eddy pursued master's degrees in Mathematics, Telecommunication, Information Technologies, and Psychology at the University Renee Descartes in Paris.


Roark Pollock: Hi, I'm Roark Pollock. And this is the first season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we'll be talking about getting cybersecurity embedded into operational rail tech environments. I'm really excited about today's conversation because we're talking to one of the big names in rail cybersecurity. Mr. Eddy Thesee from Alstom. Eddy is the current Vice President of cybersecurity at Alstom. He is based out of Paris, France. And he has been in his current cybersecurity role for the last five years, and has been in Alstom for almost 24 years. In his current role, Eddy is responsible for defining and executing the cybersecurity strategy and positioning for all of Alstom's products and solutions. Eddy, welcome to the show. And thank you for joining us today.

Eddy Thesee: Thank you.

Roark: We're excited to have you here, Eddy. So I think it'd be a great conversation. So one of the things that I'm always curious about is how people get into cybersecurity space. And for you, for instance, you have quite a diverse background, if I'm correct, that you have an educational background in math, literature, and psychology. So how did you go from that background into IT cybersecurity, and what got you into the rail industry?

Eddy: In fact, it came in two-fold. So I started the mathematics and one of my activity was to implement algorithm. So when you want to implement the algorithm, you have to do programming, so start to program to develop, I suppose in the end of 80s  the beginning of 90s. So at the time, you had to do a lot of thing by yourself and Linux was my best friend. So you know, to create your own computing. And that's where I learned a little bit, the way to manage your system to be close to it. So it's well you have the kind of values of, of being understanding how things are working. That was really initial word of a hacker. And then I started to realize your security things and understanding things. And I move in my in my career, to the point where I joined Alstom to take care of IT, but I like rail lot. And I managed to do processes in our store man to take care of how do we develop how do we implement, How do we do system engineering, compassion, and a good opportunity came up to come back to my first I would say initial passion, which was the technology, IT, and cybersecurity, and then I came to be the VP of Products Cybersecurity, Alstom 

Roark: Got it. Yeah, we all take a little bit of a roundabout way to get to where we're at, but appreciate your viewpoints today. So let's let's dive into our first topic and talk a little bit about the state of rail tech security. I've heard you state in the past that safety is the protection of passengers and systems from unintended harm, while cybersecurity is the protection of people and infrastructure from intended harm. And for me, that statement is kind of the most concise and probably best distinction I've heard to describe the difference between safety and cyber.

Eddy: Yeah, I would say it's fair to recognize that safety is the cornerstone of whatever we do anyway. But the nature of what is happening in front of us when it comes to cyber is totally different. Basically, when in safety, we protect ourselves more or less against ourselves. So a lot of design a lot of implementation, misconfiguration when you do cyber security, it's not at all this cybersecurity, you primarily try to protect yourself against external threats, intelligence, with willingness, with objectives. And that's make a huge difference compared to when you do safety. And one of the major difference on based on the nature itself of what you are trying to protect against what you are defending is the fact that when you do safety, you define your protection, like you say, you implement it, you validate it and then it’s there for the next 1,000 years. Whereas when you do cybersecurity, because you address moving threats, intelligence threats, in this case, you are no choice but to reassess and reevaluate or maybe to upgrade your defenses on a regular basis. So that's a visual difference when you think about cybersecurity and safety.

Roark: Yeah, I think that's what people think. I think that's why most of us like working in cybersecurity. It's protecting systems from threats from external threats and even more so and the operational parts of industries, like the rail industry that is critical to all of our economies. And so I think we all enjoy the work for that reason. Yeah, so anyway, not too long ago, safety wasn't part of the rail design process. Probably before our time to be fair of both. We both have a little bit of gray hair, but we're not that old. But it's now embedded throughout the entire industry. And if you think about safety as an analogy, where do you think we're getting with cybersecurity and embedding cybersecurity into these operational rail tech environments?

Eddy: So I think that the thing is a couple of comparisons, we take a couple of examples from what is happening in safety. But as I said before, there is major differences. And we know that the landing zone will be very similar for both I mean, today, you don't think about really worrying about thinking about safety. Tomorrow we will not think about will we will think about cyber, and on the other basic reasons for that is the basic components that we are using to build our system and to set up the rail tech environments are naturally exposed to cybersecurity threats. This is one of the reasons why, as a consequence, cybersecurity will become, and is becoming one part of the DNA, it will start by standardization, to have a clear I would say, a way to exchange common language and common objective between all the stakeholders of the of the railway system, and then it will continue with skills, development of skills, specific products, specific learning paths, career goals, all of that will come to consolidate the fact that now cyber is in the DNA of the railway activity.

Roark: Right. Right. Well, and if you look back, let's say we look back two years or so, how much progress Do you think the industry is making over the last few years relative to cybersecurity, especially in the operational rail technology environments that we're talking about?

Eddy: I would say that to see progress, we need to have some kind of indicators. The first indicator is, when you have events connected to railway, when you have conferences, when you have a forum you have, you now have always a corner for cybersecurity, that was not two years ago, today, everything that is major or events in cybersecurity, I notice it can whatever the thing is a corner for cybersecurity, and that's good. So one important point is that you see that your CEO within this industry, so they can be asset owners, asset operators, technology providers OEMs. All those CEOs, they start to have that in their agenda is their board with their executive committees on this sometime speak about it. So it's not now rare to have a CEO of an operator mentioning that fact, the fact that cybersecurity is becoming or is now one of the key topics that they look at the management level. right just seem in OEM and I will take the example of Alstom you can take on profiles, Henri Poupart-Lafarge, the CEO, and the key who's the president of the company, those guys, they can speak about the strategy of Alstom and cybersecurity, that was not true a couple of years ago, and you go down in all the scales, all the levers that you have in the company, you will find people who are now they understand better what they have to do, what is your contribution? What are your challenges? So the if you want to see the progress made by Henri when it comes to cyber security, you will see that nowadays standards. So this means that the whole industry has embraced the fact that we need to do it, we start to have skills, we start to have communication,working groups, and within also company, all the stakeholders. You have people now that are that have a mission to make sure that cybersecurity is becoming the DNA of rail. 

Roark: Right, right. I know Alstom has been doing this for a while and you've made some big investments in cybersecurity, what kind of are you seeing significant growth over the last few years in this space, especially being requested from operators?

Eddy: So today is one indicator if it gets company one, we started to structure our journey around 2018 with a small group of people like 20-25 people, today we are more than 350 people. So it shows just the scale-up that we had to do in the middle of the pandemic to address the request coming from our customers. If I look now, anytime the issued on signaling, rolling stock, turnkey project maintenance services, or whatever is coming with, I'm unsure of cybersecurity. So, the evolution is visible, you can touch it, you can measure it, the expectation coming from the customers is also there. The point that we have to keep in mind and I have to put both in the same sentence is that we are thinking long term business. So means that the products that we are delivering today have been designed a couple of years ago. So systems that are ongoing operation now, the project have started five years ago, six years ago, 10 years ago. So the real challenge for us is to really embrace cybersecurity for the future of meaning that any new designs that we do for the future product must include the basic of good design and good principles of cybersecurity. But we absolutely need to make sure that we can protect our existing designs that we have already sold a couple of years ago or that we are putting in production now are sitting. Because they will constitute the big part of the critical infrastructure of countries. states or cities.

Roark: Right, right. Yeah, great. Certainly the technology, product life cycles are different between rail systems and cyber systems. So that's one challenge. Eddy, what do you see as the biggest driver today getting cyber built into new infrastructure and rollingstock projects and not just new projects, but even brownfield projects?

Eddy: I think that too elements are pushing now, to pay much more attention to cybersecurity. The first element is something which is intrinsic to the railway product on to the next natural evolution of our product, they are becoming more and more connected, made with more and more software. So, you will not see any piece of a railway system without a certain level of software interconnectivity. The digitalization is creating the right context for us to increase openness to have more connectivity. So meaning to expose ourselves more so by internally within the railways, the nature you have what we are selling is changing the complexity of what we are selling is changing. So you must start to embrace the cybersecurity journey. So that's for the internal path. And externally more than before, railway is becoming a major factor in social economic life of any country, city or a group of cities. We talk about when we talk about rail, we talk about sustainable developments, we talk about safety of passenger rail is and will remain for a long time, the safest and greener way of transportation that you have in the world. So all of those factors, external and internal. External, we need more and more railway more and more city are going more and more people to be moved from A to B, the nature of what we are selling is now made of more and more components, which I suppose it's multitrack data directly driving the fact that you need more and more cybersecurity.

Roark: Yeah, I can certainly say I wish we had more high-speed trains in the US and instead of air travel. So any one of the things you didn't mention that surprised me is the role of the regulatory bodies. You know, I'm interested in your take on some of the new requirements, like the TSA security directives here in the US and the NIST security directives in Europe, you know, what do you how do you see them playing, and have they had a big impact or an immediate impact like the regulators, I think want?

Eddy: So, rail is a highly regulated environments, since it has been created, because you have life of people in your experience, or you must be in a position to to ensure and to secure these lives. So this means that regulations in all countries play a critical role. And they are playing a critical role because they set the rules. And we as OEM need to because we are most of us international companies, we need to make sure that for the good the industry, we are able to replicate these everywhere. So we expect from regulator to do two things. First, an understanding of our system of ongoing amount of the concerns. And second, I will say your time adjustments to understand the by the nature itself of our of our activity or our business, that sometimes we need time to implement transformation. So if you look at what is happening currently, so you have the big evolution or evolution in Europe, with NIST directive, and standardization at the Cybersecurity Act. So those two are coming now to a certain level of maturity. There is some topic which are okay, some are less okay, but we will have to address them going forward. So regulation in Europe is really pushing quite heavily. And it will we'll see the regualtros towards European bodies, giving some instruction in laws, by the way. We see the same arriving starting by USA. Well, USA you you mentioned the TSA regulations with the two directives that you had over the over the last few years and the federal rules that is under occupation. And we are seeing also the agencies railway agenncies, and more generally railway companies trying to organize themselves want to see regulation, and make sure that they can anticipate or compete there themselves. So that's, that's good in the rest of the world, if you look at what is happening in, in APAC, in Asia Pacific, uses a major countries, having already seen sometimes one decade, some regulation in place on the outside to announce those regulations, you look in Middle East, you will see in North Africa, uses the same trend to by regulators taking over or making sure that they have described on defines the right level of criticality of the infrastructure, and then the level of security that they expect. So I will say globally, you will see everywhere the trend, pushing towards a better understanding of the system, pushing to some time the shift of responsibility between the operator to the technology provider, in terms of reliability, obviously, long term on the security of the system. So we see that also, but you see is also more obviously appetites, more willingness to embrace this journey from the operator an , to organize themselves to to do the right job. One of the points I have to mention is that you don't do cybersecurity, and you don't protect yourself without having a certain level of investment. Meaning that you need to dedicate resources so you have people who have to be trained in specific skills, you may need to dedicate specific means. So specific, I will say your computer networks, systems, but also you need to have a little bit of investment in terms of a money in this environment to make sure that it will be set at the right level and maintained over time I discovered.

Roark: Yeah, a great investment is certainly required on all parties, frankly. Eddy, this may be an unfair question, because I might be asking you to criticize your customers. But are there things that from a rail operator perspective that today you think you'd like to see them asking more of in tenders and RFPs or things that perhaps they're not asking for that you'd like to see?

Eddy: I'd say that and not being a criticism is that most of the operators, they also start their journey. So they were used to receive from Alstom, Siemens, Thales, and CAF, we will see the very electromechanical systems delivered from long-term projects. Whereas the quote-unquote, IT-connectivity software paths were very minimal. So they build organizations, they build skills to manage the delivery and to manage the delivery and operations of that systems was there as decades, we and because of I have said before because they wanted to have more efficient, they wanted to have more personnel system, we've introduced more and more new technologies in the system, they need now to embrace that also. So on their side, we are pushing a lot effort, and we are a part of UITP, a working group on cybersecurity, where we have even drafted a document which is a guideline, how do you how do you do a template In this new age of cybersecurity, what do you need to ask? So we need operators to become a little bit more accurate in what they expect. To have facts in there is a request to avoid to have saying you have to be compliant to all of that because it is not helping to protect the system. And we would like we expect that the industry will take a direction where we'll really will be more risk-based rather than compliance based means that we don't want to have people in front of us asking to tick boxes, you need to be compliant with all of that ticking the boxes, we would like to have more discussions related to risk. What is the level of risk today? Can I make reductions of risk? And what is the level of risk I'm able I'm ready to accept and to take in my operations tomorrow? So that debates this is if we need to have something that has to be promoted and pushed is really to have this culture of risk management instead of being too much. And you say compliance, compliance-based will help a lot move forward onto the course. 

Roark: Right. Yeah, we're seeing that with the more sophisticated organizations today. They're already there as far as a risk-based approach to a lot of this, but the compliance ideas are pushing them or pushing everybody as well. So Eddy, let's move on to our second topic and talk about how rail systems are different and how we're starting to see some verticalization in this market space, I read somewhere that you expressed an opinion that operational rail tech systems are really unique, especially when compared to other industries. So, I guess first is that statement accurate and second, maybe you can explain why you think the rail tech systems are so very different than then some of the other industries? 

Eddy: So, if I say this its probably accurate, Seriously, if you step back a little bit, and you look at what we talk about one we will take, so, we are facing systems, which have been made over decades. So, meaning that any railway somewhere has been built for during a certain number of years. So, accumulation of layers of technologies, which are of different material, different ages on different compositions, I will say, you see the geographical spread. So meaning that when you are take a train from A to B, any single inch between A and B needs to be protected. It's not like you take from airport A to airport B, any single institution connected and you have equipment or along the line, meaning that you can add equipment spreading over 1000s of kilometers. So you have a show graphical spread, you have a mix of technology, of course, you have the safety-related activity. So meaning that it exists in your system like aviation ensembles, and so you don't have the same issues that we have. But that's, that's an important point on the physical aspects, the fact that we are geographically spread is is creating a big issue from the physical access. If you take plane bus, car, or a train, you will see some differences. So when you take when you take a plane, it's very complex for you to be able to have access to the critical system of the plane, in general you go you go to your seat and you are not authorized to go into the pilot cabin or to go into the in under the plans, the physical access is easy to think easy. So you can have access to all the critical components of the twin easily I mean, because they have the physical proximity, you are not far from them? So on the  rail stations are very open environemtss, nobody will put you in jail if you touch a train, having access to the tarmac have also one way of having access to the to the plane in several countries on things that you finish in relation to that. So we have, I would say, very specific environment based, on the regulation based, on the geographical spread, based on the mix of technologies that we are seeing, based on the criticality of the system. The idea here is not the government's, which is created deficiencies compared to civic environments. And we took time when I'm saying that to to have a very in-depth conversation with our colleagues from Airbus or protect or people who are doing the seas or cars. In order to understand what was exactly the challenges that you're facing, as long as they don't have the same kind of relationship with a customer issue are in automotive, generally you have a customer is an individual, the power of influencers, those people are not the same as the big operators that are in line. So so we have a very, very specific environment. So this is why every time we repeat that we need to create the cybersecurity that will be adjusted to your rail tech, it will be based on the existing field because we are very happy to be producing that exists, that there is a dimension of it that we have to create for the future.

Roark: Yeah, great. And we're actually seeing this I know that Gartner has been publishing lately and talking about the fact that cybersecurity in some industries is becoming much more verticalized, rail industry being one of those. And so, they basically said that some of the cybersecurity solutions that are in the market, or even the combined solutions that like a Alstom would put together are very verticalized for the rail industry. And given what you've just said about the uniqueness of these systems, how does this verticalization of solutions impact kind of your thinking about cybersecurity and what should the operators the rail operators be thinking about when it comes to cyber for these operational rail tech systems?

Eddy: We come back to the nature of what we are doing so, railway is an industry of integration. So whatever is sold in a real way is an integration or something. Because of this nature, we have very complex system. So if we want to be efficient in cyber security applied to railways it has to added value for the people who are running the system. So which are mainly operators, one chance to, to execute the activity and make sure that things are running well, know while in charge maintains a level of security of the other systems. So meaning that if you come with a serious cyber solution, you will go nowhere because in fact, you will lack the constellation of there is a cyber problem to there is an operational problem. So what will be solver managed by the railway industry is the operational problem. So I think there is a need for verticalization of whatever we cooperate on in terms of this cyber, it is because at one point in time, you want to have efficiency, you want to be able to detect something that speaks to the operators that allows them to react, there is no point to say, alert, say something which is red somewhere, but you have to do it to defend what you will earlier this is read on, you need to stop the train or you can continue your journey, or you need to evacuate the passenger. So this is a thing that will be an added value for the operation, people who are operating away, we're already willing to do that we say we value and managing crises on a daily basis, they need to you need to have something in their language. And that's why the verticalization is something that is happening. And that will continue to happen, where you will need to have solutions which are as specialized as possible, giving us a visibility on your technology. And that's where the rail tech makes sense in the sense that it's not only it is not only IT, it’s not only OT, it's anything that you need to make your system say behave properly. So, this will be made of classical I will say all personnel technologies or embedded systems plus thing classical IT components that you use for some other functions, which are absolutely necessary or do for diverse material, whatever you may have a couple of information that you need to capture you to process that coming from equipment which are very close to IT. And user and you have a system which are rail tech system safety quality making your technology and this is what you have to protect. And then you need to have the right vertical to protect this kind of system.

Roark: Do you think the rail industry is big enough to support that kind of verticalization?

Eddy: Yeah, it's a fair question. But yes, because we have already supported some user verticalization for safety or for some other things. So when it comes to securing the railway system, I believe that there is no reason that it is not possible. 

Roark: Yeah, it's a good, good analogy to the safety systems. Got it? All right. Well, I know you recently were on a panel at Cyber Senate, the rail cybersecurity conference in Chicago. I know because I was there. But you spoke about fostering strategic partnerships in the rail industry. And I think some of your points, there's kind of dealt with this idea of rail cybersecurity specialization. Was there anything in that discussion about the vertical ecosystem you would want to summarize as part of this conversation?

Eddy: I think that it's it's common sense. But nobody will succeed alone, especially in cyber on the railway and cybersecurity. That will be very complex, we have one company or one solution, being able to solve this issue. So once you have made this, this, these findings, and you realize that you need to rely on some of the people, then you need to define what are those people on the fence, where's the notion of partnership is coming, you don't need to have a new supplier, you need to have a partner that will be able to share risk with you make some bet on the future. And not just it's technology to your need. And that's where partnerships are so important. And then that will enable verticalization because as an OEM in railway, we don't master all technologies necessary for this virtualization. So we need absolutely to have partners and not only suppliers will be able to help us in terms of developing what we are calling the raill tech cybersecurity.

Roark: Right. Yeah, certainly the whole industry needs to move forward in lockstep. But one company or one part of the business can't drive the entire industry forward. Now, let's move on to our last topic and talk a little bit about kind of where you see things going as we move forward. And if you think about the level of sophistication that rail operators are asking for today, it could be freight, passenger rail, public transport operators, or transit operators. How do you expect to see operators kind of up their game even more in the coming years? Let's talk to three five-year window, whatever you think is realistic.

Eddy: I will say is that when we when we project ourselves into the future, we have always to keep in mind two things, there will be the new demons that will appear in two to three years and then we have the operation of the systems which are under construction today. So the one that are under construction today they will be delivered in two to tree years, and we know exactly what is in the systems. So we know what exactly they will be the demons on the operation mode, in order to be able run them and operate them, then there is whatever will be requested in two to three years. In terms of a new feature new security controls, the lesson learns by the operator, installer, by the EOM is enormous. Over the last couple of years, we've learned a lot. Now we need to transform those lessons in specifications in new procedure, operational procedures, new, maybe new new or new standards, in order to make sure that we are paving the way for the smooth development or smooth integration of cybersecurity. So as of today, what we are seeing is that the maturity coming from all the chains, so not only is the asset owner, but also is up to regulators, third party has learned which means that for the next generation of photos that we are building, the level of specification on the level of accuracy of cybersecurity will be very good, much better than today. Right. And that also means that for the systems that will start to operate now and next year, we were being designed a couple of years ago, there will be a huge work to be done in terms of adjusting the system to the expectation of the new expectations. And that's where we are, we are thinking strongly that the install base with the capability to enhance the security reduce the level of risk, having regular assessment reassessment evaluation, then adjust the mitigation plan is something that will be a very important activity for the industry in the next two to three to four years.

Roark: Yeah, you see, the bigger challenge is how to keep up the installed base infrastructure with current cyber requirements.

Eddy: Correct, because we know that some of us will reassess our system regularly because contrary to safety, cyber is never set in stone. We have to revisit it on a regular basis, meaning that we may have to adjust our mitigation plan. Concretely, it means that we may have to modify some software, to embed some new appliances, to add some zones or some controls. So this is something that we have to learn to do. Because today in railway is not at all the way we are working. So this has to be developed this we need to have the right level of standards for that level of ways of working, the services, allocation of tasks and responsibility between asset owner, installer operator, or technology provider, although that is still in front of us in terms of detailed definition and description. So far, we say efficient ways of working. So a lot to be done, a lot to be done, that we start to have a lot of examples, you start to have concrete examples of what is happening. So we need also to talk and make sure that working grouping ourself in committees and workgroups and so on, to identify the priorities and then to be proposals that we can move forward together.

Roark: Yeah, it sounds like from your perspective, Eddy, what I'm hearing is this is an area you think the rail integrators can take the lead in the industry and help more so probably than the operators themselves because you're looking across all of these customers.

Eddy: I think that we both have a role to play but it’s true that when you are an individual working across the world. Now across the globe. You have you see different postures a different situation you see different threats, you see different solutions. So it's part of our duty is a part of our responsibility to make sure that we leverage that. And we bring back to the industry something because if you step back on the situation Alstom is one of the leader and so in some cases the of this industry on this is really. For the next decades, and so we have, it's good for us. But on the other end, we feel that there is a need for us to, you know, industries or to put something in the industry. And we believe that the fastest we can see things across the globe, on all the dimensions of railway on all the various market segments, is an added value that we have on we can share with our colleagues or competitors, or, of course, specific working group and so on. But it's something that will help us get to go on, it's our best interests, our best interests, as well as one of the players in the industry is to have an industry material in cybersecurity, where people can understand what means asking, well, people can understand that there solutions that are working well, and some solutions that are maybe not working well. And there is some effort of transformation that has to be shared between all the stakeholders, and starting by the regulators and ending to the installer that we have the systems.

Roark: Right. Yeah, completely agree. And I know one of the topics that you're passionate about, and you kind of started talking about it a bit earlier, is the need to move towards more of a cybersecurity-focused culture across the entire industry, the entire ecosystem. Now, where are we today in that regard? And how do you see that playing out over the next several years?

Eddy: So you know, railway has never been like, some other industry was they were more exposed like aircraft and you see, very, I will say, open or very exposed to the defensive activity. Our main defensive activity was safety. Right? That's very challenging context, in terms of aggression, we have a little bit of vandalism that was cybersecurity is creating a new, kind of it's a new nature of threats, more or less invisible, because you don't see it like that isn't you see it immediately. So we need to learn how to do that. There is a huge transformation, which has started, which is touching everyone, all of the stakeholders. I think that the good news is, we did a lot, if I really compare what was the situation in 2015. And what is the solution today really is a culture of cyber security, within a railway, has really started to be deployed. Now we still have a big challenge in front of us is to make sure that the relationship between cybersecurity and safety is well well defined on that there is no ambiguity, we need to make sure also that a couple of responsibilities when it comes to maintaining the security, assessing the security over time, and then seeing the differences. So the responsibilities for existing systems, from time quite old, is also obviously drafted and put into metrics that we can use on a regular basis to allocate tasks and to define a way forward. 

Roark: Right, right. Yeah, certainly becomes everybody's job, not just the cybersecurity personnel. Speaking of people, let's talk about talent for a minute. I don't know for a fact, but I can pretty much suppose that the rail industry is not seen by young tech-savvy workers as an attractive industry. How do you think we change that? How do we bring more talent into the rail and, more specifically, into securing these operational rail tech environments?

Eddy: I think that's one of the issue is that we have this image of steam trains with fairways to Western. So, we see that this image and if you go in some countries, you will see that the signal to announce that there is a railway in front of you is sometimes seem to end so we need to go beyond that. And one of the simplest way to go beyond that is simply to show what we are doing. So today, we in this industry are quite shy when it comes to explaining to people what we are doing. Nobody knows that since more than 20 years we have automatic trains so meaning that trains that can drive themselves alone, and they are transporting millions of passengers every year. It's a couple of years that there is a car that can do a couple of Metro alone and it's another we have trains that are doing that since decades and nobody knows nobody knows that there is from 100 to 500 computers on board have one thing with 3,4,5 networks with switches with antenna now, WiFi, GSM that we have sometimes called in our system to localize our skeins, braking system of the very complex image means that you have to make a system which is running at 400 kilometers by our team document of ours, which is a weight of phone read or See under the phone leptons This is a very complex system to break out things to accelerate out gains, you take a high-speed train, it is a small wheel metal on a small rail in metal, and you put on that 1000 tonne of, of equipment. And you put people on that and then you notice that kilometers are our meaning to stop that in less than two kilometers. So, it is something which are very, very challenging, we need very scalable design, we have people who are doing artificial intelligence we are we are people who are implementing machine learning in our system to ease the deployment. So technology is there, we will a little bit shy to talk about it. The industry is arriving everywhere helpers to help us to show off focus on things that we are doing. One of of the elements is to make sure that it is understood what exactly we are doing on the tech natural force we are doing. So suddenly demand is if we want to have to address the challenge of cyber security, when it comes to resources, we absolutely need to have the scaling factor. So we need to be able to rescale people who are already going away. Because we were talking about a rail about rail tech, it means that there is a dimension of real way to be efficient in your job. If you're a cybersecurity person. So then that schools that it's become the duty of the railway company on the OEM to make sure that we have the right level of training exposure of people, which are coming from IT, coming from new cybersecurity coming from other industry that they can become tomorrow, the railway cybersecurity engineers that we need to potentially.

Roark: Yeah, yeah. I love the idea of promoting the high-tech nature of what's going on in the industry. I think sometimes we're not proud enough of what we're doing, and we don't promote it nearly enough. I love your examples. So very much appreciated. So Eddy, let's, let's try to wrap things up, you know, as somebody that is basically responsible for helping build rail tech systems, working with Alstom, you know, what last bit of advice would you give somebody in a rail operator that could be a CISO? Or somebody that's responsible for cybersecurity? What last bit of advice would you want to leave them with their listening?

Eddy: I’ll that keep in mind that we do first railway. So even if I'm a cyber person, in a way, my job first is to make sure that the railway will work. So we need to get it to think about the objective. Why do we do that and not what we do, because if we focus too much on the technology on the solution, we may lose the objectives that we have. I said to my team recently that I read that somewhere I forgot where we feel that we must feel that we have a mission, which is to protect society, protect our way of life, not to do cybersecurity, and will we protect a way of what a way of living people are using trains, are using some ways are using people mover on that day, that is defining the way of living. So we are our mission is to protect that. So then once we have that in mind, if you have as a CISO of an operator, okay, you will start to make your key on prioritize your problems. And again, think about the risk. We talked about people transporting or goods transported, we need to have the risk in mind when we try to address those keys. If I am a CISO of a company, navigator or regulator and I want to be to make a point to make a difference. The best thing is to keep in mind what exactly we are trying to do and what we're trying to regulate, or what we're trying to protect. And then you will see that things will become much more simple to understand.

Roark: Yeah, I think that's a fantastic way to wrap things up, Eddy, which is our job as an industry is to support and protect a way of life, that people rely on trains every single day. And it's our job to continue to protect that.

Eddy: And when you are thinking saying we have this skill gap, how do we attract talent? Obviously, we don't really propose a cybersecurity job we propose to propose a mission which is not the same so people need to embrace that they need to feel that what we do is not as simple as okay I'm the CISO of whatever company. No, you are the CISO of an operator, with transporting people you are a cybersecurity engineer in a company with making trains or making signalling system you are part of a third-party partner with developing a solution to protect railways that's not a simple job. That's a real mission that you have to feel if you want to understand it better go on take the metro, see the metro, to see people who are happy to be in the metro. I don't know people who have a phobia of transport of railway transportation. They can be seen in a plane, car, or boot but that you feel security when you’re on a train you feel okay, that's okay. I will be I will arrive at this nation. And we put people in train without drivers for 20 years, and people are still happy. So I think that our mission is that and if we think about it like that, yes, we will be able to overcome the order of, new people are joining the order of a he order of skill development. Because when you have an issuance, it's much more simple for you to live it.

Roark: Hallelujah Eddy selling a mission, it's a lot easier than selling people on a job. But completely agree. I think that's the way people think these days. 100% agree with it. So keep preaching. I'm right behind you. Eddy, if somebody wanted to get in contact with you or follow you, or the social media platforms you're active on, or what's the best way for somebody to get in contact with you?

Eddy: Several ways, so I am posting from time to time on LinkedIn or Twitter. So I like some time to post or to share some articles and following Alstom, or some accounts on Instagram a bit less than on social media. And of course, we have an email address. So don't hesitate if you have an email to action or discussion. I like discussing and exchanging on the railway. So I'm always open to answering questions or to having conversations with with regulators or with operators or whatever is interested in understanding what is happening in a way more than to get in touch. 

Roark: Awesome. Perfect, Eddy. Well, Eddy, thank you so much for joining us today. I think it was a great conversation. I'm sure people may want to follow up with you. We appreciate your time. And for our audience that is listening today. Thank you for listening. That's the end of our show today. And until next time, keep those tracks secure. 

Share this post


Rails & Resilience: the Convergence of Safety and Cybersecurity | Eddy Thesee | S1E6

icon location
customer icon

The Customer

challenges icon

The Challenges

solution icon

The Solution

Let’s Talk About Securing Your Rail

Our experts will get you back on track

Schedule a Call
Blue right arrowWhite right arrow