The railways sector has in recent years been plagued with mounting cybersecurity risks following the adoption of digital technologies. The interconnected information and operational technology-based networks of physical devices come embedded with sensors and software that have the capability to connect with each other, and other devices, over the internet.
Airbus Cybersecurity identifies the rising digital transformation in the railways as ‘an increasing source of concern for train operating company (TOC) executives as these risks affect businesses directly,’ it said in a blog post.
Railways have been identified as one of the critical national infrastructure sectors, while the TOCs are classified as ‘operators of essential services’ (OES) under the NIS Directive. This has led to appropriate and proportionate organizational and technical measures, which can be implemented by managing cyber and business risks to ensure the essential service they supply is resilient to incidents.
The NIS Directive covers both undertakings responsible for the transport of goods and passengers by rail and the infrastructure managers, who are responsible for the operation and maintenance of the railway infrastructure including traffic management, control and signaling, station operation, and train power supply.
Rail operators should start building their cybersecurity risk strategy and choose a roadmap that could vary from months to years depending on the organization’s size and scale, according to Airbus. Moreover, rail operators need to create a platform for information sharing about cybersecurity and create a committee to involve different stakeholders from across the industry to be part of implementing cybersecurity, in order to achieve the overall targets for the rail sector within the nation or the region, it added.
Railroads are essential to the national economy, and their connected framework introduces a higher potential for financial loss, operational disruption, or damage from failures of the technologies employed for railroad informational and/or operational functions, according to a ‘Cyber Security Risk Management for Connected Railroads’ report from the U.S. Department of Transportation Federal Railroad Administration. These risks arise from unauthorized access, use, disclosure, disruption, modification, or destruction of such technologies, it added.
Each ‘rail internet of things’ (RIoT) application may have its own security loopholes and breach points, which require specific risk management strategies, the report pointed out. It selects three representative use cases, including Advanced Train Control System (ATCS), remote-controlled movable rail bridges, and Positive Train Control (PTC) systems.
General cybersecurity risk mitigation objectives are confidentiality, integrity, and availability, the report said. It is practically impossible to draw a universal conclusion about the cybersecurity vulnerability and profile of all possible systems in the U.S. Instead, use-case-specific risk analysis built upon a consistent methodological framework could help government, academia, and industry work collaboratively to manage the cybersecurity risks associated with connected railroad technologies, the report concluded.
The increasing degree of connectivity of the infrastructure and rolling stock is significantly increasing their attack surface, according to the French rail safety authority, l’établissement public de sécurité ferroviaire (the EPSF), in a white paper.
“Nevertheless, this connectivity offers higher levels of performance in terms of supervision and updating, but must be perfectly controlled and cyber-secured by the manufacturers, equipment manufacturers and operators,” it added.
The European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages raising the awareness of railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the participants.
Cybersecurity is now a major concern for National Safety Authorities. The Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA.
An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing for identified threats to be instantly shared with targeted railway stakeholders. Shift2Rail is a joint undertaking that works to deliver, through railway research and innovation, the capabilities to bring about sustainable, cost-efficient, high-performing, time-driven, digital, and competitive customer-centered rail transport for Europe.
The supply chain is another key area that TOCs need to be aware of, as vulnerabilities are introduced in the railways framework. The supply chain is typically made up of IMs, rolling stock leasing companies (ROSCOs), entities in charge of maintenance (ECMs), train builders, and TOCs’ vendors. A security vulnerability in one entity within the supply chain can be transmitted up the supply chain and lead to a risk that operators will be responsible for.
The adoption of new IP-enabled devices within rail systems and the need to run these new technologies alongside the existing legacy systems add a new level of infrastructure complexity, according to Airbus, in a whitepaper focused on the information and operational technology (IT and OT) domains within the rail industry. Therefore, IT and OT networks within the rail sector could be made more vulnerable to cyberattacks, and multiple types of cyberattacks can be initiated by exploiting these vulnerabilities.
The likely impact of cyberattacks on the railways includes delays in service and timetables that have high-cost implications. Hackers could also hijack the control systems, resulting in loss of train operation monitoring and malfunction of the signaling or SCADA (supervisory control and data acquisition) systems and other wayside devices such as switch controllers.
The main threat actors targeting the railway sector are either criminals with a financial motivation using ransomware as their main attack vector or hackers seeking to disrupt or damage operations, such as disgruntled employees or politically motivated groups, according to Saif Shariff in an Orignix blog post. In addition to cybersecurity risks, attacks against the physical security of railway infrastructure should also be considered, he added.