Technological and cultural change
Railway systems form an integral part of the transport system and as such are seen as part of the critical infrastructure in many countries. Cyber threats to railway networks are assuming increased importance as the digitization of railway control systems grows.
Signalling and train control systems have relied on various types of switches for a long time. These are essentially closed proprietary systems protected by so-called air gaps.
The traditional air-gap protected systems are not immune to attacks. In 2008, a 14-year old Polish teenager used a modified TV remote control to interfere with the tram track and point system in the city of Lodz. Four vehicles were derailed and 12 people injured in the process.
The railway sector is now introducing open systems that are based on technologies such as general packet radio service (GPRS) and long-term evolution (LTE) for mobile communications, and IP. These systems, being open, represent a technological and a cultural shift.
However, computer-based systems have introduced the additional dimension of cyber threats. This means that cyber security becomes a concern and must be integrated from the beginning.
In November 2016, the San Francisco Municipal Transportation Authority (SFMTA) was the target of a ransomware attack. Its information systems were encrypted and the operator was forced to disconnect its fare gates and ticket vending machines, resulting in financial losses.
In May 2017, German rail operator Deutsche Bahn was affected by the WannaCry ransomware attack. While this resulted in its electronic boards being switched off in some stations, its train services were not disrupted.
Growing awareness of cyber threats to the railway sector has been highlighted by a range of international initiatives and conferences. A special session on Cyber Security in Rail within the framework of the Intelligent Rail Summit 2017 organized in Vienna in November 2017 by RailTech, a global platform for rail professionals, looked at a range of aspects. This session, attended by e-tech, listed issues in the cyber threat sphere and measures to address them, among them the use of IEC Standards.
Wide range of potential attackers
The main threat to railway (and other transport) systems does not come from the so-called script-kiddies, like the Polish teenager who hacked the Lodz tram system, but from four different groups of perpetrators in two categories:
- Criminals who try to extort money, with ransomware being the main tool. This has become a business model with different types of malware being developed and either sold or rented.
- Others who are determined to disrupt or damage operations. They include:
- Disgruntled or sacked employees with access (including physical) to computer systems
- Terrorists and politically-motivated groups
- Possible state actors
Physical attacks should not be discounted. In September 2016, the Chicago air traffic control centre was closed by a massive fire set by a disgruntled contractor. Thousands of flights were disrupted across the US. Attacks can take a hybrid form that combines physical and cyber attacks.
Prevention of physical attacks, which are often carried out through unauthorized access, can be ensured by applying International Standards developed by IEC Technical Committee (TC) 79: Alarm and electronic security systems, and by ISO/IEC Joint Technical Committee (JTC) 1/Subcommittee (SC) 17: Cards and personal identification.
Enclosures containing electronic and control equipment installed in remote places along tracks present physical and cyber vulnerabilities.
Protecting railway infrastructure from cyber threats
The digitization of the railway sector and the move from electromechanical to digital IP-enabled technology is being encouraged by the European Union in the form of the European Rail Traffic Management System (ERTMS).
ERTMS is a system of standards for the management and interoperation of signalling for railways, which is being adopted not just in Europe, but beyond: in several African countries, in Brazil, Mexico, many Middle Eastern and Asian countries including China and India, and Australia.
Industrial automated control systems (IACS), are no longer isolated from the outside, and railway systems are increasingly interconnected thanks to automatic train operation (ATO) and as part of intelligent transport systems, François Hausman, Alstom Main Line cyber defence manager and Shift2Rail cyber security WP leader told the conference. Cyber attacks on industrial control systems increased by more than 600% between 2012 and 2014, he said, bringing with them severe financial and safety concerns.
Railway specifics, such as electronic components scattered along tracks or trains, a very long life cycle (in excess of 25 years), diversity both of supply chain and technology and other characteristics make this a complex domain.
IEC TC 9: Electrical equipment and systems for railways, established in 1924, develops International Standards for the railway sector which includes rolling stock, fixed installations, management systems (including communication, signalling and processing systems) for railway operation.
IEC TC 9 is a member of the IEC Advisory Committee on Information security and data privacy (ACSEC). In support of its activity in ACSEC, it set up an ad hoc group (TC 9/AHG 20), to "Study ACSEC Guide 120 in view of implications on the work of TC 9."
CENELEC TC 9X, the IEC TC 9 mirror committee in the European Committee for Electrotechnical Standardization (CENELEC), has a dedicated Working Group, CLC/TC 9X/WG 26: IT-Security / Cybersecurity in the railway sector.”
Automated, wireless signals more efficient, but open to new threats
“The automotive sector has woken up to the critical need for cyber protection. It’s time the railway industry got on board as well,” says Amir Levintal, CEO of Israel-based specialized rail cyber security company Cylus. “The current approaches to cybersecurity do not fit the architecture of railway networks today,” Levintal told the Global Railway Review.
Levintal sees new signalling systems as especially vulnerable to hackers. These systems “are the heart of safety-critical train operations. They have also become more and more automated over the past few years – and are now operated wirelessly,” he explains.
“In the worst-case scenario, hackers could send commands to the train causing them to slow down, stop completely, or even accelerate on curves so that the train would be unable to align itself with the switches on the track. All of these scenarios could lead to disaster,” Levintal warns.
IEC Standards for IACS central to railways
Shift2Rail, an initiative that brings together key European railway stakeholders to achieve a single European railway area, is looking at defining how different aspects of cyber security should be applied to the railway sector. It has assessed applicable standards and selected the IEC 62443 series for the following reasons (and others):
- it is a set of Standards dedicated to IACS
- it addresses product and system life cycles
- it covers security risk assessment processes
- it defines security levels based on functional security requirements
- it is used by other critical infrastructures
The choice of IEC 62443 was also highlighted by ERTMS Cyber Security Lead Engineer Sharvind Appiah at a workshop organized by the Railway Gazette. "There’s no reason to develop new standards for railways. There are already many standards for cyber security, whether they are NIST [the US National Institute of Standards and Technology] or ISO/IEC standards (…). The challenge is to see which of these fit in the railway context. That’s what we’re doing in Shift2Rail; we’re looking at industry standards, which means IEC 62443, a complete set of Standards designed for IACS, but we apply them in the railway context."
"For me this is a smart way to bridge the gap. It avoids forcing us to go through the R&D phase, where we have to rewrite the standards. We have standards there; it’s a matter of adopting them and learning how to use them."
The fact that IEC 62443 is emerging as a core set of Standards for the railway sector was highlighted by other speakers at the Vienna conference, in particular by David Rogers of Siemens in his presentation: "IEC 62443: A cyber security Standard approaching the Rail IoT."
The set of Standards involves the three major stakeholders in the protection of plants against cyber attacks: asset owners, system integrators and product suppliers, Rogers said. A key concept of IEC 62443 is that security requires a set of coordinated measures to be taken, an approach generally described as defence-in-depth.
The fact that IEC 62443 is being widely adopted is illustrated by the German standard DIN VDE V 0831-104; VDE V 0831-104:2015-10: Electric signalling systems for railways – Part 104: IT Security Guideline based on IEC 62443 (62443-3-3:2013)
All countries are introducing cyber security measures in the rail sector
The UK Department for Transport has issued a guidance document which is designed to support the rail industry in reducing its vulnerability to cyber attack. It is designed to be high-level and sets out the principles and general approach to cyber security as good practice. It does not provide detailed instructions.
Standards mentioned in a recent public consultation document by the Australian Standard Rail Industry Safety and Standards Board (RISSB) include, in addition to IEC 62443, the ISO/IEC 27000 family of Standards on IT Security Techniques, as well as ISO/IEC Technical Reference (TR) 15443-1:2012 and ISO/IEC TR 15443-2:2012, Information technology – Security techniques – Security assurance framework.
As railway systems will rely increasingly on mobile communication, connected devices and IP networks, the incidence of cyber attacks from a variety of actors is likely to increase.
International standards, in particular IEC Standards such as the IEC 62443 series, will provide an all-inclusive approach to information technology (IT) and operational technology (OT) security and will be central to protecting IACS from cyber threats.