Technology is playing an increasingly important role in enabling advancements in railway operations and safety. The introduction of digital solutions has helped the railways increase efficiency and reliability and enhance the customer experience. Besides the apparent benefits and opportunities, technology also introduces novel challenges, risks, and vulnerabilities. Critical railway infrastructure is now accessible through the internet and can be targeted by cybercriminals. Hence, the demand for robust cybersecurity solutions to safeguard critical railways infrastructure against cyber threats is growing. A recent report notes, “the railway cybersecurity market was valued at US$ 5,916.6 million in 2019 and is expected to reach US$ 11,001.4 million by 2027.”
Cybersecurity is essential for a safe digital railway sector
Railways are an integral part of national and global transportation systems. It is no wonder that they are considered as critical infrastructure in many countries. For example, in the European Union, the railway sector is identified as an Operator of Essential Services (OES) following the EU NIS Directive. The NIS Directive covers both the undertakings responsible for the transport of goods and passengers by rail and the infrastructure managers, who are responsible for the operation and maintenance of the railway infrastructure, including traffic management, control and signaling, station operation, and train power supply. To address the cyber-enabled challenges and be compliant with the requirements of the NIS Directive, these entities need to establish cybersecurity measures.
In fact, cybersecurity is becoming an essential topic for railway operators. The number of cybersecurity incidents during the past five years indicate that criminals are taking advantage of the sector’s digital transformation and are exploiting the new vulnerabilities:
- In November of 2016, the San Francisco Municipal Transportation Authority (SFMTA) was targeted by a ransomware attack, which resulted in the encryption of their information systems and the disruption of ticketing services.
- In October of 2017, the Swedish Transport Administration suffered a DDoS attack which affected the I.T. system that monitors trains’ locations. As a result, train traffic and other services had to be managed manually, using back-up processes.
- In May of 2017, German rail operator Deutsche Bahn was affected by the WannaCry ransomware
- In May 2020, the Swiss rail vehicle manufacturer Stadler was hit by a malware attack that may have allowed attackers to steal sensitive company data.
- In July 2020, the Spanish Infrastructure Manager ADIF was hit by a ransomware attack exposing gigabytes of personal and business data.
The main threat actors targeting the railway sector are either criminals with a financial motivation using ransomware as their main attack vector or actors seeking to disrupt or damage operations, such as disgruntled employees or politically motivated groups. In addition to cybersecurity attacks, attacks against the physical security of railway infrastructure should also be considered. For example, in September 2016, the Chicago air traffic control center was closed by a fire set by a disgruntled contractor, resulting in thousands of flights being canceled across the U.S.
Impact of cyber-attacks on railways
Recent research by the U.S. Federal Railroad Association notes that digital signaling systems seem to be the most vulnerable to cyber-attacks. In Europe, the digitization of signaling for railways is implemented by the European Rail Traffic Management System (ERTMS), which harmonized all the different protocols used throughout the various European railway operators. In North America, the Advanced Train Control System (ATCS) is a radio code line system used to control the railway traffic to prevent unsafe train movements and catastrophic collisions.
Despite the fail-safe design of these systems, there are potential risk scenarios that attackers can exploit to disrupt safety-critical train operations. Criminals could hijack these mission-critical control systems to result in:
- Loss of train operation monitoring
- Malfunction of the signaling/SCADA systems
- Malfunction of wayside devices (e.g., switch controllers) due to cyber attacks
In any case, disrupting the operation of signaling systems could lead to disaster.
Challenges to railway cybersecurity
As with any effort to secure Operational Technology (OT) against cyber-enabled risks and consequences, the establishment and enforcement of adequate cybersecurity measures face various challenges. A recent report by the EU Cybersecurity Agency (ENISA) notes that “railway stakeholders must strike a balance between operational requirements, business competitiveness, and cybersecurity, while the sector is undergoing digital transformation.”
The same report highlights the key cybersecurity challenges faced by the sector, including:
- Low level of staff cybersecurity awareness
- Conflicts between safety and cybersecurity requirements
- Procurement of cyber-enabled components in support of critical services
- Supply chain risks
- Support and integration of legacy systems
- Complex cybersecurity requirements
Towards an effective cybersecurity posture
To address these challenges and secure the railway sector against emerging cyber threats, railway organizations need to adopt a proactive, risk-based approach to identify threats and implement appropriate measures. Shift2Rail, a European Union initiative of all European railway stakeholders, has identified the best practice is to leverage the benefits of the ISA/IEC 62443 standard.
CYRail, a project under the European Union’s Horizon 2020 research and innovation program, has proposed “a methodology for assessing the risks, adapted to the rail system environment, based on IEC 62443 standard complemented with many concepts from ETSI TVRA.” The scope of the assessment is to analyze past and current threats, including those arising due to increased system interconnection and openness.
While early threat and anomaly detection is important for safeguarding against imminent attacks, railway organizations should implement a series of mitigation strategies that focus on six themes:
- System Administration
- Application Security
- Network Security
- Data Protection
- Device Security (includes cyber-physical: sensors, actuators, etc)
Figure 1: Cybersecurity Mitigation Strategies. Source: CYRail
However, the implementation of cybersecurity measures will not be sufficient if it is not backed by cybersecurity aware people. Therefore, railway operators should provide regular cybersecurity training and awareness programs to their employees to ensure that they are aware of their roles and responsibilities.
Giannis Kostakis, ICT Security Consultant at European Union Agency for Railways (ERA), says that “Strong security culture and top-down support from the management can always help to outperform. A tailored security improvement program based on recognized standards has to be developed and maintained to enhance proactive controls.”
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial and rail systems. We utilize systematic cyber and operational risk assessment using well-established techniques and templates. Our cyber Process Risk Assessment (cyberPRA) methodology is based on ISA/IEC 62443 and IEC 61511 industry standards, and includes cyber Hazard and Operability (cyberHAZOP) analysis. The assessment identifies potential gaps, hazards, vulnerabilities, independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on realistic cost-benefit analysis.
To learn how our customers benefit, visit our website.
Authors note: This blog was co-authored between Saif Shariff and Anastasios Arampatzis.