"I predict the next challenge is how we protect our systems from the new and unfolding threat of aggressive cyber-attacks from some very unsavoury characters.”
National governments all over the world are now acutely aware of the threat that cyber-attacks pose to their countries’ infrastructure and are taking steps to protect their citizens. Many have already introduced new standards and guidelines for both rolling stock and infrastructure; the US has issued an Executive Order for the Enhancement of National Cybersecurity and, in the UK, a new mandatory framework will come into force in May 2018. SmartRail World found out more from the transport cybersecurity specialist RazorSecure about what changes are needed to protect rail operators. Ahead of the introduction of these regulations, changes are already being seen, with more stringent cyber-requirements being included in tenders for new trains. Train operators understand that they must comply with the laws, but they also see the huge threat to brand value that would result from a successful attack.
"The new cyber-guidelines coming into play have a common theme; namely, that ‘walls don’t work’."
The broadening of on-board services beyond passenger Wi-Fi to more complex systems involving infotainment, CCTV and real-time information is also increasing the need for enhanced security solutions to deal with the myriad threats. With security protocols already in place within other aspects of organisations, adequately safeguarding the vehicle fleet itself is a timely demand.
The new cyber-guidelines coming into play have a common theme; namely, that ‘walls don’t work’. Throughout the industry, there is a tacit admission that the protection of critical assets will need more than just using traditional methods such as firewalls, Virtual Private Networks (VPNs) and authentication. A single line of defence is often not enough because if one back-door is found, an intruder can exploit it to enter the whole system. It’s also widely accepted that cybersecurity is a process, rather than a binary on/off state; for rail operators, becoming secure is an ongoing development of testing, evaluating and deploying new defences. This layered approach, known as ‘Defence in Depth’, provides active protection and is recognised as the best way to secure the core of the systems, especially when outer layers (such as firewalls) have been breached.
In this framework, a variety of methods and tools are used together in synchronisation to form a more powerful protective web around a network. Active protection that will ‘Monitor, Detect, Report and Protect’ (MDRP) is agreed to be the gold standard defence when supported by regular auditing and a security operations centre (SOC). The transport industry is increasingly viewed as a viable target for cybercriminals; traction systems, train control systems, passenger information systems and station infrastructure are all potentially at risk. Cyber-criminals may decide to attack ticket machines, passenger information displays and passenger Wi-Fi systems.
However, providers of these systems face a dilemma; how to comply with the new standards without replacing or adding more hardware? Trains can’t be updated like data centres and have a unique set of requirements that can’t be met with traditional solutions alone. RazorSecure, the Transport Cybersecurity Specialist, has developed a purely software-based, MDRP solution called RazorSecure Delta. RazorSecure Delta protects the core when the wall has been breached. The software uses sophisticated machine-learning to actively protect the systems on trains and many other forms of transport, whether they are connected or not. RazorSecure work with existing system suppliers, such as Icomera, to implement active security at a fraction of the cost of hardware-based versions.
To address the need for regular auditing, RazorSecure (@razorsecure) will be launching RazorSecure Edge, a remote penetration testing unit which removes the need for a pen test consultant to visit the train or the site. Robert Brown, RazorSecure Executive Chairman, commented that “from working on the first passenger Wi-Fi systems a decade ago, the focus has moved from passengers to other applications that can exploit the use of the bandwidth. I predict the next challenge is how we protect our systems from the new and unfolding threat of aggressive cyber-attacks from some very unsavoury characters.”
Icomera has installed systems on thousands of trains around the globe and their networks carry more than 37 TB per day, primarily from more than half a million passengers using on-board Wi-Fi. Naturally, cybersecurity is an extremely important consideration and Icomera systems already have a high degree of protection built into them. However, they too see the merit in the Defence in Depth approach. As Daniel Jaeggi, Head of Business Development at Icomera (@icomera), explains, “The world is changing quite rapidly: cybersecurity threats are becoming extremely sophisticated and more and more systems are being connected to our on-board networks, increasing the attack footprint. At the same time, customers are putting in place more robust cybersecurity processes, mostly in response to a greater awareness of the risks and financial impact from cyber-attacks. So, we’re seeing strong demand for higher levels of assurance and monitoring, and we’re working closely with customers and providers such as RazorSecure to meet this need.”
At the heart of the Defence in Depth approach is the assumption that any system, no matter how well engineered or secured, may be vulnerable to a cyber-attack. Better engineering can only take you so far; active monitoring and second-line protection are needed to enhance network security. This can be a hard concept to fully grasp. However, as Daniel Jaeggi points out, this assumption of fallibility is common in many other areas where security and safety are paramount: “When you board a flight, your pilot can be the best in the world, but all the safety systems and processes are designed around the idea that he or she will make mistakes or systems fail that shouldn’t. Things go wrong, that shouldn’t be a problem in itself, it’s how you deal with them and what backup you have. That’s what keeps you safe!”
This shift in thinking is required to bring on-board networks up to the next level of security, and both RazorSecure and Icomera are already jointly offering rail operators enhanced, software-based protection which integrates seamlessly with existing on-board hardware. Through deploying additional protective tools and actively monitoring a system, businesses will benefit from increased Defence in Depth and become better equipped to detect and respond to cyber-attacks in the future.
For more about RazorSecure's work and how they can help keep you safe, please visit: www.razorsecure.com