Right now, somebody, somewhere could be trying to hack your railway network. And if they are, the chances are you won’t know anything about it until it’s too late.
Cyber-attacks on critical infrastructure are on the rise, and they are becoming more sophisticated. An attack last year on Ukraine’s power grid, believed to be the first cyber-attack confirmed to have caused a power outage, highlights the dangers. Nearly a quarter of a million people were plunged into darkness after hackers seized control of electricity substations.
No railway network has, yet, been the target of an attack on this scale. But there are worrying signs that hackers now have railways in their sights. At least five major rail networks have fallen prey to cyber-attacks over the last year. In most cases, breaches were exploratory and disruption minimal. But the fear is that a determined attacker could cause real harm.
Attributing an attack to a particular actor can prove almost impossible. Hacking covers an enormous spectrum of activity: at one end of the scale there are recreational hackers – thrill-seekers driven by a desire to win prestige among their peers. At the other end are shadowy networks of professional hackers capable of planning and launching persistent, sophisticated attacks.
Between these extremes lies an ocean of potential cyber assailants. Motivations vary. These include everything from blackmail to intellectual property theft, revenge by disgruntled employees and industrial espionage. And there’s growing evidence of politically-motivated attacks carried out by state-sponsored actors.
Defending railway networks against cyber-attacks presents big challenges. The problem is amplified by the rapid shift from analogue to digital technologies. While the efficiency gains of digitalisation are enormous, there are new risks to be managed. Digital systems adopted in recent years often have little in-built security and a growing number are connected to the internet.
“Operators are now using third-party telecoms infrastructure, sometimes for their main business, sometimes as back-up,” says Alexander Szoenyi, Cybersecurity Authority, Thales. “Some systems are linked to the internet via portals. This opens up the risk of hacking.”
Distributed denial-of-service (DDoS) attacks are an example of what can happen when vital resources are reachable over public networks. In a DDoS attack, legitimate users are prevented from reaching a machine or network resource by bombarding it with spurious requests. The requests come from a large number of compromised machines spread across the internet, which is what makes the traffic hard to filter at its source.
“DDoS attacks on network infrastructure are possible because rail providers use the same systems that telcos use and we know that some providers have been hacked in the past,” says Szoenyi.
New networks, new risks
Emerging technologies present an increasing dilemma, particularly in the sphere of communications. On one hand, operators need to minimise the risk of cyber-attacks. On the other, they urgently need to maintain a competitive edge. To do this, they need to be able to take advantage of high-capacity public networks, both fixed and mobile.
This trend is accelerating with the rise of new 4G/LTE mobile networks, which are seen as pivotal in delivering the next generation of train control and passenger information systems. “Customers increasingly ask: can we use LTE for safety-critical infrastructure? This is a big issue,” says Szoenyi.
The interconnected nature of critical systems is also a cause for concern. A DDoS attack, for example, can be used to paralyse an entire communications network, not just the individual resources connected to it. A railway could therefore become a casualty of a DDoS attack even if it was not the intended target.
Human factors add yet another layer of complexity. The rail industry is a major employer: in Europe alone, more than one million people work for rail operators. Many employees now depend on access to operational systems to do their jobs.
As user numbers rise, so do the risks of deliberate or accidental infection of systems. Malware may be introduced via USB sticks or CD-ROMs. But more often than not, it’s lurking in an email attachment waiting to be opened by an unwary user.
The sheer number of employees also increases the opportunities for social engineering attacks – breaches in which users are duped into revealing security details to hackers. The risk is magnified by low levels of cyber awareness among staff in many organisations.
Then there’s the question of controlling access to systems themselves. “There is often no centralised user and group management,” says Szoenyi. “Most of the time, people use the same user name and the same password.”
The current situation is exacerbated by an inability to visualise threats. “If you’re not monitoring your systems, you have a problem because you have no idea what’s going on in your system,” notes Szoenyi.
The ability to tackle all of these challenges is becoming vital as railways seek to maintain their reputation for safety and reliability. On top of this, operators face increasing regulatory pressure to boost cybersecurity standards.
In Europe, for example, the Directive on security of network and information systems (the NIS Directive) will place an obligation on operators of essential services, railways included, to manage cyber risks and to report incidents that have a significant impact. The ability to track, log and monitor flows of data is therefore going to become increasingly important.
Cybersecurity is a multifaceted discipline and countermeasures need to be applied across multiple fronts. Thales is drawing on its security expertise to assist the industry in the fight against cyber-attacks.
Cross-industry initiatives play a vital role in building a safer railway. Thales is working with CENELEC, the European Committee for Electrotechnical Standardisation, on cybersecurity benchmarks. Thales is also participating in the creation of Computer Emergency Response Teams (CERTs) as part of the European Commission’s Shift2Rail programme. “The idea is to build a CERT programme with providers and manufacturers who will be able to share information in future,” says Szoenyi.
New products and solutions are also needed to help rail operators make the most of new technologies while minimising the risk of attacks. Application firewalls are a case in point. “These work by allowing only specific protocols where we recognise the signatures,” explains Szoenyi. “Everything else is blocked.”
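To make the allow-list idea concrete, here is an added example, written for this page and not Thales code, of an application-layer filter that recognises exactly one protocol signature and blocks everything else. It assumes the protected link carries Modbus/TCP, a hypothetical choice standing in for whatever protocol a real interlocking link uses; the MBAP header layout and function codes are the published Modbus ones, the read-only allow-list and the size limits are this example's own policy, and the sample frames are constructed rather than captured.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Allow-listed Modbus/TCP function codes: read-only operations only.
// Write functions (0x05, 0x06, 0x0F, 0x10, ...) are simply absent, so they
// are blocked by default instead of each needing its own deny rule.
var allowedFunctions = map[byte]string{
	0x01: "Read Coils",
	0x02: "Read Discrete Inputs",
	0x03: "Read Holding Registers",
	0x04: "Read Input Registers",
}

// Inspect applies default-deny filtering to one TCP payload. It returns true
// only when the payload matches the Modbus/TCP signature exactly and uses an
// allow-listed function code; the string explains the verdict for the log.
func Inspect(frame []byte) (bool, string) {
	// MBAP header: transaction id (2), protocol id (2), length (2), unit id (1),
	// followed by the PDU, whose first byte is the function code.
	if len(frame) < 8 {
		return false, "blocked: too short for MBAP header plus function code"
	}
	if binary.BigEndian.Uint16(frame[2:4]) != 0 {
		return false, "blocked: protocol id is not Modbus (0x0000)"
	}
	// The length field counts unit id + PDU, i.e. everything after byte 6.
	if int(binary.BigEndian.Uint16(frame[4:6])) != len(frame)-6 {
		return false, "blocked: MBAP length does not match frame size"
	}
	fc := frame[7]
	name, ok := allowedFunctions[fc]
	if !ok {
		return false, fmt.Sprintf("blocked: function code 0x%02x not on allow-list", fc)
	}
	// Every allowed read carries exactly: fc (1) + start address (2) + quantity (2).
	pdu := frame[7:]
	if len(pdu) != 5 {
		return false, fmt.Sprintf("blocked: malformed %s request", name)
	}
	qty := binary.BigEndian.Uint16(pdu[3:5])
	limit := uint16(125) // max registers per read for 0x03/0x04
	if fc == 0x01 || fc == 0x02 {
		limit = 2000 // max coils/discrete inputs per read
	}
	if qty == 0 || qty > limit {
		return false, fmt.Sprintf("blocked: %s quantity %d out of range", name, qty)
	}
	start := binary.BigEndian.Uint16(pdu[1:3])
	return true, fmt.Sprintf("allowed: %s, %d items from 0x%04x", name, qty, start)
}

// samples is constructed traffic for the demo, not a capture from a real network.
var samples = [][]byte{
	// txn 1, proto 0, len 6, unit 1, fc 0x03, start 0, qty 10: legitimate poll
	{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x00, 0x00, 0x0a},
	// fc 0x06 Write Single Register: a command, not on the allow-list
	{0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x01, 0x06, 0x00, 0x10, 0xff, 0xff},
	// fc 0x01 asking for 0x0fff coils: exceeds the 2000 limit
	{0x00, 0x03, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, 0x00, 0x0f, 0xff},
	// not Modbus at all: the protocol id bytes are "T "
	[]byte("GET / HTTP/1.1\r\n"),
	// length field (0x20) disagrees with the actual frame size
	{0x00, 0x04, 0x00, 0x00, 0x00, 0x20, 0x01, 0x03, 0x00, 0x00, 0x00, 0x01},
}

func main() {
	for _, f := range samples {
		ok, why := Inspect(f)
		fmt.Printf("%-5v %s\n", ok, why)
	}
}
```

Only the first sample passes. The point of the structure is that nothing is ever allowed because it failed to match a deny rule: a frame is allowed only when it matches a known signature in full, including a length field that is consistent with the bytes actually received, and a function code that is explicitly listed.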
In addition to this, monitoring solutions are needed to detect, analyse and visualise attacks on systems. These allow operators to identify the type and location of incidents. Pre-defined countermeasures can then be initiated.
Data diodes are a vital component of monitoring systems. A data diode is a hardware-enforced one-way link: log data can flow out of the critical network towards the monitoring side, but there is no physical return path, so the monitoring network can never be used as a route back into the critical systems. “Data diodes make it possible to gather log data from critical systems while preventing anybody from coming back and attacking you,” says Szoenyi. The absence of a return path also means there are no acknowledgements, so the receiving side has to detect lost or corrupted data on its own.
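What the missing return path means in practice is easiest to see in code. The following is an added example, not part of the original article or of any Thales product, of the framing a sender might put on log lines pushed through a diode and of the gap and corruption checks the receiver then needs. The wire format, the Receiver type and the interlocking log lines are all constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Wire format of one frame crossing the diode, forward direction only:
//   4-byte sequence number | 4-byte CRC-32 of payload | payload (one log line)
// There is no acknowledgement path, so the sender cannot retransmit; the
// receiver must detect loss and corruption by itself.
const headerLen = 8

// Frame builds one forward-only frame from a log line.
func Frame(seq uint32, line string) []byte {
	buf := make([]byte, headerLen+len(line))
	binary.BigEndian.PutUint32(buf[0:4], seq)
	binary.BigEndian.PutUint32(buf[4:8], crc32.ChecksumIEEE([]byte(line)))
	copy(buf[headerLen:], line)
	return buf
}

// Receiver sits on the monitoring side of the diode.
type Receiver struct {
	next   uint32   // next expected sequence number
	Lines  []string // log lines accepted, in order
	Alerts []string // gaps and corruption, for the monitoring dashboard
}

var errCorrupt = errors.New("crc mismatch")

// Accept processes one frame. It never replies; it only records what it saw.
func (r *Receiver) Accept(pkt []byte) error {
	if len(pkt) < headerLen {
		r.Alerts = append(r.Alerts, "runt frame discarded")
		return errCorrupt
	}
	seq := binary.BigEndian.Uint32(pkt[0:4])
	want := binary.BigEndian.Uint32(pkt[4:8])
	payload := pkt[headerLen:]
	if crc32.ChecksumIEEE(payload) != want {
		r.Alerts = append(r.Alerts, fmt.Sprintf("seq %d: corrupted payload discarded", seq))
		return errCorrupt
	}
	if seq < r.next {
		r.Alerts = append(r.Alerts, fmt.Sprintf("seq %d: duplicate frame ignored", seq))
		return nil
	}
	if seq > r.next {
		// Loss is silent on a one-way link: the only evidence is the gap.
		r.Alerts = append(r.Alerts, fmt.Sprintf("gap: seq %d..%d missing", r.next, seq-1))
	}
	r.next = seq + 1
	r.Lines = append(r.Lines, string(payload))
	return nil
}

// sourceLines are constructed interlocking log lines, not from a real system.
var sourceLines = []string{
	"2016-05-01T10:00:00Z interlocking-7 route R12 set by operator op42",
	"2016-05-01T10:00:03Z interlocking-7 signal S3 cleared",
	"2016-05-01T10:00:09Z interlocking-7 point P5 detection lost",
	"2016-05-01T10:00:10Z interlocking-7 login failed user admin from 10.9.8.7",
	"2016-05-01T10:00:12Z interlocking-7 point P5 detection restored",
}

// Run simulates a burst across the diode: frame 2 is lost on the link and
// frame 3 is corrupted on the wire. It returns the receiver for inspection.
func Run() *Receiver {
	r := &Receiver{}
	for i, line := range sourceLines {
		pkt := Frame(uint32(i), line)
		switch i {
		case 2:
			continue // dropped by the link; the sender never learns this
		case 3:
			pkt[len(pkt)-1] ^= 0xff // single-byte corruption
		}
		r.Accept(pkt) // any error is already recorded in r.Alerts
	}
	return r
}

func main() {
	r := Run()
	for _, l := range r.Lines {
		fmt.Println("LOG  ", l)
	}
	for _, a := range r.Alerts {
		fmt.Println("ALERT", a)
	}
}
```

The receiver ends up with three of the five lines and two alerts, one for the corrupted frame and one for the gap. Those alerts are the only way anyone will ever learn that the failed-login line was lost, which is why sequence numbers and a checksum are not optional on a diode feed: without them the monitoring side would simply see a quieter-than-usual interlocking.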
Communications between critical systems need to remain secure at all times. Point-to-point encryption plays a vital part in making this possible. This solution is attractive because implementation is rapid and causes little disruption: the protection is layered onto the existing link rather than requiring the control systems themselves to change. “This approach can be used to encrypt communications between a control centre and an interlocking, for example,” says Szoenyi. “It also logs what’s happening.” For control traffic, the authenticity and integrity of each message matter at least as much as its confidentiality: an attacker who can inject or replay a command to an interlocking is far more dangerous than one who can merely read it, so the link protection has to authenticate every message and reject replays, not just scramble the bytes.
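An added example, illustrative code rather than Thales's product, of what point-to-point protection of a control-centre-to-interlocking link needs to provide: AES-GCM authenticated encryption, a per-direction key so that the two directions cannot be confused, a counter that serves both as the nonce and as the replay check, and a log entry per message. The Link type, the cc->ixl direction label, the SET ROUTE command text and the pre-shared key are assumptions made for the example, and the key derivation is a plain hash where a real deployment would use a proper KDF and key management.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one side's view of one direction of a point-to-point channel.
// Each direction gets its own key and its own counter, so a nonce can never
// repeat under a key and a message can never be reflected back the other way.
type Link struct {
	aead cipher.AEAD
	dir  []byte   // associated data: binds every message to its direction
	sent uint64   // sender side: last counter used
	seen uint64   // receiver side: highest counter accepted
	Log  []string // one entry per message sent or received
}

// NewLink derives a direction-specific AES-256-GCM key from a link key that is
// ASSUMED to be pre-shared at commissioning time. The derivation is a plain
// hash for the demo; a real deployment would use a proper KDF and key rotation.
func NewLink(linkKey []byte, dir string) (*Link, error) {
	material := append(append([]byte{}, linkKey...), []byte("link:"+dir)...)
	k := sha256.Sum256(material)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, dir: []byte(dir)}, nil
}

var (
	ErrReplay = errors.New("replayed or out-of-order counter")
	ErrAuth   = errors.New("authentication failed")
)

// nonceFor places the 64-bit counter in the low bytes of the 96-bit GCM nonce.
func (l *Link) nonceFor(ctr uint64) []byte {
	n := make([]byte, l.aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], ctr)
	return n
}

// Seal outputs: 8-byte counter || ciphertext || GCM tag.
func (l *Link) Seal(plaintext []byte) []byte {
	l.sent++
	out := make([]byte, 8, 8+len(plaintext)+l.aead.Overhead())
	binary.BigEndian.PutUint64(out, l.sent)
	out = l.aead.Seal(out, l.nonceFor(l.sent), plaintext, l.dir)
	l.Log = append(l.Log, fmt.Sprintf("%s tx #%d %d bytes", l.dir, l.sent, len(plaintext)))
	return out
}

// Open authenticates first and checks the counter second, so that a forged
// counter cannot move the replay window forward.
func (l *Link) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8+l.aead.Overhead() {
		return nil, ErrAuth
	}
	ctr := binary.BigEndian.Uint64(msg[:8])
	pt, err := l.aead.Open(nil, l.nonceFor(ctr), msg[8:], l.dir)
	if err != nil {
		l.Log = append(l.Log, fmt.Sprintf("%s rx #%d REJECTED: tampered or wrong key", l.dir, ctr))
		return nil, ErrAuth
	}
	if ctr <= l.seen {
		l.Log = append(l.Log, fmt.Sprintf("%s rx #%d REJECTED: replay", l.dir, ctr))
		return nil, ErrReplay
	}
	l.seen = ctr
	l.Log = append(l.Log, fmt.Sprintf("%s rx #%d ok: %q", l.dir, ctr, pt))
	return pt, nil
}

// Run walks one exchange: the control centre sends a route command, the
// interlocking accepts it, then a replayed copy and a tampered copy are refused.
func Run() (accepted []byte, replayErr, tamperErr error, entries []string) {
	key := []byte("constructed demo link key, 32B!!") // placeholder, not a real key
	cc, _ := NewLink(key, "cc->ixl")  // control centre, sending side
	ixl, _ := NewLink(key, "cc->ixl") // interlocking, receiving side
	msg := cc.Seal([]byte("SET ROUTE R12"))
	accepted, _ = ixl.Open(msg)
	_, replayErr = ixl.Open(msg)
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr = ixl.Open(tampered)
	return accepted, replayErr, tamperErr, ixl.Log
}

func main() {
	pt, r, t, entries := Run()
	fmt.Printf("accepted: %q\nreplay: %v\ntamper: %v\n", pt, r, t)
	for _, e := range entries {
		fmt.Println("LOG", e)
	}
}
```

Two design choices are worth noting. The counter is strictly increasing, so a reordered message is refused along with a replayed one; that is acceptable on a point-to-point link carried over TCP, whereas a lossy datagram transport would need a sliding window instead. And the direction label is fed in as associated data with its own derived key, so a message captured on the control-centre-to-interlocking leg fails authentication if it is played back on the return leg.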
Above all, there’s a need to build awareness with simulation exercises. These help crisis teams to better understand the risks they face and fine tune their response to cyber-attacks. “Railway networks and operators have a deeply ingrained culture of safety,” concludes Szoenyi. “But often they do not fully realise where the new risks lie.”