Protecting railway networks from cyber threats

Rail networks, as integral parts of critical infrastructure, continue to come under cyber attack

By Morand Fachot

Railways and metro systems have been the subject of a spate of cyber attacks in recent years. Although no major accidents or casualties have been reported so far, it is likely that the problem will get worse and affect safety. As train signalling and control systems move from what were essentially closed systems to open ones based on mobile communication and IP (internet protocol) technologies, cyber security becomes ever more important. IEC International Standards will play a major role in this sector.

Shinkansen driver cabin Inside the drive cabin of a Shinkansen

Technological and cultural change

Railway systems form an integral part of the transport system and as such are seen as part of the critical infrastructure in many countries. Cyber threats to railway networks are assuming increased importance as the digitization of railway control systems grows.

Signalling and train control systems have relied on various types of switches for a long time. These are essentially closed proprietary systems protected by so-called air gaps.

The traditional air-gap protected systems are not immune to attacks. In 2008, a 14-year old Polish teenager used a modified TV remote control to interfere with the tram track and point system in the city of Lodz. Four vehicles were derailed and 12 people injured in the process.

The railway sector is now introducing open systems that are based on technologies such as general packet radio service (GPRS) and long-term evolution (LTE) for mobile communications, and IP. These systems, being open, represent a technological and a cultural shift. 

However, computer-based systems have introduced the additional dimension of cyber threats. This means that cyber security becomes a concern and must be integrated from the beginning.

In November 2016, the San Francisco Municipal Transportation Authority (SFMTA) was the target of a ransomware attack. Its information systems were encrypted and the operator was forced to disconnect its fare gates and ticket vending machines, resulting in financial losses.

In May 2017, German rail operator Deutsche Bahn was affected by the WannaCry ransomware attack. While this resulted in its electronic boards being switched off in some stations, its train services were not disrupted.

Growing awareness of cyber threats to the railway sector has been highlighted by a range of international initiatives and conferences. A special session on Cyber Security in Rail within the framework of the Intelligent Rail Summit 2017 organized in Vienna in November 2017 by RailTech, a global platform for rail professionals, looked at a range of aspects. This session, attended by e-tech, listed issues in the cyber threat sphere and measures to address them, among them the use of IEC Standards.

Wide range of potential attackers

The main threat to railway (and other transport) systems does not come from the so-called script-kiddies, like the Polish teenager who hacked the Lodz tram system, but from four different groups of perpetrators in two categories:

  1. Criminals who try to extort money, with ransomware being the main tool. This has become a business model with different types of malware being developed and either sold or rented.
  2. Others who are determined to disrupt or damage operations. They include:
  • Disgruntled or sacked employees with access (including physical) to computer systems
  • Terrorists and politically-motivated groups
  • Possible state actors

Physical attacks should not be discounted. In September 2016, the Chicago air traffic control centre was closed by a massive fire set by a disgruntled contractor. Thousands of flights were disrupted across the US. Attacks can take a hybrid form that combines physical and cyber attacks.

Prevention of physical attacks, which are often carried out through unauthorized access, can be ensured by applying International Standards developed by IEC Technical Committee (TC) 79: Alarm and electronic security systems, and by ISO/IEC Joint Technical Committee (JTC) 1/Subcommittee (SC) 17: Cards and personal identification.

Enclosures containing electronic and control equipment installed in remote places along tracks present physical and cyber vulnerabilities.

Protecting railway infrastructure from cyber threats

The digitization of the railway sector and the move from electromechanical to digital IP-enabled technology is being encouraged by the European Union in the form of the European Rail Traffic Management System (ERTMS).

ERTMS is a system of standards for the management and interoperation of signalling for railways, which is being adopted not just in Europe, but beyond: in several African countries, in Brazil, Mexico, many Middle Eastern and Asian countries including China and India, and Australia.

Industrial automated control systems (IACS), are no longer isolated from the outside, and railway systems are increasingly interconnected thanks to automatic train operation (ATO) and as part of intelligent transport systems, François Hausman, Alstom Main Line cyber defence manager and Shift2Rail cyber security WP leader told the conference. Cyber attacks on industrial control systems increased by more than 600% between 2012 and 2014, he said, bringing with them severe financial and safety concerns.

Railway specifics, such as electronic components scattered along tracks or trains, a very long life cycle (in excess of 25 years), diversity both of supply chain and technology and other characteristics make this a complex domain.

Automated, wireless signals more efficient, but open to new threats

“The automotive sector has woken up to the critical need for cyber protection. It’s time the railway industry got on board as well,” says Amir Levintal, CEO of Israel-based specialized rail cyber security company Cylus. “The current approaches to cybersecurity do not fit the architecture of railway networks today,” Levintal told the Global Railway Review.

Levintal sees new signalling systems as especially vulnerable to hackers. These systems “are the heart of safety-critical train operations. They have also become more and more automated over the past few years – and are now operated wirelessly,” he explains.

“In the worst-case scenario, hackers could send commands to the train causing them to slow down, stop completely, or even accelerate on curves so that the train would be unable to align itself with the switches on the track. All of these scenarios could lead to disaster,” Levintal warns.

IEC Standards for IACS central to railways

Shift2Rail, an initiative that brings together key European railway stakeholders to achieve a single European railway area, is looking at defining how different aspects of cyber security should be applied to the railway sector. It has assessed applicable standards and selected the IEC 62443 series for the following reasons (and others):

  • it is a set of Standards dedicated to IACS
  • it addresses product and system life cycles
  • it covers security risk assessment processes
  • it defines security levels based on functional security requirements
  • it is used by other critical infrastructures

The choice of IEC 62443 was also highlighted by ERTMS Cyber Security Lead Engineer Sharvind Appiah at a workshop organized by the Railway Gazette. "There’s no reason to develop new standards for railways. There are already many standards for cyber security, whether they are NIST [the US National Institute of Standards and Technology] or ISO/IEC standards (…). The challenge is to see which of these fit in the railway context. That’s what we’re doing in Shift2Rail; we’re looking at industry standards, which means IEC 62443, a complete set of Standards designed for IACS, but we apply them in the railway context."

"For me this is a smart way to bridge the gap. It avoids forcing us to go through the R&D phase, where we have to rewrite the standards. We have standards there; it’s a matter of adopting them and learning how to use them."

The fact that IEC 62443 is emerging as a core set of Standards for the railway sector was highlighted by other speakers at the Vienna conference, in particular by David Rogers of Siemens in his presentation: "IEC 62443: A cyber security Standard approaching the Rail IoT."

The set of Standards involves the three major stakeholders in the protection of plants against cyber attacks: asset owners, system integrators and product suppliers, Rogers said. A key concept of IEC 62443 is that security requires a set of coordinated measures to be taken, an approach generally described as defence-in-depth.

The fact that IEC 62443 is being widely adopted is illustrated by the German standard DIN VDE V 0831-104; VDE V 0831-104:2015-10: Electric signalling systems for railways – Part 104: IT Security Guideline based on IEC 62443 (62443-3-3:2013)

All countries are introducing cyber security measures in the rail sector

The UK Department for Transport has issued a guidance document which is designed to support the rail industry in reducing its vulnerability to cyber attack.  It is designed to be high-level and sets out the principles and general approach to cyber security as good practice. It does not provide detailed instructions.

Standards mentioned in a recent public consultation document by the Australian Standard Rail Industry Safety and Standards Board (RISSB) include, in addition to IEC 62443, the ISO/IEC 27000 family of Standards on IT Security Techniques, as well as ISO/IEC Technical Reference (TR) 15443-1:2012 and ISO/IEC TR 15443-2:2012, Information technology – Security techniques – Security assurance framework.

In the US, NIST has published a paper on the performance evaluation of secure industrial control system design for a railway control system.

As railway systems will rely increasingly on mobile communication, connected devices and IP networks, the incidence of cyber attacks from a variety of actors is likely to increase.

International standards, in particular IEC Standards such as the IEC 62443 series, will provide an all-inclusive approach to information technology (IT) and operational technology (OT) security and will be central to protecting IACS from cyber threats.

Gallery
Shinkansen driver cabin Inside the drive cabin of a Shinkansen (Photo: Kazumiki Miura)
Railway signals controlled by manual levers Mechanical levers are still used in many countries to control railway signals and the movement of trains over the points (Eastgates signal box, Colchester, UK, Photo: Sir Ross BA)
Railway companies must ensure safety from cyber attacks Railways and metro systems must take measures to protect themselves from cyber attacks (Photo: ©SBB CFF FFS)