Cyber security is an increasingly frequent topic in the discourse on the future of the rail industry around the world.
The digitisation of modern life has spawned innumerable innovations, improvements, and efficiencies across industries. But this hyper-connected age has also given rise to a proliferation of cyber security threats jeopardising personal data, critical infrastructure, economic institutions, and even our physical safety. Given the range of attack vectors, it only goes to show that there is no one-size-fits-all cyber security solution for these growing cyber-threats.
The railway industry is no exception. While mainline train and metro systems have in recent years begun to deploy mechanisms enhancing cyber security for the general network, they have lacked access to solutions tailored particularly to their unique industry.
Moving massive numbers of people and goods over vast distances, trains are essential to the economy — making them highly attractive targets for threats from malicious actors seeking to wreak social and economic havoc. Security breaches risk a wide range of negative consequences, from disrupted services to collisions and derailments, which may even result in human casualties. The collateral impact is no less important, including damage to productivity and the wider economy, reputational harm to affected railways, potential harm to passengers’ wellbeing and more.
Compounding the inherent incentives for threat actors to target the rails are the unique — and uniquely vulnerable — technologies that currently underpin the railway industry. Trains operate on fixed tracks and shared infrastructure, relying on signalling technologies to facilitate orderly and efficient operations on shared tracks. This sets trains apart from other means of mobility. Operators of other forms of transportation like cars, ships, and aircraft are able to manoeuvre individually within the space they share, but trains operate according to a collective steering wheel: the switches on tracks.
The Unique Challenges for the Rail Industry
Over the past 200 years of railway history, a variety of safety technologies have been developed and deployed to ensure the safe operation of trains on this shared infrastructure. Technological advances can be seen in every area of the railway. From mechanical interlocking to computer-based interlocking, from semaphore signals to remote traffic control signalling, and from air braking on trains to electronically controlled pneumatic brakes. These examples are only part of a range of new technologies that improve service availability, reduce costs and enhance safety.
Trains’ on-board systems also contain many connected components: braking systems, door systems, HVAC, passenger information systems, and more. These individual components are all connected through an on-board communication network between the rolling stock. In modern railway systems, this network is also connected to the signalling system and other wayside sub-systems.
Though these connected systems utilise advanced technology, the critical infrastructure supporting today’s railway systems is largely comprised of legacy components and communication protocols, integrated with those new technologies.
These legacy components boast long life-cycles of up to 30 years. For better or worse, these seemingly timeless components were never designed with cyber security solutions in mind. The result: shared networks wholly unequipped to combat the cyber-threats of the 21st century. That is exactly why our railways are now in critical need of solutions constructed precisely for the industry’s needs and specifications in the digital age.
Unfortunately, established cyber-solutions created for other industries will not suffice. Normally, critical data centres are located in highly secured environments, protected by physical mechanisms with only authorised personnel permitted to approach them. In the case of railways, however, passengers are an integral part of the system and are therefore ubiquitous — on trains, near the tracks, and travelling long distances.
It is next to impossible to keep any area free from throngs of people. Hackers may seek to leverage this effortless ability to gain proximity to wireless communication and key physical components to lay their malicious traps. In short, as high-value targets reliant on specialised connected technologies, railways demand protective mechanisms suited to the industry’s specific needs.
Addressing these vulnerabilities will require stakeholders to formulate cyber security strategies that consider the full range of threats facing rail and metro systems. This will mean robust engagement on the part of railway executives, transportation agencies, governments and regulatory bodies as well as cyber security professionals.
Given the evolving nature of threats in the cyber age, vigilance is of the essence. For cyber innovators, there are new opportunities to be seized as the railway industry moves toward the adoption of advanced technologies so prevalent in other industries.
The rail industry may not be alone in its vulnerability to cyber-threats, but its infrastructure and technology do indeed stand apart when creating solutions for safety and security. The automotive industry has geared up for this growing threat. It’s time for our railways to get on board as well.