The safety of our railways is paramount. Yet as digital technologies transform our networks, our concept of safety must evolve to include cybersecurity at its core. To maintain cybersecurity, it’s not enough to have well-designed technologies with state-of-the-art defences. Engineers must be trained, educated, and equipped across the industry so that the entire railway ecosystem is secure and safe.
At first it was a futuristic innovation, then it became a bonus, a nice-to-have extra, and now, digital connectivity is a fundamental aspect of our transport system. Yet as the technology races ahead, our thinking lags behind. We’re increasingly dependent on innovation, yet it’s still treated as something separate to the core functionality of our networks. Even as our railway is transformed by technologies such as digital signalling, it is still thought of as one issue, and its cybersecurity as another. In fact, they’re indivisible; when it comes to maintaining services, cybersecurity is just as crucial as the safeguarding of physical infrastructure. As our transport system becomes ever more interconnected, the bigger the potential impact of a cybersecurity event, and the more vulnerable, our entire railway network becomes.
Simply designing cyber-safe railway systems is no longer enough; the right equipment isn’t sufficient to provide security. As digital technology grows more integral, our focus must shift towards processes and the people who maintain it. Having a robust, cyber-secure railway doesn’t help if too few staff understand how such a system is best operated, maintained, and updated. That’s why we need to devote more attention to the people who will be running the railway well after the cybersecurity consultants have left.
Digital vs. dispersal
Since 2018, the Network and Information Systems Regulation (NISR) has placed more responsibility on railway operators for the smooth operation of the network. As the sister regulation of GDPR, the NISR gives authorities the power to fine operators who fail to maintain services as a result of a cyber event. Should lax cybersecurity lead to a disruption on the railway, for example through a denial of service attack, the train operators on that network will be liable. Yet many train operators are small. On any given UK mainline route, there are hundreds of individual operators, some of whom can count their total trains on a single hand. For such SMEs, the cost of becoming cyber-secure is prohibitive; the investment needed to bring cyber defences up to date could well be the difference between making a profit or a loss, or even surviving or going under.
The dispersed nature of the UK’s railway network makes achieving improved cyber security more difficult. In an age of increasing connectivity, where trains, operators, and infrastructure systems communicate on seamlessly interconnected networks, a single gap in our cyber security defences could breach the entire digital ecosystem. Ultimately, in a connected world, you’re only as strong as your weakest link. It’s not enough for the top operators and stock owners to have impressive cyber security – we need to help the whole industry to evolve, for everyone’s sake. A lopsided approach to security could invalidate the efforts of the more advanced operators, leaving the entire industry vulnerable – including passengers. While the vast majority of cybersecurity scenarios won’t result in an unsafe railway, they could render it temporarily unavailable. Railway designs will always endeavour to ensure that trains fail safe, but if a service is stopped due to a cybersecurity event, operators may be liable under NISR, as well as being fined and with angry passengers on their hands. These cases also tend to make headlines, which has a knock-on effect of reputational damage – all from just one cybersecurity event.
Significant consequences like these can be triggered by minor causes: a personal laptop plugged into the main system, or a corrupted memory stick innocently inserted into a secure computer. With hundreds of contractors working on railway assets, it’s easy to see how a lack of awareness among a large and dispersed body of staff could lead to a cybersecurity event. Unless cybersecurity skills and awareness can be spread across the industry, these types of incidents will always be a threat.
The word ‘cybersecurity’ tends to conjure up images of espionage, counterintelligence, and futuristic scenarios of intelligent computers wreaking havoc – but the reality is often far simpler. For most companies, worrying about malicious international hacking is irrelevant; much more pressing are the innocent mistakes resulting in the railway’s digital ecosystem being shut down by malware. Focusing on people, rather than just technology, can help mitigate this risk. That’s why Atkins Cyber Academy was founded to increase cyber capability through the upskilling of graduates and apprentices and to cross-skill existing engineers into Cyber Security practitioners. The industry needs engineers who understand the technical aspects of cyber security as well as the strategic impact of risk.
Tech no more
Even the most robust and cybersecure technologies must be operated and maintained. No matter how secure its design, the ever-changing digital space means that we need to be continuously maintaining cybersecurity controls. In a world where these systems are interconnected, who exactly is responsible for their maintenance? Who will pay for it? As an industry, we need to explore these questions together. Digital signalling systems, for example, should always be built cyber-secure first and foremost, but their continuing security depends on the operators and train companies using the digital ecosystem. They are the ones who will monitor, maintain, and operate it, and with digital systems spanning across the boundaries of the railway industry, those organisations must communicate effectively about who’s accountable.
We can’t treat technology and people in isolation. You can’t maintain a secure railway without people who understand how this is done. As a discipline, cybersecurity is still in its infancy, and as of yet there are simply too few professionals with the understanding of both railway engineering and cybersecurity. This dearth of skills has prompted many operators to buy in cybersecurity consultants, to make up for this knowledge gap within their organisation. This might be effective in the short term, but cybersecurity isn’t a one-off that can be addressed with a temporary expedient. Instead, we need to work collaboratively to train railway engineers so that they become conversant in cybersecurity. Their experience of designing safe railways is invaluable, as is their comprehensive understanding of risk management. Working with cybersecurity experts can help engineers to develop a better understanding of cybersecurity, enabling them to mitigate cybersecurity risks in their designs and processes, and ultimately helping their organisations become more independent in future. All the railway academies, apprenticeships, and graduate schemes need to be teaching cybersecurity not as a separate consideration but as a core engineering skill, so that our railway engineers intrinsically understand cybersecurity as part of their basic competency.
The shift to cyber
What we need is nothing short of a major shift in the culture of railway engineering. The world has been transformed by digital technologies, and we must recognise how fundamentally we now rely upon them. Our concept of safety must expand in order to be fit for the new world that is rapidly emerging. That means we need more than just a handful of clued-up cybersecurity specialists – we need the vast majority of engineers to have a solid grasp of the core tenets of cybersecurity, so that competency spreads throughout our industry.
Hiring experts might be a good short-term solution, but it implies that cybersecurity is something you can do once and then forget about – the nature of digital connectivity means that cybersecurity isn’t a one-off event. It’s a continuous process, and it’s not going away, and in fact, it will become more and more critical. There’s no going back to the world of the 1990s, or even the early 21st century. Rather than clinging onto old concepts of safety, which treat digital security as an afterthought, we must update it so that the primacy of digital connectivity is taken fully into account. Building up cybersecurity capabilities, even if that just means having the basics, is more valuable than simply paying someone else to make the problem go away for a while.
In English, the word ‘safety’ is often used synonymously to mean ‘security’. Although they’re not identical, their closeness recognises a fundamental truth: you can’t be safe without addressing security, because safety is underpinned by security. Security is the umbrella; safety is being underneath it. Without proper security, there’s a higher likelihood of a safety event. Without cybersecurity, a railway could be hacked, or be susceptible to malware which compromises its software. When software is changed by outside influences, its safety can no longer be assured, because the software is no longer the same as when it was tested and approved. In a railway safety environment, modified software is unacceptable because such modifications change how it works, potentially compromising the safety of the whole network. Such knock-on effects are made more likely by the interconnectivity of systems, increasing the likelihood and severity of the ensuing safety event.
The more sophisticated our technology, the more of a threat this poses. If we continue to adopt driverless trains, which connect to railway systems, operators, and passengers, from a cybersecurity perspective there is no boundary between train, infrastructure owners, and passengers. Without proper cybersecurity measures opening the door to one of these components gives you access to the whole network. Such measures must be actively upheld if they are to last. That’s why we need cybersecurity, embedded not only in our designs but also in our people and the processes they employ to operate, maintain, and update them. Otherwise, our railway’s availability will always be vulnerable.
Whole and holistic
Becoming cyber-secure is a big challenge. There aren’t enough skilled cybersecurity professionals, change is happening fast, and the dispersed nature of the UK’s rail ecosystem hinders rapid evolution. The biggest companies and operators must help the whole industry to evolve. Otherwise, we face a ‘tragedy of the commons’ scenario, whereby a precious resource shared by all (in this case, our railway’s security) is improperly protected because no one can agree upon whose responsibility it is. Everyone knows that safety is paramount; but few have realised just how much safe operational performance depends on cybersecurity. To safeguard our passengers, the industry as a whole must be at a comparative maturity, so that there are no weak points for a virus to exploit – or to make tempting targets for hackers or general malware.
So cybersecurity must be considered holistically, as an integral element of the railway’s safety. Only then can we rapidly equip engineers throughout the sector with the skills they need to uphold cybersecurity after the implementation of new technologies. Things move fast, and so we must use the time we have wisely: upskilling our engineers and enabling them to design railways that are fully safe, secure – and fit for the future.
We want to help the whole industry become more secure – if you’d like our help, please get in touch.
Author: Matt Simpson – Technical Director, Cyber Resilience, Atkins
Matt works as the Professional Head of Cyber Security, and brings over 20 years’ experience in Systems Engineering, Technical Assurance and Cyber Security to Atkins clients, on a variety of topics including industrial cyber security, transport security, security cases within safety system assurance, secure SCADA architecture and the Internet of Things.
Featured photo credit: iStockphoto.com