While 5G can be created with security in mind, hackers will always find the weakest link to penetrate
The risks of digitalisation
While it’s a necessity to modernise the rail sector’s typically aging infrastructure with the latest digital technologies to remain efficient and competitive, the industry must be acutely aware of the potential risks digitisation brings.
Today, rail operators tend to use separate systems to manage daily operations. These include a Global System for Mobile Communications-Railway (GSM-R) network - a very narrow-band technology used only for sending messages and replies - and the European Rail Traffic Management System (ERTMS), or an equivalent, to control the trains, as well as another system for passengers.
However, increasingly, rail operators are looking at ways to converge all three network services on the same infrastructure and are exploring the potential of 5G, says Amir Levintal, CEO and co-founder Cylus, a cyber security firm specialising in the rail industry.
Image: maoyunping | Shutterstock
“When the 5G network is deployed, passengers will use it but also rail companies [will use it] for operations and for other systems that are not very easy to connect to the internet, including safety critical communication, unmanned trains and CCTV,” says Levintal.
He warns, however, that when converging services under one network, even in different siloes, there is the potential for cyber attackers to hack one as a gateway to the others.
“While 5G can easily be created with security in mind, we know from different technologies over the years that hackers will always find the weakest link to penetrate, for example, through passenger internet to gain access to the safety critical networks - that presents a real threat to the train system,” he says.
Furthermore, over time, more and more services will be integrated into the 5G network, creating even more potential attack vectors.
5G: a secure network?
It’s largely expected that an increasing number of services, both in the rail industry and outside, will use the 5G network to enable the hotly anticipated Internet of Things (IoT) era of connectivity that will see more autonomous machines, like trains, subways and cars.
Ericsson estimates there will be around 29 billion connected devices by 2022, of which around 18 billion will be related to IoT.
But with so much planned for the 5G network, is it more or less secure than those before it?
“I think security and wireless networks are very tricky because it depends on the application and how the network is being configured; both Wi-Fi and 4G can be very secure if configured and used correctly,” says Tutela head of industry analysis Chris Mills.
“The biggest challenge will be further down the line when everything is connected and data is stored on different servers, all of which can be individually secure, but there are more links in the chain for something to go wrong,” he adds.
However, he notes that 5G doesn’t have any inherent security concerns, it’s more about making sure there are protocols, procedures and standards in place to ensure accountability for every link in that chain and that data isn’t just being lost of track of.
Vodafone CTO Scott Petty says 5G is actually significantly more secure than 4G and Wi-Fi.
“5G has a whole set of new capabilities, much stronger end-to-end encryption mechanisms and much more intelligent protection of subscriber information, as well as the devices that connect to the network - those are really critical features,” he says.
The network also enables ‘slicing’, Petty notes, whereby the network can be split or sliced into smaller networks for tailored speed, capacity, coverage, encryption and security. This can be achieved much more easily with 5G and enables sharing of data and information “in very private ways, with much, much stronger security than in the 4G environment,” says Petty.
5G has stronger end-to-end encryption mechanisms
Technology on the cloud is more convenient to maintain, verify and develop.
Security in the cloud
5G is a shift to ‘virtual networking’ and will see more services and storage residing in the Cloud and on Edge computing, which, while creating its own risks, is more secure than on premise and endpoint components, according to Levinthal.
“Technology on the cloud is more convenient to maintain, verify and develop, because when it is centralised in one point it is easier to build the necessary security measures,” he adds.
“I think the direction we are going in centralising everything into the cloud is better, though there are some disadvantages because now everything is in one place.”
Arthur D. Little managing partner Bela Virag explains that since 5G services are serviced by a more distributed, cloud-oriented computing environment, the attack surface increases and the security perimeter becomes vaguer.
“Therefore, the entire system will require more effort to remain secure; so overall, 5G itself is probably more secure. However, we still believe that the overall end-to-end security becomes harder to provide,” he warns.
There is no complete solution for cyber security for rail - or any company or organisation, says Levinthal. But there are, of course, ways to mitigate risk.
“The first thing to do is to separate the network into different zones and this is what rail operators intend to do, but they must also implement and deploy security measures into the network that will detect someone trying to leverage it to harm or to hit some of the services,” he says.
Operators must also be aware of the human risk factor. The more technology and services, the more complex the system and subsequently its maintenance becomes, creating more scope for someone to make a mistake.
“Mistakes maintaining the network are inevitable because we are all human, but for critical infrastructure a small mistake might result in a very big impact on the application - therefore it is important to be aware and monitor this risk,” says Levinthal.
To sum up, he reiterates: “Separation and zoning are good, but once a hacker gets into the network, security measures must be in place to detect them and to stop them executing their attack.”
For critical infrastructure a small mistake might result in a very big impact.