Why cybersecurity is front and centre for rail

Cybersecurity has become increasingly important in the rail sector for a range of reasons, although the primary being that the systems making up our rail networks are becoming ever more digitised and interconnected.

This is not only increasing complexity, but also providing new attack vectors for malicious actors, explains Robert Morgan, principal associate at Arup, who points out that these can vary from cybercriminals trying to make a quick buck through to nation states looking to disrupt key infrastructure.

This heightened vulnerability is evident from recent incidents, says Eric-Vittorio Li Destri, railway cybersecurity expert at US-based communications equipment company Viavi Solutions.

Li Destri notes that some of the most disruptive and costly rail cyberattacks have been orchestrated in the last few years. These have predominantly consisted of ransomware incidents that target Information technology (IT) systems and, increasingly, operational technology (OT) systems.

“In 2021, the Swedish public transport authority, Skånetrafiken, suffered a devastating ransomware attack that brought its whole network to a standstill. In March 2022, Italian State Railways faced a similar attack that put a halt to customer ticket purchases, indirectly halting the network,” he says.

“Also in 2022, Danish State Railways (DSB) experienced extensive disruptions when its IT service provider was attacked, preventing drivers from accessing a key safety-critical IT system. The Belarusian state-run train company also fell victim to a ransomware attack in the same month, aimed at disrupting Russian troop movements.

“These kinds of attacks result in significant financial and operational costs, with overall losses easily reaching billion-dollar figures annually.” 

It may be getting more attention right now, but cybersecurity within the rail sector is actually already quite mature. Matt Simpson, global discipline lead for cyber resilience at Canadian engineering company AtkinsRéalis, has been addressing these risks for over 15 years and notes that until recently, discussions around cybersecurity were mainly taking place within the engineering and security teams.

The topic became ‘mainstream’ around 2018, he says, with the arrival of the Security of Network and Information Systems (NIS) Regulations, which made addressing cybersecurity a legal requirement.

“Modern infrastructure has more vulnerabilities because it’s more dependent on IT equipment. This can be addressed through cybersecurity, and that’s why governments began introducing regulations,” he explains.

“These regulations are slowly weaving their way into all kinds of railway standards and operations, which has ultimately raised the profile of cybersecurity risks across all parts of the sector. Boards are more aware of their cyber risk, which means they have to address it and are therefore investing more money.”

A fully comprehensive approach to cybersecurity is required to ensure safety, one that encompasses both IT and OT systems. Everything must be secured – from networks, ticketing, and communication systems through to signalling, train control, and track switching.

This means deploying advanced solutions that offer network visibility, threat detection, and response capabilities, says Li Destri.

According to Morgan, the single most significant impact you can have on cybersecurity is achieved through the appropriate design of the data networks that interconnect systems.

“Get this right and although you might not stop an attack, you’ll limit its ability to spread to other systems and significantly lower the overall cost of protecting the network,” he explains.

“In addition, applying Purdue model thinking – creating security zones and conduits between system components of different criticality – and controlling the flow of information between zones, can significantly reduce the attack surface available to a rogue actor should they gain access to a system.” 

When we talk about cybersecurity, we often focus on the tech, but the reality is that it revolves around people. As Simpson puts it: “If you have 1,000 employees, you’ve potentially got 1,000 vulnerabilities and risks walking around that you need to address.”

Staff are the ones that click on the malicious URLs – phishing is the most common cause of a cyberattack, used to introduce ransomware onto systems, explains Simpson – or mistakenly connect systems without putting the appropriate firewall measures in place. Therefore, the focus must be on staff education.

“You can have the best technology in the world, but if someone can find a workaround because it's more convenient, that’s how they’ve always done it, or they’re up against it, they’ll bypass your tens of millions of pounds investment. It’s very much about taking them on the journey with you,” says Ben Kaintoch, associate partner at PA Consulting.  

“You need to educate your engineers, project managers and operators on what they need to do in their roles to ensure cybersecurity,” Simpson continues.

“Train your engineers to address cybersecurity risk by design, then train your operators – and all computer users – not to click on unsafe links and to be suspicious of a random USB stick they find. This will make a huge difference across your organisation.”

Companies must also consider the suppliers that they work with and ensure they assess their cybersecurity credentials. They have all the right controls in place and ensure that their access is limited to what they specifically need, Kaintoch adds.

Cybersecurity is a continuous journey – there is no final destination, as the threats are always evolving. It’s also unrealistic to think any railway will ever be 100% cyber secure. “They’ll go bankrupt trying, and never achieve it,” says Simpson.

Even organisations including the Government Communications Headquarters (GCHQ) and the Ministry of Defence (MoD) have been hacked, he points out, explaining that the focus should instead be on being “good enough” to ensure your critical systems are protected and the impact of any attack is as small as possible.

Doing this will also make you a less appealing target, Simpson notes, as cybercriminals will always look for the weakest victim.

There’s a lot to consider when it comes to cybersecurity, but just take things one step at a time, starting with your highest priority systems, Morgan advises. “Recognise that it will take time, but that progress will be exponential – starting slow but then compounding.”  

Australia could be one of the main beneficiaries of this dramatic increase in demand, where private companies and local governments alike are eager to expand the country’s nascent rare earths production. In 2021, Australia produced the fourth-most rare earths in the world. It’s total annual production of 19,958 tonnes remains significantly less than the mammoth 152,407 tonnes produced by China, but a dramatic improvement over the 1,995 tonnes produced domestically in 2011.

The dominance of China in the rare earths space has also encouraged other countries, notably the US, to look further afield for rare earth deposits to diversify their supply of the increasingly vital minerals. With the US eager to ringfence rare earth production within its allies as part of the Inflation Reduction Act, including potentially allowing the Department of Defense to invest in Australian rare earths, there could be an unexpected windfall for Australian rare earths producers.