The widespread introduction and availability of modern internet protocol (IP) fixed and radio-based telecoms networks provide many benefits for a modern railway. These extend both to train control, maintenance, operation and asset management, and to passenger use – ticketing, train information and security. Having everything ‘connected’, though, does have some challenges that need to be carefully managed, with the biggest and most important issue being cyber security.
Railways were relatively late, compared to other industries, in adopting IP communications, but they have benefited from learning from others and adopting good cyber security measures. One can never be complacent though, as the threats from rogue individuals and organisations become increasingly targeted and sophisticated. Railways need to continue to adopt best practice and learn from the telecoms industry, and from companies like Nokia – who deliver networks all over the world for demanding enterprise industry sectors that require secure communications.
Over the last ten years, IP-based communications have become well established for train control systems and are available from a number of suppliers, so it is no longer possible to consider such systems to be totally isolated and protected from hacking, as was the case with older bespoke systems. This is inevitable, as the railway is a ‘system of systems’ and applications need to communicate with one another via managed safe connectivity.
Connections are also required for maintenance diagnostics and to enable the original equipment manufacturer (OEM) to support and upgrade software-based assets. That OEM may be based thousands of miles away and it is no longer practical nor necessary to send staff to site to undertake interventions. It may also be far safer to ‘log in’ remotely to support assets.
There are several examples of cyber ‘hacking’ into industrial and rail equipment. In 2003, a virus infection of a train company’s systems in Florida in the USA disrupted signalling, dispatching and other systems, resulting in widespread delays. The cause was believed to be a worm virus known as “Sobig”, which resulted in delays to services from Washington to Richmond and points south. Ten Amtrak trains were affected, with services between Pittsburgh and Florence halted because of dark signals and long-distance trains delayed for between four and six hours. More than a dozen commuter trains in the Washington area were cancelled.
In 2008, a 14-year-old managed to hack into a tram system in the city of Lodz, Poland. The teenager achieved this using public library and open source information from the Internet. He trespassed into tram depots to gather information needed to build a control device, with which he was able to control the trams and change track points. This resulted in the derailing of four trams and caused emergency stops which injured twelve people.
In 2015 “Project Honeytrain” ran to determine how a railway could be vulnerable to cyber hacking. A virtual rail infrastructure was reproduced with real hardware including computer systems and a communication network, but with no cybersecurity measures and with logins and passwords left at their default settings. Software components of existing railway systems and CCTV videos of real stations, as well as train operator workstations, were simulated, but to hackers around the world it appeared to be a real railway.
The Honeytrain project only ran for six weeks, but, during this time, a total of 2.7 million attacks were identified, originating from most countries in the world. The majority were automated dictionary attacks, trying to identify an unknown password using a dictionary list. This is why names or words on their own should never be used for passwords. One attack involved the same accessing IP address trying to control a mythical signal using a dictionary attack. The attack was not successful, but it demonstrated that the attacker had a good knowledge of the railway control systems involved, and that the actions were performed deliberately.
In 2016, it was reported by Darktrace, a UK cyber security firm, that the railway infrastructure in this country was the victim of at least four major cyberattacks. The network infiltrations appeared to be more exploratory than disruptive, but still a cause for concern.
The following year, in 2017, the widely publicised WannaCry attack affected many organisations globally. Germany’s Deutsche Bahn rail infrastructure suffered system failures, and ransomware messages appeared on station information screens.
More recently, and worryingly, another piece of malicious software has been identified that is designed specifically to enable the damage or destruction of industrial equipment, and with the intention of disabling safety systems that protect human life. A malware (malicious software) called Triton, also known as Trisis, was designed to compromise industrial control systems and to target control equipment used in oil, gas and nuclear energy facilities.
The Triton malware was designed to tamper with, or even disable, safety-instrumented systems used by human operators to monitor industrial processes. These systems monitor potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or sabotage. Because Triton’s code also contains the ability to disable safety measures, the ‘fail safe’ mechanisms that exist to shut down equipment safely in unsafe situations, similar to those we have in rail control systems, would be unable to respond.
Security incidents like these have the potential to affect railways in many ways. These include not just the loss of revenue while services are unavailable, but also the recovery and restoration costs, potential prosecutions, damage to brand reputation, compensation to users and non-compliance penalties. A report by www.checkpoint.com in 2015 said that, in an average day in some enterprise networks, an unknown malware is downloaded every four seconds. Every 53 seconds, a bot communicates with its command and control centre and every 81 seconds, a known malware is downloaded. A high-risk application is compromised every four minutes and every 32 minutes sensitive data is sent outside the organization.
The rail control, command and communications sector is now very good at producing ‘safety cases’ for any new safety-critical or safety-related product. These are documents produced by engineers who are independent from the designers of the system, to analyse the safety arguments for the design and operation of the new product. These are then reviewed and approved by a separate panel of industry experts who ‘sign off’ the product, together with any constraints for its use. Under a traditional safety case, once it has been approved, the product should not be changed or altered in any way without a revised safety case being submitted.
The threat of a cyber security breach has required a different approach to maintaining safety from the traditional safety case. If a cyber threat is detected or identified, it is vital that a “patch” to mitigate and defend against the threat is deployed without delay. So, defences have to be deployed quickly and the cyber security system has to be constantly looking for new threats and attacks. Infrastructure managers cannot wait till an attack occurs and then create a project to deal with the issue. The cyber security defences have to be agile, automated and constantly refreshed and updated.
The key to any cyber security system is ‘defence in depth’, with layers of protection so that, if one defence is breached, the system is still protected. Defences must not rely just on manual interventions, but must use the latest automation techniques, application of data analytics, machine learning, and end-to-end encryption. Security must be everyone’s responsibility and not just be left to the IT department. Simple precautions such as ensuring robust password management and not using portable storage media are equally important.
There are various standards and guidance to establish a cyber security regime, for example International Electrotechnical Committee IEC 62443-2-1 ‘Industrial communication networks – network and system security’. This describes the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop the elements.
This includes defining the baseline security requirements based on risk and how to patch an affected system, with operators, suppliers and vendors having clear agreements in place to cover vulnerability testing, patch development, testing and deployment. The facility to detect and respond quickly to incidents is vital, and a cyber security operations centre will need to be established, with the objective of minimising the impact of any attack.
ISO/IEC 27001 provides requirements for an Information Security Management System (ISMS), and ITU-T X.805 provides a security architecture to enable operators to assess network security and eliminate potential threats in complex environments. The X.805 architecture can be applied across network operations, as well as in network management, in three layers:
1. Infrastructure layer, which comprises basic communications network building blocks such as routers, switches and transport equipment;
2. Services layer, which comprises network services or circuits that deliver data generated by applications, such as signalling, supervisory control and data acquisition (SCADA), land mobile radio or CCTV across the communications network;
3. Application layer, which comprises the devices over which applications run.
A major telecoms company such as Nokia has experience with all the layers in a network, unlike other companies which may only specialise in the Application layer.
The National Cyber Security Centre is available to support the most critical organisations in the UK, the wider public sector and industry, as well as the general public. When incidents do occur, it can provide effective incident response to minimise harm, help with recovery, and learn lessons for the future. It also publishes lots of guidance for cyber security, which recently has included 12 principles for the effective control of a company’s supply chain. With the rail industry dependent on a wide range of suppliers from across the world, supply chain management of cyber security needs careful consideration.
EU Cybersecurity Act
To further help industry and society to improve cybersecurity, the Cybersecurity Act (Regulation (EU) 2019/881 of April 17, 2019) entered into force on 27 June 2019. The Act strengthens the mandate of the EU cybersecurity watchdog, the European Union Agency for Cybersecurity (ENISA), which supports EU member states to tackle cybersecurity threats and attacks and to establish an EU-wide cybersecurity certification framework (“Framework”). ENISA was established as long ago as 2004 and has been working to make Europe cyber secure.
The Framework will enable the publication of European cybersecurity certificates and statements of conformity for information and communication technology products, services, and processes to be recognized in all EU Member States. EU Member States will develop rules on penalties for infringements of the Framework and for infringements of EU cybersecurity certification schemes.
The Cybersecurity Act will allow businesses to certify that their products meet EU cybersecurity standards. Initially, the cybersecurity certification will be voluntary, unless otherwise specified by EU or member state law, although mandatory compliance may come later. Businesses designing, manufacturing or implementing products, services or processes are recommended to assess their level of compliance with respect to the Act requirements and/or to consider certification once the schemes are available.
Cyber security for rail
Nokia offers in-depth expertise in the development of cyber-security best practices, based on its experience of providing communications networks around the world. Its end-to-end security solutions incorporate security products and services that address the specific challenges of rail. For example, the Nokia Netguard Security Management Centre and Security Operations Analytics and Reporting platform enables security operations teams to automate and prioritise activities and report data to inform better business decisions.
Critical network elements such as base stations, network controllers, mobile devices and application servers need to participate in their own defence, with the defence capability best developed during product design and not as an afterthought. The Design for Security (DFSec) approach used by Nokia deals with proactive security measures, including risk and threat analysis, secure OS configuration, access control, password policy, code review, penetration testing and other activities. Nokia also implements reactive security measures known as Security Vulnerability Monitoring (SVM) to ensure that OEM product vulnerabilities listed by computer emergency response teams (CERTs) are highlighted for further qualification and possible patches.
Nokia also applies best-in-class certificate management practices to ensure that IoT devices are properly identified and certified at the time they are deployed. Existing 4G LTE networks and emerging 5G networks are designed with certificate management systems in place. Manufacturer-provided certificates, with a unique, secure identifier, can ensure that devices have not been modified or tampered with prior to deployment and help ensure the identity of devices once in operation.
The large number of certificates and diversity of suppliers (certificate authorities) requires a significant effort to manage equipment deployments. Technologies which automate the management of digital certificates can bring operational savings and prevent errors. Nokia combines its expertise in both LTE and IP to achieve mission-critical security that addresses the vulnerabilities specific to these technologies. Having a specialist company like Nokia available enables a railway to focus on its mission-critical responsibilities without being distracted by having to work with multiple security vendors to align on security or incident resolution.
Over 1,000 mission-critical networks have been deployed by Nokia with customers in the transport, energy, large enterprise, manufacturing, and public sector segments around the world. Leading companies across a number of safety-related industries are benefiting from the decades of experience building some of the biggest and most advanced IP, optical, and wireless telecoms networks. In the UK, Nokia delivered the very first digital telecoms transmission systems for rail over 30 years ago, and, more recently, Alcatel Lucent, which built Network Rail’s Fixed Telecom Network (FTN) for GSM-R, was bought by Nokia.
Customers include communications service providers whose combined networks support 6.1 billion subscriptions, as well as enterprises in the private and public sectors. Through its research teams, including the world-famous Nokia Bell Labs in the USA, Nokia is leading the world to adopt end-to-end 5G networks that are faster and more secure. It adheres to the highest ethical business standards and governments are relying on Nokia networks to deliver critical communications.
In Germany, DB Netz and Nokia are to trial the first ‘stand-alone 5G system for automated rail operation’. In partnership with Siemens, the DB Netz trials will form part of DB’s programme to automate part of the Hamburg S-Bahn. This €60 million project aims to have four trains operating automatically on a 23km section of Route 21 between Berliner Tor, Bergedorf and Aumühle by October 2021, ready for the city to host the World Congress for Intelligent Transport Systems. For a prestigious project such as this, involving autonomous trains, cyber security must be second to none and to the highest standard available. Failure is simply not acceptable.
Trains will operate unattended for around 1km when entering and leaving a siding near Bergedorf station with a driver retained for the rest of the journey, but only intervening in the event of a problem. The trials will test whether 5G technology is mature enough to serve as “the connectivity layer for future digital railway operations”.
In France, SNCF and Nokia are to develop a 5G laboratory to prepare for the switch from GSM-R to the Future Railway Mobile Communication System (FRMCS) in the mid-2020s. FRMCS will be designed for 5G, which offers reliable, high-speed, low-latency performance and much greater capacity than 2G GSM-R, to improve existing telecommunications services and allow the development of new rail applications. SNCF and Nokia will evaluate FRMCS applications both in the laboratory and in the field, with cyber security high on the agenda.
Cyber security incidents and attacks are becoming ever-more sophisticated, and the potential damage that can result is growing. Railway infrastructure can ill afford any successful cyber-attacks. Not just financial loss is at stake, but safety too.
Railways will benefit from new networking technologies, including LTE and IP/MPLS, to support new services and improve the efficiency of the railway. While such networks are future proof and scalable, they will introduce new security vulnerabilities.
However, with a robust network defence, the security threats can be addressed. While all mission-critical networks are different, sound security typically requires a move from manual processes to automation, the application of data analytics and machine learning, end-to-end encryption and a full lifecycle evaluation of cyber-security risks.
Nokia offers an advanced and comprehensive approach, built on its long experience and in-depth expertise in enterprise networks, for both security and mission-critical network design and operations. Its solutions are in line with best practices and published standards, to ensure the highest levels of protection for railway communications.