In her guest blog, Dr Emma Taylor, head of digital safety at RazorSecure, takes a closer look at how cyber security and digital safety are integral to operational rail safety – and the strategic approach that makes the most sense.
Above: Dr Emma Taylor
The modern rail network has evolved rapidly over the last decade, so that some of the most critical systems across rolling stock are connected to the internet.
From braking through to communications, the railway has moved to digital operations, with numerous complex connections and data flows happening behind the scenes.
With the increased digitalisation of the railway, technology frequently interfaces with operations – the passenger information system (PIS) display is just one example. Yet, for many rail operators, maintaining a high level of cyber security has not been a visible priority, even though a cyber incident could have a significant impact on operations.
A complex environment
A rail network is a complex and unique computing environment. A digital train is made up of a computer network and lots of systems that are used to control the train. In cyber security language, these control systems are called operational technology (OT) to help separate them from the IT that we use every day.
In this OT environment, a digital system is used to create an action or operation, whether it’s a signal changing aspect or controlling the train's speed. Any malfunctions or deviations from normal behaviour can be costly, not only in lost services or damaged physical systems, but also for the safety of staff and customers.
People often believe that these computer IT systems and digital OT systems do not share a connection through the internet – and that only the IT system is linked to the internet. In theory, this provides an ‘air gap’ between them, giving a degree of protection against cyber security threats, but in practice ‘air gaps’ can be, and are, bridged on a regular basis.
Not only that, but the two types of digital system, OT and IT, are increasingly being connected to create opportunities for greater operational efficiency, and this exposes them to new outside threats.
Cyber security also involves human factors. It’s not just about computer glitches or deliberate attacks – sometimes human error causes issues. And when you unplug and plug in a new connection (such as a laptop) to rolling stock as part of maintenance, you are making a connection between the OT network on your train and your IT system. This significantly increases the number of locations and opportunities where changes can be made – deliberately or by accident – as a bigger system with more data has more complexity and connections.
Reporting incidents or concerns can be very useful here. Sometimes the root cause of something going wrong and the effect it can create in a digital system isn’t obvious. Seeing a digital vulnerability is not as straightforward as spotting a physical crack in a rail or bogie for example. With anything you can connect to the internet, there’s vulnerability.
Understanding the risks
As an industry, rail has not been aware of cyber risks previously. Safety reports have not included evidence of them: it’s hard to know what to look out for.
Cyber security risk management is not that different from any other kind: you need to identify the risk, analyse it, mitigate it and monitor it. Or, in cyber security terminology: Identify, Protect, Detect, Respond, Recover. That sits alongside safety’s ‘Plan Do Check Act’.
Being prepared for the unexpected, while considering what can be learnt from what has happened, is an approach that has much in common with the operational railway frontline – for example, looking at station security, passenger behaviour and whether the digital information systems are behaving as expected.
But on an operational railway, cyber security is sometimes treated as an afterthought, as well as a check-box exercise. Safety is highly prized within the rail industry, and cyber security should receive the same sustained focus.
At a system level, safety and security are intertwined, but there are also differences. Think of the following. A stopped train is considered safe in most railway contexts, but from a cyber security perspective, forcing a train to stop could be a ‘denial of service’ attack. This is when a computer network is overloaded and can no longer work effectively because it is being flooded with requests for connection from the outside. This could have safety consequences in turn. This means that a broader perspective may be needed when assuring a train for both safety and security.
When preparing a cyber security programme within the rail industry, it is important to consider the safety aspects of running a railway. Is the system critical for safety? And what are the worst-case scenarios for a cyber incident that affects that system – not just in terms of financial cost or operational disruption, but also its impact on safety.
Incidents can cross both the cyber security and safety domains, even where there is no malicious act by a hostile party. ‘Loss of availability’ – which means that data or a system is not available when needed – is a defining characteristic of a cyber security incident. For example, the power outage in 2019 – when power frequency variations in the overhead line equipment caused a safety system on trains to shut down traction power – was an operational problem caused by a software system that ‘failed safe’. Drivers were not able to restart their trains due to a recent software update and then had to wait for a technician with a laptop to arrive to enable the restart. This led to passengers having to stay on board for hours, with a knock-on effect on passenger safety and welfare.
Another difference: while safety can be assessed at a point in time and then signed off, it’s just not possible to take this approach to cyber security as things are constantly changing.
And with safety, often you can take a longer time frame to look for trends, monitor and analyse – but this is not the case for cyber security in rail. With cyber security, the internal data flow is so varied and complex, and the external threats change on such a frequent, daily basis, that continuous monitoring and assessment is essential.
'You need to keep your finger on the pulse and maintain an ongoing watchfulness. If you aren’t aware of a system in your network, then you won’t be aware of the need to monitor it.'
Taking a digital safety approach
Where can you start with cyber security? One way is to instead think of ‘digital safety’. This is ensuring that digital components on the network are functional and support safe operations. Think system-wide and ask, “What if?”.
It begins with a fundamental challenge: if you don’t know what is connected to your network then you can’t secure it. A network is only as strong as its weakest link. There are various approaches, but ask yourself these questions:
i. Do I know what I’ve got (such as assets)?
ii. Do I know what is going on with them?
iii. Will I know when things are going wrong?
There can be more digital components than you might realise, and the system can be complicated. This complexity means that it may be more susceptible to rapid and unpredictable changes, as it is hard to evaluate how a system will respond.
Rail systems have many vulnerabilities that could pose a potential ‘point of attack’. That is why being able to detect any suspicious activity within the network is so important.
You need to keep your finger on the pulse and maintain an ongoing watchfulness. If you aren’t aware of a system in your network, then you won’t be aware of the need to monitor it. Given this, how can you secure it? And, if a system is not secure, it is hard to make the case that it is safe. This is why visibility and monitoring is so vital for cyber security. When it is used correctly, it can also provide operational advantages.
Continuous monitoring of physical and electromechanical systems through regular checks is embedded in most aspects of rail operations, from asset management to incident reporting. For example, in the UK there is an industry-wide programme to collect data and generate annual safety reports showing trends and highlighting areas for action. But when you read these reports, cyber security doesn’t have a high profile, even though it is recognised as a potential threat to railway operations. One reason is that achieving continuous monitoring of digital systems through cyber security needs a different approach to what is generally in place.
That’s because continuous monitoring is different in safety and cyber security. For the latter, it implies active ongoing monitoring of live operational systems, while for safety it is the reporting of incidents or near misses after the fact. Ongoing vigilance and prompt reporting of digital system issues is even more important for cyber security than for safety. There is less time to identify, protect, detect and respond once an incident starts to occur.
An important source of information is safety reporting by people, through channels such as CIRAS. When people speak up about things that aren’t right, whether through company channels or confidentially, it creates an opportunity to learn from what has happened – and look out for it happening again or prevent it. While we work towards a greater understanding and increased continuous monitoring of digital systems, reporting by people has a particularly important part to play.
Setting a cyber security strategy
The railway is not unique in its vulnerability to cyber attacks – they are a risk right across the transport and construction sectors – but its infrastructure and sub-systems present unique challenges when creating solutions for safety and security. Simply applying the cyber security solutions for standard IT systems won’t work in a rail environment.
Within rail cyber security, we should treat each system individually and gather the best possible data to protect that unique system. Focusing on one system individually means you can establish a behaviour baseline, which then makes anomalies that have strayed from ‘normal operating’ patterns easier to identify. These system-specific anomalies indicate that something’s not working right and needs investigating. This is integral to continuous monitoring of digital systems.
Monitoring and understanding the system’s broader sequences of events also helps you gain a better view of the risks across all the unique systems on your network. Digital diagnostics installed on your train and infrastructure networks can provide valuable additional information. From this, you can take more precise actions to reduce the exact risks, and provide specific preventive measures. It is also very important to be able to investigate when things go wrong, and any digital incident investigation needs a good digital paper trail.
This continuous monitoring includes the watchfulness of people using the systems – the digital and operational frontline – who can help provide intelligence to identify areas of concern in your cyber security and digital safety. By encouraging them to raise concerns openly or confidentially if they experience something unusual with a system, you will build in a layer of security that can contribute to keeping your systems, and therefore people, safe.
We live in an increasingly digital world, and the boundaries of the safety-critical frontline are growing. Better connectivity is a positive development for the industry but also one that poses its own important challenges: you can’t stay safe without staying on top of cyber security.
Find out more
Office of Rail and Road (ORR): Keeping Britain's railway safe from cyber threats by Paul Appleton, deputy director, Railway Safety at ORR, and HM deputy chief inspector of railways
IOSH Rail Group: Digital systems in the modern railway – vulnerabilities and opportunities (recorded webinar)
RazorSecure: Securing IT vs OT networks – prioritising digital safety
National Cyber Security Centre: Information for small and medium-sized organisations
National Cyber Security Centre: information for large organisations
- Infrastructure Managers
- Train Operating Company
- Rolling Stock