RAILWAY & ROAD ENGINEERING
CYBERSECURITY IN THE NEW AGE OF RAIL by Ling Fang, Senior Vice President, Alstom Asia-Pacific Whilst digitalisation is the way forward, it brings with it an important challenge. We tend to take our personal safety for granted when travelling by rail, whether it is our daily metro commute or a cross-border journey at high speed. Mercifully, in the context of the millions of kilometres travelled every year, accidents are rare. However, even as the rail transport industry moves Ms Ling Fang to embrace the digitalisation of systems and operations, which will improve physical safety for passengers (among other benefits), a potential new challenge is emerging. The deployment of digital technologies inevitably opens the door to risks, threats and the possibility of cyber attacks. The future of rail transport is unquestionably digital. Traditional features provided via electromechanical and/ or analogue electronics are increasingly being implemented with software. Advanced software solutions are allowing operators to have real-time information on train movements and analyse overall performance - ultimately reducing costs by streamlining processes and improving efficiency and reliability. From predictive maintenance to automated signalling, and from driverless operation to enhanced passenger experience, digital technology is enabling more advanced performance and delivering benefits to authorities, operators and passengers.
Addressing the reality of cyber threats The downside of this exciting future is that trains that increasingly rely on digital technology are complex computer systems and, like any digital system, can be hacked. It must be recognised that the risks are real. Railway transportation is as susceptible to cyber attacks as any other industry. In practical terms, the risks of a cyber attack for railway operators and their stakeholders may be summarised as follows: • Risks to operations, in terms of quality of service and revenue generation. • Potential risks to the safety of passengers and assets. • The impact on company image and reputation. Every stakeholder in the development of railway systems - systems integrators, service providers and original equipment manufacturers (OEM) - has to make an active contribution to the resilience of the overall railway system and ensure that it has the necessary 28
THE SINGAPORE ENGINEER April 2020
internal organisation, processes, products and solutions to support this. Ensuring the security of a railway system is significantly different to securing a typical IT infrastructure, since the ultimate goal is the safety and reliability of a mass transportation network. There are practical issues to be borne in mind - the system architecture is distributed across long distances with a large variety of contexts, from a centralised control room to on-board embedded equipment. Also, the anticipated duration of the rail system, as a whole, is much longer than the life cycles of the various technologies that go to make up the overall system. It is also necessary to integrate and secure several generations of technologies, each of which has its own security levels. Additionally, from the perspective of operational demands, it is simply impossible to just halt an entire train network’s operations or access an entire fleet, at the drop of a hat, in order to broadcast a new patch, for example.
Elements of a cybersecurity philosophy To address these issues, it is necessary to implement a Secure Development Life Cycle and a vulnerability management process. This starts with an initial Cybersecurity Risk Assessment, in order to identify the main risks and the mitigations to be implemented. During the risk assessment, the context (likelihood of the threat and system vulnerabilities) is defined and the mitigations are allocated to the system components, finding the right balance between protection level, operational constraints, time to market and to deploy, and, naturally, cost. It is also necessary to harden equipment and services with protective measures against cyber hacking and put in place reliable mechanisms to detect cyber intrusions. Finally, Security Testing and Security Assurance will ensure that the selected security measures are correctly implemented. Rail networks are operating in a rapidly changing context and it cannot be assumed that security measures, once implemented, will be effective for all time. That is why it is essential to put in place a robust vulnerability management process that allows the detection and remediation of any vulnerabilities identified in the system’s components. This is the only way to maintain security throughout the life cycle of the rail networks. Having said that, it must be recognised that cybersecurity goes beyond simply the development of products and solutions. It must also cover other phases such as manufacturing, testing & commissioning, supply chain and installation,
