FEATURE
From cyber-secure to cyber smart: why a broader understanding of cyber security is vital to our railway’s resilience

MATT SIMPSON
The safety of our railways is paramount. Yet, as digital technologies transform our networks, our concept of safety must evolve to include cyber security at its core. To maintain cyber security, it’s not enough to have well-designed technologies with state-of-the-art defences. Engineers must be trained, educated and equipped across the industry so that the entire railway ecosystem is secure and safe.
At first it was a futuristic innovation, then it became a bonus - a nice-to-have extra - and now digital connectivity is a fundamental aspect of our transport system. Yet, as the technology races ahead, our thinking lags behind. We’re increasingly dependent on innovation, but it’s still treated as something separate from the core functionality of our networks. Even as our railway is transformed by technologies such as digital signalling, it is still thought of as one issue, and its cyber security as another. In fact, they’re indivisible; when it comes to maintaining services, cyber security is just as crucial as the safeguarding of physical infrastructure.

The more interconnected our transport system becomes, the bigger the potential impact of a cyber security event and the more vulnerable our entire railway network becomes. Simply designing cyber-safe railway systems is no longer enough; the right equipment isn’t sufficient to provide security. As digital technology grows more integral, our focus must shift towards processes and the people who maintain it. Having a robust, cyber-secure railway doesn’t help if too few staff understand how such a system is best operated, maintained and updated. That’s why we need to devote more attention to the people who will be running the railway well after the cyber security consultants have left.
Digital vs dispersal

Since 2018, the Network and Information Systems Regulation (NISR) has placed more responsibility on railway operators for the smooth operation of the network. As the sister regulation of GDPR, the NISR gives authorities the power to fine operators who fail to maintain services as a result of a cyber event. Should lax cyber security lead to a disruption on the railway - for example, through a denial of service attack - the train operators on that network will be liable.
Rail Engineer | Issue 189 | Mar-Apr 2021
THE SAFEGUARDING CHALLENGE