10 minute read

Understanding cyber security

CLIVE KESSELL

PHOTO: RIDVAN CELIK

Much continues to be written about cyber security, the threats that exist and the precautionary measures that should be taken. The problem is very real and cyber-attacks take many forms, ranging from critical systems being disabled with implications for safety, through to ransom attacks that demand monetary payments for service to be restored, down to the nerd in the bedroom who finds it fun to use his/her knowledge to get into networks which are supposed to be secure.

At best it is inconvenient; at worst it can put an entire business at risk.

Even now, there is a casual attitude to the threats by some businesses, with a few still believing “it can’t happen to us”. They are wrong, as the correct thinking is “it will happen to us, we just don’t know when or in what form”. Part of the problem is that preventative measures cost money and senior management has a reluctance to spend that money on things they don’t properly understand.

Instead, the cyber security situation is often addressed by in-house IT experts who produce information documents, written in IT-speak that further baffles the directors. A means of making it all simpler would be to the benefit of all.

The rail industry is diverse and cyber intrusions have been noticed in many disciplines. A recent talk given to the Institution of Railway Signal Engineers by Alzbeta Helienek (known as Betty) and Mathijs Arends, both from Ricardo Rail based in Holland, explained a means of making cyber security more understandable to people who need to make decisions on what to do.

Betty also sits on the UK Cyber Security Council so has much wider experience than just the railway and signalling industry.

Cyber security and rail

An opening remark by the IRSE President was salutary; in 1963, the then British Rail experienced the Great Train Robbery, where a mail train from Glasgow to London was ambushed en route with several million pounds being stolen. To stop the train, the gang false-fed a signal to red, having gained some insider knowledge. The incident was reported worldwide and has achieved an element of notoriety. In those days, IT had barely been invented, but it demonstrates what can be achieved by those with intent on malice.

PHOTO: SOLARSEVEN

Nowadays, the railway has an interconnected infrastructure to produce efficient operations and needs a geographically wide intelligent device network. Many factors emerge from this, including the all-important safety implications, the opportunities for remote control, predictive maintenance activities and a whole host of economic factors. It introduces the concept of OT (operational technology) to sit alongside the IT (information technology) requirements.

Such a structure will inevitably result in cyber attacks and it begs the question as to whether rail can be insecure but still safe, with the answer being a definite “No”. Incidents can cause the destruction of equipment and risk to lives.

In the past, incidents have occurred in Florida (2003), Poland (2008), Iran (2010) and Germany in 2017, this latter being a ransomware attack on passenger information systems (PIS). Some incidents occur where the affected organisation is not the intended target - the German PIS attack was aimed at the Polish power network. It only emphasises the interconnected nature of data networks globally. Making it all understandable is a real challenge.

Developing the idea

The starting point has to be examination of standards and directives which already exist. As would be expected, there are many of them. At the highest level are the ISO 27000 series, followed by ISA/IEC 62443. The latter is aimed at automation and control systems but is very much IT-expert orientated.

Next are the EU Directives, including GDPR (General Data Protection Regulations), which set out a legal framework for compliance. This has caused much confusion within organisations, big and small, as to the steps needed to comply and the penalties for not doing so.

Then there are national and industrial guidelines, including some produced by the Department for Transport and Network Rail in the UK. Is it small wonder that people are confused by all of this with the risk of ‘eyes glazing over’?

There is a general consensus that the problem has to be progressed in five steps: Identify Protect Detect Respond Recover

But this is too bland to be practically understood and OWASP (Open Web Application Security Project) listed the progression in a different manner: Governance Design Implementation Verification Operations

Aimed primarily at focussing on a suitable management structure, this is also considered too technical and is aimed primarily at IT professionals. Focussing on Rail

Nothing appropriate was found that would be easily applicable to rail engineers and managers. Looking, therefore, at the five-level structure, this needs to take account of: » improvements needed within the organisation covering management and documentation » improvements in scope to recognise the need for greater coverage and better tooling, and » a combination of both these.

This results in: » Recognise the problems » Set out basic principles » Define a strategy » Capture knowledge of what is going on in the network » Produce an active organisation to defend against attack including associated safety risk.

Having got the headings, these now need to be turned into meaningful disciplines and specialisms that can be understood: » People - probably the most vulnerable threat, as this not only includes lax work ethics (careless email activity, computers and CDs left unattended, poor record keeping) but also insider criminal and bribery opportunities; » Risk - training employees to recognise where risks will occur and what to look for will result in a much better appreciation of cyber threats and their impact on safety critical systems; » Technical countermeasures - putting in place technology that can both detect and counteract cyber attacks may make use of proprietary systems, but will often require specialist detection software to be designed; » Integration with Safety - there is often a tension between safety and security interests as the precautionary measures for these may be very different. Safety measures tend to be based on well proven designs to prevent what was always known as ‘wrong side failures’.

Security threats are uncontrollable in how they will appear and in what form. The now universal use of solid state interlockings and data-driven distribution of signalling information still creates unease amongst traditional signal engineers and security threats only add to this. The possibility that train services might be adversely affected makes matters worse.

1 A cyber security training and awareness program exists in your organisation.

2 Cyber security awareness/ training is based on specific role needs. Your organisation has conducted at least one cyber security threat and risk assessment and therefore knows which assets are critical for safety and which for business continuity.

A plan has been made to assess in detail the most important company digital infrastructure and most important suppliers.

3 Cyber security training is incorporated into HR and can be evidenced. Cyber risks are actively managed in a company risk management system.

4 Cyber security is included in role descriptions based on your organisation’s cyber security needs. Cyber security risks are known across the whole network including legacy systems.

5 Cyber security is a natural part of everyone’s job - part of your organisation’s DNA. Dependencies and triggers for changes in cyber risks are embedded in the risk management process.

Digital Resilience Reliability Maturity Matrix

The organisation’s network separates their corporate IT from their safety critical network. The people responsible in the organisation for safety and security structurally communicate. Security requirements are managed and linked to safety requirements.

The network is separated into different zones and conduits. An intrusion detection system can pick up unusual activity in the network.

The critical assets and network traffi c are monitored and logged. Vulnerabilities are discovered with targeted scans. At least one safety case has been created where security issues have been considered and safety testing takes into account malicious actions. The V-lifecycle includes cyber security activities. Threat and vulnerability, and hazard assessments contain at least one representative of both domains. The validation and verifi cation process includes methods of security testing.

Security monitoring includes automatic rules and incident alerts that trigger defence response. Safety and security engineering are integrated as described in CENELEC 50701. Security threats are linked to safety hazards.

A security operation centre monitors, analyses and corrects incidents on digital assets. Continuously changing security threats are dynamically linked to safety hazards. Safety and security activities are performed by a team with deep understanding of both domains. There is a formal business continuity plan that describes how to keep trains running in case of a cyber incident. The BCP is published and available to everyone in the organisation. We should still think about disaster recovery. The most important lines can be kept operational manually during an incident. Processes in the BCP are included in training.

Backups are tested regularly. The business continuity plan includes processes for different durations, for example a week or a month. Table top crisis management exercises should be conducted at least yearly. Incidents can be contained in such a way that an automated process not directly affected by the incident can still be used. The BCP is continuously improved and crisis management exercises carried out yearly with key staff. A dedicated incident response team will actively work to keep the railway operational during a cyber incident. Crisis management exercises are conducted with scenarios, simulations and multiple stakeholders.

» Incident Management - acceptance that no countermeasures will ever be 100% perfect is a pragmatic approach, as attacks will always happen. From this, do not try and build ‘Fort Knox’, but be in a state of readiness to observe a problem and take the appropriate remedial action to minimise or eliminate the impact which may include shutting down systems for a short period of time.

Matrix

Taking all these factors into account, the adjacent 5x5 matrix has been developed with 25 questions - all of which can be answered ‘Yes’ or ‘No’ - to give a check list on where an organisation is.

Somewhat similar to the well-known risk assessment matrix, it would be possible to score 25 if all answers are ‘Yes’. However, not all organisations will need to have a Yes to every box and a first step might be to decide what is applicable and what is not. A company not engaged in manufacturing or deploying safety-related products or systems may not need to consider these aspects. The most important thing is to have a security training programme in place, as attacks can occur very quickly and need to be picked up straight away.

The matrix has been tested in a few organisations and most have welcomed it. Some responses indicate that there remains work to do - ‘I don’t know where to start’, ‘It seems like a lot of extra work and just adds to the cost’, ‘I put everything in the cloud and they look after it for me’.

To combat this negativity and/or ignorance, organisations are encouraged to try the matrix out as a managerial directive and produce some feedback. This should determine some priorities and where to focus next. Maybe a question to ask is ‘How can I improve security in the next six months or year?’

One question already asked is ‘Can it be applied to projects?’ and of course the answer is ‘Yes’. It is expected that the matrix will go through a number of iterations and will thus be updated from time to time, so any comments, suggestions or criticism would be welcomed by Rail Engineer; we will pass these to the authors.

Remember that, whilst this talk was aimed at a signalling audience, it is equally applicable to rolling stock, operational planning and all other infrastructure elements.

This article is from: