Railways are a key pillar of our overarching transportation system and keeping them secure and safe is all-important, Karsten Oberle, Head of Rail at Nokia, explains why 

The job of protecting them, however, is changing, shifting emphasis away from protection against physical threats towards cyber-threats.

This shift reflects the digitalisation of rail operations, and the increasing interconnection between different railway sub-systems, which is providing new entry points into the system for hackers and cyber-criminals. As digital complexity increases, rail operators need a robust, end-to-end cyber-security strategy that can address these challenges and ensure the safety of this key transportation pillar.

Cyber-threats are expanding

Most rail professionals today are aware of the general threat posed by cyber-attacks. But it is difficult to keep up with the innovations being made by hackers and criminal organisations. They seem to be endlessly creative and capable of exploiting even the most advanced systems.

The increase in the number and scale of threats is not entirely due to a growth in hacking, it is also an indirect result of railways digitally transforming their operations. Often referred to as Railway 4.0, digitalisation is an important trend in the rail industry that promises to lower costs, increase safety and improve the passenger experience.

IoT sensors and devices are now making it possible to collect data on everything from the condition of the rolling stock to the monitoring of extreme weather events and the prediction of maintenance requirements. Driverless and remote-controlled train projects may steal the headlines, but important data is being logged for mundane things, from rubbish levels in bins to an individual passenger’s train choices correlated against timetables and fares.

This data-driven approach to operations holds huge promise for both greater efficiency and safety. The data that is generated across the system can be analysed by artificial intelligence and machine learning, creating advanced algorithms that can optimise and automate processes, workflows and even predictive maintenance schedules. These ‘smart’ systems also hold the answer to how railways can become more secure.

Moving away from perimeter security

The traditional approach to digital security has been all about securing the perimeter of the system. When there is a strong moat and one drawbridge, this is a feasible approach that makes it possible to be relatively relaxed about the security of the internal network. Many enterprise security systems have traditionally used this to protect the enterprise LAN.

The problem today is that the moat, to the extent that there is one, has multiple entry points to secure. This is especially the case when internal users are accessing ‘as-a-service’ applications that run on the public cloud. But, even if railways keep all their data and applications running off a private cloud, the sheer number of sub-systems that are integrated means that there are multiple points of entry that can be exploited, including sensors, other IoT devices, handheld terminals, phones, laptops, automatic ticketing systems – and the list goes on.

To tie up all these loose ends and secure every one of them is possible, but as the digital transformation grows, it becomes increasingly expensive. And, importantly, it doesn’t account for internal threats. With even the deepest moat, a single phishing attack that fools employees into revealing their identity credentials to an external actor, can open the entire system to be exploited. External suppliers that work on the systems and disgruntled employees are also potential weak links in the security chain.

The SOAR approach to security

The more complex network security issues that arise with digitalisation require a holistic approach to security. This more in-depth approach uses some of the same analytic tools that are powering Railway 4.0. Identified by Gartner as the new security paradigm, they named it SOAR for ‘security orchestration, analytics and response’. A SOAR approach to security doesn’t replace existing security infrastructure but acts as an overall eye-in-the-sky to pick up security threats that individual systems might not be able to recognise.

SOAR relies on the ability of artificial intelligence (AI) and machine learning (ML) programmes to create an in-depth model of what normal operations looks like. It can automate responses workflow to gather and analyse security data from various different sources, making them more available and easily digestible for stakeholders.

Security attacks almost always look abnormal, and many generate distinct traffic patterns or ‘signatures’. Known attacks can be quickly identified and shut down. Even novel attacks are identified, and security personnel alerted to the anomalous behaviour.

SOAR can also automate the response of the network to known attacks. Thus, for instance, a distributed denial of service attacks (DDoS) can be recognised by security analytics that spot the unusual rise in traffic, identify the machines (either inside the enterprise network or outside it) that are sending the attack traffic and automatically instruct edge routers to simply not forward traffic from those attacking machines.

SOAR-based security approaches can also measure compliance across multiple systems in real-time and automate the updating of networks and devices to meet the best-practice standards set by the regulator.

Cyber peace of mind

Security and safety are watchwords of the rail industry. Security teams need a better way to gather the supporting information about the security state from a wider range of sources, but also to automate security processes.

The adoption of digital technologies based on more open IP platforms has been slow, in part because of fears around security and safety. But operators can take comfort knowing that SOAR approaches to security are being widely adopted across telecom and enterprise networking. The power of new analytics technologies such as AI/ML are making this kind of in-depth security feasible and affordable.

Rail operations have much to gain from digitalisation. New IP-based applications that boost the efficiency of a variety of critical functions, such as train control, signal control, maintenance monitoring, video protection and passenger information systems, can now do it safely and securely. With a SOAR-based cyber-security architecture, operators can eliminate or quickly mitigate threats, allowing them to focus on their primary operations, delivering freight and people quickly and safely to their destinations.

Karsten Oberle is Head of Rail at Nokia. Karsten Oberle received the Dipl.-Ing. (FH) degree in communications engineering from the University of Applied Sciences ‘Fachhochschule für Technik’ Mannheim, Germany, in 1998. In the same year, he joined the Alcatel Research Center in Stuttgart. As Head of Rail, he is responsible for expanding Nokia’s business in the railway sector with a current focus on the future of rail communication (e.g. FRMCS, 5G), cybersecurity for railways and analytics. This includes building and managing new sales programs, steering of global business development activities, and guiding regional sales and marketing teams on customer engagements.