Britain’s rail network is a central part of the UK’s critical national infrastructure (CNI). Any compromise to the systems in the organisations supporting the rail network would have a significant impact upon public confidence in the rail system and an associated and substantial economic impact.
With criminal activity moving away from traditional crimes and into the world of the Internet, even the biggest organisations are not immune and need to adequately prepare for the event of an attack – a fact acknowledged in the Strategic Defence and Security Review (SDSR), which in 2010 identified terrorism and cyber security as the highest priority of threats (Tier 1) to the UK’s CNI.
In addition to potential attacks from external sources, rail companies also face threats to their systems and data from within – protecting the confidentiality, integrity and availability of their assets and data has to be paramount, and that protection must cover data at rest, in transit and in use. A belligerent, rogue agent or terrorist wishing to hack into a signalling system could cause exactly the same damage as an employee who is allowed to input incorrect data. Both activities could cause major disruption and potential loss of life.
The pressing need to protect British infrastructure against the cyber threat has led to the proliferation of a number of standards and guidelines to help strengthen an organisation’s security posture. However, working through these documents can be a daunting prospect for companies that may not have appropriately qualified and trained employees.
Making sense of confusion
Cyber crime can be very confusing. It comes in a multitude of different threats, risks and vulnerabilities, and could affect virtually anyone in an organisation. In addition, the geographical spread of the rail network and the use of legacy systems means that different locations are likely to have different risks they will need to identify and reduce. For example, a train station in a country village using a legacy IT system might have a different security requirement to a newer station using more automated systems. What is clear is that irrespective of the sophistication of the station systems, both have internet-enabled cameras that are vulnerable and can disrupt operations if exploited.
As a result, there is not a ‘one size fits all’ way to combat the cyber threat but there will be some common themes. Before an effective security strategy can be implemented, companies need to understand and work their way through the plethora of frameworks, standards and best practices out there. As a rule, standards are mandatory and must be followed, while frameworks are intended to serve as a support or guide. Best practice should be used as a baseline.
The most important thing here is that a compliance regime in itself is not an answer. Organisations need to understand, against the relevant threat profile, what "good enough" needs to look like when set against the controls in the compliance regime. The key point is that what matters is the effectiveness of the outcome achieved by implementing a control, not the control itself. Hence in a low-threat environment we may expect to patch networks within days, whereas for our most sensitive network we might seek to apply a patch within hours.
Knowledge is power
Understanding the threat profile and the description of effective outcomes are vital starting points, and while standards and frameworks are clearly fundamental, an organisation would not be in a position to identify and address its main risks without a security risk assessment (SRA). A quality SRA will be able to identify the vulnerabilities and risks and highlight these to management. Only then will management be able to take the right control measures, using a cost-benefit analysis approach, to either mitigate or accept the risk. If done properly – with long-term goals in mind – it will not only reduce risk, but also ensure public confidence in the service.
Ultimately, management is responsible for the overall implementation and oversight of any security strategy planning. Clear guidance should be given from senior management at the start of any project, which is then cascaded down to local level to implement. In a distributed system, more governance at the local level is required. This in turn means more leadership and better training are required. Those companies that do not have the budget, experience or time to address many of the problems should work closely with an outside cyber security agency that provides advice and guidance.
Why does all this matter in rail at this time? Simply put, we have entered an era in which much of the technology behind railway signalling and signalling communications is evolving away from point-to-point connections to Internet Protocol connections.
Outlined below are five of the top security issues facing the rail sector, along with recommendations for how senior managers can address each.
1. Inexperience in completing a comprehensive SRA
This is essential to ensure all critical assets, vulnerabilities and threats are identified – if in-house experience in this area is lacking, working with a consultant with prior experience of dealing with SRAs in the CNI space will ensure this is done to the highest possible standard. Particular attention should be paid to critical systems (signalling and safety systems), protection of wireless networks, access controls (physical and logical), and physical security (perimeter and building), ensuring that any vulnerabilities in these areas are addressed. From the output of the SRA, all high-level risks should be highlighted to management.
2. Standardisation of security in the rail network
Frameworks, standards and guidelines are vital to ensure the UK’s rail network as a whole is operated safely. However, different parts of the network require different security measures. Frameworks should be used to set a foundation and guidance issued to local management to conduct their own assessments on the geographical nature of their locations. For example, what might be a vulnerability in one location might not be in another. Once the SRA is conducted, it is vital that a standard approach is implemented across the network.
3. Lack of a physical boundary (perimeter control)
Due to the geographical spread of the rail network, securing its entire perimeter would be inherently difficult and costly. To address the issue of trying to protect the network from physical intrusion, a layered approach to security should be adopted which should work hand in hand with the SRA. Where there is a need for added security, compensating control measures should be adopted. This could be the implementation of CCTV, intrusion detection systems, fences, access controls (site and buildings) and security guards. Trying to mitigate all risk is challenging, but adding these compensating control measures will reduce overall risk to acceptable levels.
4. Vulnerabilities of malware on critical systems
Malware can come in many different forms, for example viruses, worms, Trojan horses, or logic bombs. If unguarded, these could cause catastrophic consequences on the rail network – particularly to the Supervisory Control and Data Acquisition (SCADA) systems at the heart of it. Effective management of malware comes in the form of anti-virus software, firewalls, intrusion detection systems, patch management (updating anti-virus software), system separation and personnel training.
5. Vulnerabilities in the supply chain
At a time when P&L pressure is leading organisations to outsource more and more engineering services to third parties, the remote access to equipment that allows the third-party supplier to monitor and preventatively maintain equipment massively increases the potential vulnerabilities. Boards need to be aware of the nature of these vulnerabilities and the surety expectations they need to place upon their supply chain. If a CCTV camera is installed in a station by the lowest-cost supplier and not configured to prevent alteration of firewall protocols, then that installation is vulnerable and provides access to other systems that can lead to disruption or worse.
The threat facing the UK’s rail system is real, and it is here to stay. It is up to rail companies, security specialists, consultants and government to join forces to tighten the defences. By implementing a holistic approach that centres around continuous policy evaluation and adaptation, organisations can mitigate the risks in networks from the latest evolution of vulnerabilities and attack vectors – ensuring the rail system continues to stay one step ahead of the threat.