Simplifying the complexities of security in rail: A Q&A with Nomad Digital
Posted: 21 January 2021 | Global Railway Review, Nomad Digital
Security continues to play a significant and increasingly crucial and connected role within rail. Global Railway Review delves deeper into the risks, speaking to Nomad Digital’s Security Architect, Mark Robson, about their Security-as-a-Service solution, and the importance of beginning with a healthy asset management system.
What do you consider to be the biggest security-related challenges that the railway sector must overcome?
There are many aspects of the railway sector where security is becoming an integral part, if not already present. Concerning these aspects, it is hard to find an area where security is not a challenge.
One of the most prominent areas that Train Operating Companies (TOCs) struggle with is asset management. This is due to the use and integration of many third-party products and services which are combined to create the overall technical solution that TOCs provide. The challenges of asset management occur when trying to keep track of where responsibility starts and ends for the products and services. For example, who is responsible for installation and is this the same party responsible for maintenance?
Often it is the case that the supplier of the asset is best positioned to identify the security challenges that face their product and how these challenges should be secured. It is with their co-operation that the TOC can establish the best understanding of how components are connected and what technical communication is occurring. This is essential to maintaining security and should be an integral part of asset management.
Having a thorough asset management system in place provides the TOC with the ability to provide more accurate vulnerability management identification and procedures, incident response actions and access control processes. These processes and procedures are vital in the current climate, so that adherence to legal regulations, such as GDPR, is possible. Also, it must be noted that there are strict time frames specified in regulations, such as GDPR, and the potential for penalties if adherence isn’t achieved.
Additional tools at the TOC’s exposure can then assist with the steps relating to asset management and compliance. However, they all require a healthy asset management system to be in place. Such tools include Security Information & Event Management (SIEM), Vulnerability Scanning, Intrusion Detection (IDS/IPS) and Governance, Risk Management & Compliance (GRC). At Nomad Digital, the focus is to offer a Security-as-a-Service (SaaS) solution, which is beneficial to many TOCs by providing some of the aforementioned tools.
It’s important to highlight that many more security challenges exist. However, good asset management must be considered a security challenge, as it provides the foundation for wider security to be monitored and implemented.
To what extent do you think it is important for rail infrastructure managers and train operators to take a holistic approach to their security solutions?
By accepting that a healthy asset management system is essential to maintaining a good security stance, we are already acknowledging that a holistic approach is paramount. When high accuracy is achieved within the asset management system, it creates a foundation from which we can build further security. Analysis from the information provided in such a system may provide paths and opportunities that may otherwise be ignored or invisible. For example, identifying that only two per cent of systems are of one particular operating system so, to minimise the risks, it may be best to phase them out. This would then eliminate the requirement for a niche skillset within the TOC and broaden the ability of existing staff to be capable of working on systems.
The same approach could be taken for identifying systems that are running out-of-date versions of the software. Once identified, they could then be injected into project plans and flagged that they need to be replaced. This would remove potentially weak systems from remaining within the infrastructures.
Ideally, the overall result should entail a widespread and consistent, yet basic, security approach which can be relied upon. More than sufficient information allows security to delve further into technology, in areas that may present higher concern, such as edge gateways or sensitive information storage.
However, it must be noted that a holistic approach should not be relied upon and that niche security measures should still be included. These measures could include performing penetration testing, vulnerability assessments and code reviewing. By taking a holistic approach, there may be a false sense of implemented security, as a global image of security is presented. However, it could only take one vulnerability, one risk or one opportunity for a threat to get inside. Additional security techniques are required to ensure a defence-in-depth approach is implemented and, in high-security areas, a zero-trust approach is applied.
In what ways does Nomad Digital work with rail infrastructure managers and train operators to understand their Security-as-a-Service requirements?
Nomad Digital offers a SaaS solution to TOCs, where we can implement event monitoring and incident handling of malicious events relating to the ground-to-train connectivity.
This enables TOCs to utilise Nomad Digital’s technical expertise within this area to resolve incidents as quickly and effectively as possible, whilst also being able to relay them in clear communication so that all parties involved can understand the risk, how it was resolved and steps implemented to prevent future recurrence of the risk identified.
Nomad Digital is capable of providing the necessary documentation to assist in compliance adherence, such as security management plans and vulnerability audit reports, to evidence the security controls in place and to verify how effective they are.
With Nomad Digital covering the train-to-ground connectivity, the TOC can focus on the critical areas related to train management and signalling, too.
What are the core benefits of Nomad Digital’s cyber-security solutions and what kind of feedback are you receiving from your customers?
The core benefits of Nomad Digital’s cyber-security solutions include aiding in the detection and response to malicious activity against on-train and shoreside components. This is achieved through Nomad Digital’s bespoke secure Intrusion Detection Service, which operates in real-time.
All detection is logged and managed by a service desk operating on a 24-hour basis, ensuring that someone is always present to work on any malicious activity detected.
The result of using Nomad Digital’s cyber-security solution is a management package that provides key stakeholders with the required information to evidence compliance with and make business-critical decisions from.
Some of the tangible benefits include:
- Monthly incident reporting
- Security management plan
- Regular vulnerability assessments.
What would be your main recommendations for a rail organisation looking to improve their existing security solutions?
The first recommendation must be that rail organisations develop a thorough understanding of the assets that they have. It can often be found in organisations that vulnerabilities and weaknesses appear from old or legacy technology still running without the business fully understanding its purpose. Likewise, the technology is not maintained because it simply works and no issues have occurred, so it is forgotten about. This accurate asset inventory will greatly assist in the maintenance of rail industry solutions that help to prevent future security concerns.
The second recommendation is to perform regular system hardening practices. This involves reviewing the systems that are often connected to create an overall solution and restricting access to them through firewalls and user access control, removing unnecessary software and many other steps which can be found referenced in security standards. Benchmarking against widely accepted security baselines is also another method, such as using the CIS benchmarks. A great technique that we adopt at Nomad within solutions is to containerise vendor software to assist in system hardening. This results in significant restrictions for what software can and cannot do.
The final recommendation is to implement regular risk assessments of the technical solutions that are deployed. Risk assessments could include vulnerability tests or penetration tests. The length of the test may vary, but this is dependent on the level of risk that the organisation is willing to accept. The regularity of the risk assessment is also an important factor, as technology rapidly changes. Therefore, between risk assessments, new vulnerabilities and security weaknesses may appear that create security concerns for the solution being assessed.
To continually improve the security of a rail industry organisation or solution, the most thorough approach is to adopt a security standard such as ISO27001 or IEC62443. These cover the three recommendations above in greater detail and many other aspects, such as system hardening. Working with a partner such as Nomad Digital to achieve this can bring a wealth of knowledge and experience acquired from a wide variety of implementations across the world.
If you would like to find out more about Nomad Digital’s security solutions, please contact: [email protected].
With special thanks to David Dove, IT Manager and Information Security Officer.