Expert Panel: What are the main technological barriers regarding cyber-security?

Richard Thomas, Industrial Fellow (Data Integration & Cyber-Security), UK Rail Research & Innovation Network (UKRRIN), University of Birmingham: The diversity in the age and capabilities of our rolling stock and supporting infrastructure is a big issue, meaning that implementing newer, perhaps more secure technologies, can be a challenge. Existing systems fitted onto older assets may not be capable of conforming to today’s best cyber-security practices. Another barrier is the cost of upgrading assets, where new technologies must be deployed at scale – e.g. ERTMS.

ERTMS and the Digital Railway programme present an interesting balancing act between retrofitting existing assets and deploying new technologies. However, these systems have lifespans in the order of decades, rather than the five or so years commodity hardware, such as smartphones, have – a challenge we are solving in the UKRRIN Centre for Excellence in Digital Systems.

One way to address this challenge is having so-called modular standards, where security can be improved over time, considering backwards-legacy for legacy systems which may not be able to meet new requirements just yet.

The sector also has a reliance on using existing technologies, e.g. GSM-R, a standard that is over 20 years old, and shows its age when considering its cyber-security ‘resilience’. Developing cyber-security into new standards (e.g. FRMCS) from the outset allows us to be proactive rather than reactive to secure our estate.

Simon Moorhead, Chief Information Officer, Rail Delivery Group (RDG): The UK’s railway system is complex meaning it faces unique challenges when it comes to cyber-security.

We interact with customers through ticket machines, physical stations and ticket offices, online channels and on trains. We have tens of thousands of staff members and many suppliers that support us, who need to be aware of cyber-security. Like many long-established industries, some of the hardware and software in everyday use by the railway is relatively old.

Cyber-security is at the forefront of our thinking when it comes to safety and delivering improvements. We’re investing in new on-train technology to benefit passengers with better information while meeting cyber-security standards. As we mix old with new, we’re seeking to provide a consistent interface to make things simple for customers, while adding extra controls between different systems and networks to keep them safe.

The UK rail industry is well advanced in implementing the Network and Information Systems Directive (NIS), designed to increase the security of network and information systems that support essential services within the transport industries and is closely aligned with our Rail Cyber Security Strategy.

An NIS priority is to ensure the cyber-security of the industry’s supply chain and one of our current initiatives is to implement a supplier accreditation service for key supply chain partners.

Cyber-security is a threat that can’t be conquered, but it can be kept at bay.

Matt Miller, Transportation Industry Principal, OSIsoft: Rail systems are networks of geo-dispersed assets with long lifecycles which were never originally designed to deal with modern cyber-security threats. Railways and operators traditionally dealt with these threats by tightly controlling physical access to their systems and networks. This created pockets of data in ‘silos’, which are secure, but inaccessible for workers and systems outside of operations to use in better discussion making. This is in direct conflict with the current market needs to securely bring new data sets into a common operational view and to liberate all the data to create new value across the intermodal supply chain.

There are standard industry best practice approaches, consistent with Critical Infrastructure Protection (CIP) architectures used by other national scale networks, such as utilities.

Replicating data from highly secure ‘siloed’ systems (i.e. control rooms) with a cyber de-militarised zone (DMZ) is one common practice. Along with other standard security barriers such as firewalls and uni-directional gateways, they strengthen enterprise architectures from cyber-threats and can be tailored to meet the risk, experience and asset profile of the organisation and reconfigured as they change. Data from IoT and other non-critical systems can either flow up into operations from secured networks and systems or directly into business systems and shared with operations with any of the DMZ architectures.