The rail industry in the connected era: promising potential versus cyber risks

The rail industry and cyber threats | Stormshield

This is the story of one industrial revolution meeting another: for even the rail industry is subject to digital transformation. Electronic tickets, onboard WiFi... the benefits in terms of traveller experience are obvious, but change is also taking place at industrial level, amid national infrastructure. Bringing with it new drivers of operational excellence, but also a fair share of associated risks – chief among which are cyber threats. So, a brief overview...

When we talk about digital transformation in the railway sector, we tend to think of e-tickets and onboard connectivity. However, innovation is slowly permeating all layers of a rail network that is becoming more connected every day. The Internet Of Things, cloud/edge computing, automation, robotisation and artificial intelligence... just a few disruptive technologies that are propelling the rail industry into a new era.

 

The promises of Rail Industry 2.0

Stormshield Vice-President of Engineering Franck Bourguet sees the opportunities afforded by digital technologies in the rail sector as falling into three main categories. And of these, operational excellence is in top position: “One of the promises of Rail Industry 2.0 is that it provides solutions to boost existing network capacity by making optimal use of available infrastructure.” The issue here is to optimise the service provided by improving the frequency and punctuality of trains, while continuing to deliver – or even improve on – the required operational safety. Another major aspect is that of passenger safety: new tools, such as video protection or IIoT sensors (Industrial Internet of Things), integrated with control and monitoring systems, provide new levels of visibility on board trains and at stations. Lastly, the passenger experience is enhanced, particularly through the use of onboard or station-based services, with information and entertainment screens, or electronic ticketing.

To take advantage of these opportunities, operators need to deploy new connectivity capabilities at stations and in trains: IP protocols, WiFi, GPRS and 4G LTE standards, etc. They provide trains with abilities such as interaction with the control centre using the train-to-ground communication system. And these technologies are not merely the preserve of new equipment: they are now bringing openness (i.e. communication and intelligence) to systems that were traditionally closed.

But opening up your networks also means making them vulnerable and exposing them to malicious attacks... For critical infrastructure such as rail, the serious nature of the issue is evident to all: “When an attack is made against the transport sector, there can quickly be utterly dramatic consequences, including on human lives,” pointed out Guillaume Poupard, Director General of France’s ANSSI information systems security agency, at the International Cybersecurity Forum (FIC) in Lille (France) in 2017.

 

Why rail is vulnerable to cyberattacks

Rail transportation IT systems require high levels of availability, accessibility and security, which means that they need to be strong and resilient to cope with cyberattacks. What factors make rail infrastructure vulnerable?

Franck Bourguet identifies several types of risks. Because driver assistance and control systems now feature connectedness and communication, their vulnerabilities present new attack surfaces. If these weaknesses are exploited, it could have serious consequences – potentially including seizure of control of the train.

Another potential risk area is ticketing and the associated financial risks. The issues faced by these highly-exposed rail information systems are ultimately similar to those faced by websites, such as payment security or ticket validity.

And lastly, passenger safety and comfort may be targeted by malicious attacks. Franck Bourguet puts forward a scenario which highlights the critical nature of certain functions, using the case of driverless trains: “If a train’s ability to communicate with its control centre or with its passengers is interrupted, for example in the middle of a tunnel, this can result in scenes of extreme panic,” he explains. Less dramatic, but nonetheless disastrous in terms of image, is the hijacking of information and entertainment systems, either on board or in the station.

Lastly, the application of Industry 4.0 technologies to the rail sector creates new risks. Consider the case of predictive, connected maintenance technologies which are making giant strides forward, driven by progress in artificial intelligence: “When technical monitoring systems are rendered unavailable, or their data is falsified, there is a potential risk of damage to equipment, undelivered services, and possibly even accidents,” Franck Bourguet points out.

 

What risks are we talking about?

Cyber attackers have clearly identified this broad spectrum of threats. According to The Cyberthreat Handbook, a report published in 2019 par Thales and the cyber-intelligence company Verint, transport is the fourth largest sector targeted by hackers – after the defence, financial and energy sectors.

On a smaller scale, consider the example of this 14-year-old script kiddie who succeeded in taking control of the tram network in Lodz (Poland) in 2008 with a simple modified television remote control. The hack resulted in the derailment of four trains and 12 injuries. Or a larger-scale event in 2015 at the CeBIT exhibition in Hannover (Germany), at which a simulation reconstructed a typical infrastructure (video surveillance data flow, control interfaces, time scheduling, etc.) to estimate the type and intensity of malicious acts. Over a 6-week period, researchers recorded a total of 2,745,267 attacks, 10% of which succeeded in taking partial control of the system.

So, what are hackers’ methods of choice? The distributed denial of service (DDoS) attack remains a classic: “Sometimes it’s easier to block communication than to break into a system,” comments Franck Bourguet. Another frequent attack vector is ransomware, which spreads as a result of human weakness (phishing and booby-trapped attachments); although easy to implement, the damage it causes can be significant. German rail company Deutsche Bahn fell victim to the notorious WannaCry in May 2017. In this case, ransomware infected 450 computers, affecting passenger information systems, ticket machines and video surveillance networks. Another example came in 2016, when the transport system in San Francisco (USA) was hit by ransomware, locking up its ticket machines for 48 hours. This forced the SF Muni company to deactivate its barriers and open up the transportation system, resulting in heavy financial losses.

 

Rail cybersecurity: multi-level tiered responses

It’s easy to understand the importance of legacy systems in the rail industry. This older infrastructure (IT, equipment, etc.), dating back to a time when digital technology was either in its infancy or non-existent, may still be in use today. And in an era of intelligent networks, the belief that such equipment – designed for non-connected environments – is somehow protected is now an obsolete concept.

Franck Bourget believes that some proprietary protocols have not been designed to provide security for the data they carry. And corrections are impossible to make without a retrofit and significant investment. However, cybersecurity solutions do exist, adding a layer of firewall protection, with an encryption or filtering ability along with protocol analyses to confirm that transfers are legitimate.

Another area for attention: not only networks but also workstations and various other devices need to be protected if they are to be preserved from local attacks or malicious code and malware. In an industrial environment, this refers to control stations, sensors, actuators and other autonomous devices. So, if the network is corrupted, solutions exist to block the attack, which would also target this industrial equipment.

Data protection is also an area where work is required: as the French transport operator, RATP, opens its artificial intelligence laboratory in Châtelet-Les-Halles (Paris, France), we should consider the confidentiality issues relating to videos recorded on trains or at stations, as well as the use of the Internet and the Cloud to circulate the data that drives the algorithms. These are issues for which encryption solutions are able to offer tailored responses.

Mission-critical systems, sizing of infrastructure, convergence of IT and OT networks, the rise in artificial intelligence… for these reasons, rail operators urgently need to incorporate the concept of cyber-resilience into their philosophies. And they also need to keep in mind three basic principles: adopt a risk management policy, identify your sensitive assets and segment your network. After all, the question is no longer how to guard against an attack... but what to do when one happens.

Share on

If you want to go deeper on this subject, you can find out how to make the most of digital transformation and improve the security of business applications and the OT with our SNCF Réseaux case study.
An inventory of threats, possible benefits and issues relating to smart transport systems, pooled management of multiple sites, protection of operational flows, etc... Stormshield presents a series of webinars (in French) devoted to the rail industry.

About the author

mm
Stéphane Prevost
Product Marketing Manager, Stormshield

After 10 years building his IT and R&D experience, Stéphane joined Stormshield in 2008 as a Product Manager. With this dual skillset in cybersecurity and product marketing, he helps promote Stormshield products in his role as Product Marketing Manager. His curiosity, creativity and experience help him create accessible, sharp messaging around security products.