It is unusual for an article in the rail engineer not to contain a rail-related engineering story. Yet this subject needs to be heeded by all, since ignoring the message could be catastrophic for any business.
Rockwell Automation and Cisco Systems organised a seminar in London last November to examine the risks of computer fraud and hacking.
No-one is immune from this peril but sensible precautions can and should be taken to minimise the risk.
Background
Stand-alone data systems are a thing of the past. Unfettered access to data is a modern business requirement and interconnected network devices are needed to provide a free flow of information for manufacturing convergence.
All industries are involved – utilities, telecommunications, finance and transport being perhaps the four main ones. Many use control systems that operate key infrastructure but such systems have long lifecycles, typically upwards of 20 years.
Products age in that time and become increasingly vulnerable to cyber threats. The cost of cyber crime is estimated at £27 billion per year with consequential industry losses of around £21 billion – big numbers.
What exactly is cyber crime?
Threats cover a range of sources and reasons: access control, theft, man-made disasters, unauthorised employee action, malicious intent and others.
Some threats have hit the headlines and been given high profile names – Conflicker and Zeus have targeted business systems while Stuxnet and Duqu have attacked industrial control systems.
Large companies have proved to be vulnerable, Lockheed Martin and Sony to name but two. Targeted attacks are a reality.
The ‘hacker’, in the widest sense of the word, starts with a long and detailed lead-up to plan, reconnoitre, target network and web based applications, and finally attacking and exploiting, this latter being done quickly.
Security
It’s easy to say, but what does it really mean? How many people really understand it? “Do you know what you don’t know?” might be a simple adage. Does someone want to steal information and/or technology, both electronic and human?
Security threats are real and breaches are the norm. Organisations must be prepared to accept risk since it cannot be avoided. Many firms employ security experts but their effectiveness can be suspect. They must be able to explain risk and particularly network security risk.
The merits of wireless versus wired networks are often debated. The perception is that wired is safer but rogue access points can exist undetected. Detection is easier with wireless as it will be picked up.
Security vulnerability is not usually bug related but much more to do with design and equipment. For any asset, it must be established what is to be protected; source code is a typical response, this being a particularly difficult item to protect.
Different levels of management give different answers. Open or closed access to the internet causes argument; if blocked, then people will find a way round it, thereby breaking the rules.
If open access is permitted then employees must be trained and trusted. All outbound web visits must however be blocked to protect against Malware from bad infected sites.
Combating the threat
The Centre for Protection of National Infrastructure (CPNI) exists to research the risks, reduce the threat and protect critical national systems.
It seeks to give authoritative advice to 13 industry groups of which railway signalling, air travel, space systems (GSM and GPS) and telecommunications are four.
It produces publications in the form of Recommended Practices and Good Practice Guides plus an analysis of the top 20 critical security controls. A web site www.cpni.gov.uk is there for all to access. That said, what practical measures should an industry or business be taking?
Security is all about managing the variables which, if carried out correctly, can enhance uptime and thus profitability. Industrial security must be designed as a defence in depth and implemented as a system. Security is not a bolt-on item.
Multiple layers of protection are needed to provide security countermeasures in components and systems so as to shield potential targets. Typical requirements are:
- Proven and consistent coding practices,
- Firmware update behaviour,
- No ‘backdoors’ or hidden passwords,
- Prevent disruptive operations at run time,
- Minimise open TCP / UDP ports,
- Web server hardening,
- Ethernet protocol suite testing for optimum TCP/IP practice,
- CIP Protocol compliance testing.
An access control sequence will logically be: check physical security; CPU lock in place; read/write tags in place; defined constants; main controller blocks not user accessible; firmware signing; digital signatures authenticated; IP and know how protection in place; custom routines authorised and authenticated.
Telemetry
Traditional networks for control of utilities and transport undertakings, linked remote sites to control centres using PSTN and leased lines, VSAT and scanning radio.
These had low data rates and were mainly for monitoring purposes. Security was obtained by obscurity with air gapped networks, little encryption, proprietary protocols and limited control.
Things have changed in the past decade, with ADSL, MPLS, satellite broadband and GPRS on 3G being the norm. The cost of bandwidth has plummeted. High speed networks and multiple points of presence (PoP) are available countrywide.
Ethernet and IP are the dominant standards and most instruments and outstations are IP enabled. A greater demand exists for operational information, re-routings and initialisations, physical security with CCTV monitoring and workforce management.
All this needs higher bandwidth and a ‘one size fits all’ solution is not applicable. Sites need to be prioritised with a standard solution for each tier of control.
Duplicated links between control and site – maybe a private line and the internet, maybe a ring architecture – with virtual private network (VPN) ‘tunnels’ added for security. In all of this cyber security is vital, the approach architecture being: defend-extend-prevent-comply.
Severn Trent Water is a typical utility where robust telemetry is vital. Comprising 100,000 kilometres of sewers, 46,000 kilometres of water mains and 6,500 operational sites, all serving 8.7 million people, inadequate control can be disastrous.
Asset failure is inevitable but the impact is dependent on management preparedness and can be shown:
Unaware
Incidents Just Happen
Routine
Minute by Minute Control
Planned Reactive
Planned Response
Elements of Proactive
Beat the Future
Mainly Proactive
Calm Resilience
Proactive
Decisive Actions Based on Fact
Proactive equates to optimal investment, robust risk management and condition monitoring to know failures are likely before they happen.
Sources of information may come from telemetry, SCADA and customers, the latter being an exercise in relationship management. The corporate world and the process control world have merged, which has exposed threats and challenges that need understanding.
Experience has shown that in a network such as Severn Trent, information security can be enhanced by regular anti-virus patching, periodic penetration testing (usually by an ‘in-house hacker’), security testing, system monitoring and firewall provision.
In parallel with this, user awareness and security training needs to be conducted, it being a surprise that so few firms carry this out.
Change management and system / performance testing may need to be improved as might system life cycle management – a little and often rather than major changes being preferred.
Updating to use the latest set of common standards is good advice noting that old programmable logic controllers (PLC) are particularly vulnerable.
Getting the Supply Chain department signed up to a culture that builds security thinking into the procurement process is important. Lastly, if the end customer does not ask for security, the chances are it will not be provided.
What message for rail?
It might seem to some that all of this is irrelevant to the rail industry. Anyone who thinks that is in dreamland. Maybe the business systems of Network Rail and the train operating companies are the easiest targets but it is their operational systems that carry the highest risk.
Functional safety, operational integrity, IP protection, plus product availability and quality should be in the mind of every railway engineer. The sheer cost of bespoke designs is driving the industry to use more and more standard solutions.
Professional help will be needed both to get the right protection in place and to react when an incident occurs. This help may involve legal, public relations, product and security experts.
This seminar should have been a wake-up call to those who attended with an unspoken message to pass on the information down the chain.
Whilst both Rockwell and Cisco were inevitably putting forward their solutions to the problem, the risks were well explained and anyone who ignores them does so at their peril.
