From cyber-secure to cyber smart: why a broader understanding of cyber security is vital to our railway’s resilience.
The safety of our railways is paramount. Yet, as digital technologies transform our networks, our concept of safety must evolve to include cyber security at its core. To maintain cyber security, it’s not enough to have well-designed technologies with state-of-the-art defences. Engineers must be trained, educated and equipped across the industry so that the entire railway ecosystem is secure and safe.
At first it was a futuristic innovation, then it became a bonus – a nice-to-have extra – and now digital connectivity is a fundamental aspect of our transport system. Yet, as the technology races ahead, our thinking lags behind. We’re increasingly dependent on innovation, but it’s still treated as something separate to the core functionality of our networks. Even as our railway is transformed by technologies such as digital signalling, it is still thought of as one issue, and its cyber security as another. In fact, they’re indivisible; when it comes to maintaining services, cyber security is just as crucial as the safeguarding of physical infrastructure.
As our transport system becomes ever more interconnected, the bigger the potential impact of a cyber security event and the more vulnerable our entire railway network becomes.
Simply designing cyber-safe railway systems is no longer enough; the right equipment isn’t sufficient to provide security. As digital technology grows more integral, our focus must shift towards processes and the people who maintain it. Having a robust, cyber-secure railway doesn’t help if too few staff understand how such a system is best operated, maintained and updated. That’s why we need to devote more attention to the people who will be running the railway well after the cyber security consultants have left.
Digital vs dispersal
Since 2018, the Network and Information Systems Regulation (NISR) has placed more responsibility on railway operators for the smooth operation of the network. As the sister regulation of GDPR, the NISR gives authorities the power to fine operators who fail to maintain services as a result of a cyber event. Should lax cyber security lead to a disruption on the railway – for example, through a denial of service attack – the train operators on that network will be liable.
For smaller companies, the cost of becoming cyber-secure is prohibitive; the investment needed to bring cyber defences up to date could well be the difference between making a profit or a loss, or even surviving or going under.
The dispersed nature of the UK’s railway network makes achieving improved cyber security more difficult. In an age of increasing connectivity – where trains, operators and infrastructure systems communicate on seamlessly interconnected networks – a single gap in our cyber security defences could breach the entire digital ecosystem.
Ultimately, in a connected world, you’re only as strong as your weakest link. It’s not enough for the top operators and stock owners to have impressive cyber security – we need to help the whole industry to evolve, for everyone’s sake. A lopsided approach to security could invalidate the efforts of the more advanced operators, leaving the entire industry vulnerable – including passengers.
While the vast majority of cyber security scenarios won’t result in an unsafe railway, they could render it temporarily unavailable. Railway designs will always endeavour to ensure that trains fail safe, but if a service is stopped due to a cyber security event, operators may be liable under NISR, as well as being fined and with angry passengers on their hands. These cases also tend to make headlines, which has a knock-on effect of reputational damage – all from just one cyber security event.
Significant consequences like these can be triggered by minor causes: a personal laptop plugged into the main system or a corrupted memory stick innocently inserted into a secure computer. With hundreds of contractors working on railway assets, it’s easy to see how a lack of awareness among a large and dispersed body of staff could lead to a cyber security event. Unless cyber security skills and awareness can be spread across the industry, these types of incidents will always be a threat.
The term ‘cyber security’ tends to conjure up images of espionage, counterintelligence and futuristic scenarios of intelligent computers wreaking havoc, but the reality is often far simpler. For most companies, worrying about malicious international hacking is irrelevant; much more pressing are the innocent mistakes resulting in the railway’s digital ecosystem being shut down by malware.
Focusing on people, rather than just technology, can help mitigate this risk. That’s why Atkins Cyber Academy was founded to increase cyber capability through the upskilling of graduates and apprentices and to cross-skill existing engineers into Cyber Security practitioners. The industry needs engineers who understand the technical aspects of cyber security as well as the strategic impact of risk.
Tech no more
Even the most robust and cyber-secure technologies must be operated and maintained. No matter how secure its design, the ever-changing digital space means that we need to be continuously maintaining cyber security controls. In a world where these systems are interconnected, who exactly is responsible for their maintenance? Who will pay for it?
As an industry, we need to explore these questions together. Digital signalling systems, for example, should always be built cyber-secure first and foremost, but their continuing security depends on the operators and train companies using the digital ecosystem. They are the ones who will monitor, maintain and operate it, and with digital systems spanning across the boundaries of the railway industry, those organisations must communicate effectively about who’s accountable.
We can’t treat technology and people in isolation. You can’t maintain a secure railway without people who understand how this is done. As a discipline, cyber security is still in its infancy and as yet there are simply too few professionals with the understanding of both railway engineering and cyber security.
This dearth of skills has prompted many operators to buy in cyber security consultants, to make up for this knowledge gap within their organisation. This might be effective in the short term, but cyber security isn’t a one-off that can be addressed with a temporary expedient. Instead, we need to work collaboratively to train railway engineers so that they become conversant in cyber security. Their experience of designing safe railways is invaluable, as is their comprehensive understanding of risk management.
Working with cyber security experts can help engineers to develop a better understanding, enabling them to mitigate risks in their designs and processes, and ultimately helping their organisations become more independent in future. All the railway academies, apprenticeships and graduate schemes need to be teaching cyber security not as a separate consideration but as a core engineering skill, so that our railway engineers intrinsically understand it as part of their basic competency.
The shift to cyber
What we need is nothing short of a major shift in the culture of railway engineering. The world has been transformed by digital technologies and we must recognise how fundamentally we now rely upon them. Our concept of safety must expand in order to be fit for the new world that is rapidly emerging. That means we need more than just a handful of clued-up cyber security specialists – we need the vast majority of engineers to have a solid grasp of the core tenets of cyber security, so that competency spreads throughout our industry.
Hiring experts might be a good short-term solution, but it suggests that cyber security is something you can do once and then forget about. In reality, the nature of digital connectivity means that cyber security isn’t a one-off event; it’s a continuous process and it’s not going away; in fact, it will become more and more critical. There’s no going back to the world of the 1990s or even the early 21st century. Rather than clinging onto old concepts of safety – which treat digital security as an afterthought – we must update it so that the primacy of digital connectivity is taken fully into account. Building up cyber security capabilities – even if that just means having the basics – is more valuable than simply paying someone else to make the problem go away for a while.
In English, the word ‘safety’ is often used synonymously to mean ‘security’. Although they’re not identical, their closeness recognises a fundamental truth: you can’t be safe without addressing security, because safety is underpinned by security. Security is the umbrella; safety is being underneath it. Without proper security, there’s a higher likelihood of a safety event. Without cyber security, a railway could be hacked or be susceptible to malware which compromises its software.
When software is changed by outside influences, its safety can no longer be assured because the software is no longer the same as when it was tested and approved. In a railway safety environment, modified software is unacceptable because such modifications change how it works, potentially compromising the safety of the whole network. Such knock-on effects are made more likely by the interconnectivity of systems, increasing the likelihood and severity of the ensuing safety event.
The more sophisticated our technology, the more of a threat this poses. For example, as we continue to adopt Automatic Train Operation – which connects railway systems, operators, and passengers – from a cyber security perspective there is no boundary between train, infrastructure owners and passengers. Without proper cyber security measures, opening the door to one of these components gives access to the whole network. Such measures must be actively upheld if they are to last. That’s why we need cyber security, embedded not only in our designs but also in our people and the processes they employ to operate, maintain and update them. Otherwise, our railway’s availability will always be vulnerable.
Whole and holistic
Becoming cyber-secure is a big challenge. There aren’t enough skilled cyber security professionals; change is happening fast and the dispersed nature of the UK’s rail ecosystem hinders rapid evolution. The biggest companies and operators must help the whole industry to evolve, otherwise we face a ‘tragedy of the commons’ scenario whereby a precious resource shared by all (in this case, our railway’s security) is improperly protected because no one can agree upon whose responsibility it is.
Everyone knows that safety is paramount; but few have realised just how much safe operational performance depends on cyber security. To safeguard our passengers, the industry as a whole must be at a comparative maturity, so that there are no weak points for a virus to exploit – or to make tempting targets for hackers or general malware.
So cyber security must be considered holistically, as an integral element of the railway’s safety. Only then can we rapidly equip engineers throughout the sector with the skills they need to uphold cyber security after the implementation of new technologies. Things move fast and so we must use the time we have wisely: upskilling our engineers and enabling them to design railways that are fully safe, secure – and fit for the future.
Matt Simpson is Technical Director, Cyber Resilience at Atkins. www.atkinsglobal.com