Cyber security in the time of digital railway

Source: RTM Dec/Jan 19

Richard James Thomas, industrial fellow in data integration and cyber security at the University of Birmingham, considers the cyber security challenges that will arise as digital railway systems become the norm across the UK network.

The Digital Railway Programme is transforming railway signalling from a Victorian-era system with lineside signals to advanced, state-of-the-art in-cab systems. Through this digitisation, we are able to run trains at higher speeds and closer together with moving-block signalling, increase capacity on congested lines, and achieve improved cross-border operations. ERTMS is at the heart of this, and has already been deployed on the Cambrian Line in Wales and on Thameslink.

Whilst the digitisation of these systems offers significant benefits, they can also come with a catch: potential increased exposure to cyber-attacks. ERTMS is just one example of an Industrial Control System (ICS), a collective term for control systems used in industrial environments. Bespoke systems are now being replaced with commercial off-the-shelf solutions, with the interconnection of the operational equipment to the traditional IT ‘enterprise’ networks, allowing for additional oversight and improved management. This convergence also comes with its own risks if not carefully considered where, in other sectors, attacks have been seen in the wild – for example, Stuxnet, CrashOverride and BlackEnergy.

This was partly due to lack of understanding, proving assumptions about the mythical airgap false. WannaCry affected parts of the public information systems across the German rail network, but did not affect the operational, safety-critical side.

ICS systems, ERTMS included, present a different security challenge when compared to commodity systems: their lifespan. Commodity equipment refresh cycles are typically in the order of years, whereas ICS components may be in the order of decades. As an example, ERTMS is composed of the ETCS and GSM-R, which was deployed in the UK between 2007 and 2014, and will become the data carrier for ETCS data, whereas today in commodity environments we readily have 3G/4G in use.

Another issue is that the security landscape is constantly changing, with more intricate attacks being developed. Attacks which were previously impossible are now returning into focus. For example, an attack that recovers the GSM encryption key can now be achieved in nine seconds. This allows an adversary to eavesdrop in on the connection between the base station and device, but not yet ‘inject’ their own messages. This highlights that with these longer-lifespan systems, we need to not only consider our attackers of yesterday or today, but we need to look at the horizon of what will be possible, say in five to 10-plus years.

With the EU NIS Directive in force, security is even more of a priority; we need to be able to reliably assure the security of our systems, both new and old. We also need to consider the standards from a security perspective to ensure they have sufficient foresight. At the University of Birmingham, as part of the Research Institute in Trustworthy Inter-Connected Cyber Physical Systems and continuing as part of UKRRIN, we have looked at parts of the standards to assure that they offer the necessary levels of security that we would expect for a safety-critical system. It is clear that the standards haven’t quite kept up to pace with technological advances, but security has at least been considered, with modularity in parts to allow security improvements, where we have made a number of suggestions to ensure security for the future.

The digital revolution on the railways is an exciting time – but something we need to keep in mind, especially for today and the future, is the impact that security has on safety. Both need to be considered and regularly reviewed.


Enjoying RTM? Subscribe here to receive our weekly news updates or click here to receive a copy of the magazine!


There are no comments. Why not be the first?

Add your comment


rail technology magazine tv

more videos >

latest rail news

View all News

rail industry focus

Building the North's new railways

26/02/2019Building the North's new railways

Mike Hulme and Justin Moss, co-chairs of Nort... more >
Rail Technology Magazine fuels the Northern Powerhouse with official partnership

21/11/2018Rail Technology Magazine fuels the Northern Powerhouse with official partnership

Cognitive Publishing, the home of leading rai... more >

editor's comment

23/01/2018Out with the old...

Despite a few disappointing policy announcements, especially for the electrification aficionados amongst us, 2017 was, like Darren Caplan writes on page 20, a year generally marked by positive news for the rail industry. We polished off the iconic Ordsall Chord (p32), hit some solid milestones on Thameslink (p40), progressed on ambitious rolling stock orders (p16), and finally started moving forward on HS2 (p14) ‒ paving the way for a New Year with brand-new infrastructrure to... read more >

last word

Encouraging youngsters to be safe on the railway

Encouraging youngsters to be safe on the railway

This summer, Arriva Group's CrossCountry and the Scout Association joined to launch a new partnership to promote rail safety among young people. Chris Leech MBE, business community manager at the TOC, gives RTM an update on the innovative scheme. Recognising that young people are more likely to take a risk trespassing on railway tracks, C... more > more last word articles >

'the sleepers' daily blog

The West Midlands 30-year strategy

19/03/2019The West Midlands 30-year strategy

Malcolm Holmes, executive director of West Midlands Rail Executive (WMRE), outlines the West Midlands Rail Investment Strategy 2018-2047. The West Midlands Rail Executive was formed three years ago to give local authorities a direct influence over the award of the region’s main rail franchise. Working with the Department for Transpo... more >
read more blog posts from 'the sleeper' >


Women in rail - is the industry on the right track?

12/03/2019Women in rail - is the industry on the right track?

RTM sits down with Samantha Smith, sole female member of the TransPennine Route Upgrade Alliance Leadership Team, to find out more about encourag... more >
TfN Strategic Transport Plan: not just for transport's sake

22/01/2019TfN Strategic Transport Plan: not just for transport's sake

Peter Molyneux, Transport for the North’s (TfN’s) strategic roads director, has been leading on the development of the seven economic... more >
Exclusive: Midlands Connect and WMRE talk collaboration and investment in the Midlands' railway

22/01/2019Exclusive: Midlands Connect and WMRE talk collaboration and investment in the Midlands' railway

In the jigsaw puzzle of regional transport decision-making, there must be collaboration and compromise. Midlands Connect media lead James Bovill ... more >
Rail Ombudsman interview: RTM sits down with CEO Kevin Grix

20/12/2018Rail Ombudsman interview: RTM sits down with CEO Kevin Grix

In November, the first ever Rail Ombudsman was established in a bid to give passengers a free independent service to allow passengers to claim co... more >