Cyber security in the time of digital railway

Source: RTM Dec/Jan 19

Richard James Thomas, industrial fellow in data integration and cyber security at the University of Birmingham, considers the cyber security challenges that will arise as digital railway systems become the norm across the UK network.

The Digital Railway Programme is transforming railway signalling from a Victorian-era system with lineside signals to advanced, state-of-the-art in-cab systems. Through this digitisation, we are able to run trains at higher speeds and closer together with moving-block signalling, increase capacity on congested lines, and achieve improved cross-border operations. ERTMS is at the heart of this, and has already been deployed on the Cambrian Line in Wales and on Thameslink.

Whilst the digitisation of these systems offers significant benefits, it can also come with a catch: potentially increased exposure to cyber-attacks. ERTMS is just one example of an Industrial Control System (ICS), a collective term for control systems used in industrial environments. Bespoke systems are now being replaced with commercial off-the-shelf solutions, and operational equipment is being interconnected with the traditional IT ‘enterprise’ networks, allowing for additional oversight and improved management. This convergence comes with its own risks if not carefully considered: in other sectors, attacks have been seen in the wild – for example, Stuxnet, CrashOverride and BlackEnergy.

This was partly due to a lack of understanding, and proved assumptions about the mythical airgap false. WannaCry affected parts of the public information systems across the German rail network, but did not affect the operational, safety-critical side.

Industrial control systems, ERTMS included, present a different security challenge when compared to commodity systems: their lifespan. Commodity equipment refresh cycles are typically in the order of years, whereas those of ICS components may be in the order of decades. As an example, ERTMS is composed of ETCS and GSM-R. GSM-R was deployed in the UK between 2007 and 2014 and will become the data carrier for ETCS data, whereas today in commodity environments we readily have 3G/4G in use.

Another issue is that the security landscape is constantly changing, with more intricate attacks being developed. Attacks which were previously impossible are now coming back into focus. For example, an attack that recovers the GSM encryption key can now be achieved in nine seconds. This allows an adversary to eavesdrop on the connection between the base station and device, but not yet ‘inject’ their own messages. This highlights that with these longer-lifespan systems, we need to consider not only the attackers of yesterday or today, but also look to the horizon of what will be possible in, say, five to 10-plus years.

With the EU NIS Directive in force, security is even more of a priority; we need to be able to reliably assure the security of our systems, both new and old. We also need to consider the standards from a security perspective to ensure they have sufficient foresight. At the University of Birmingham, as part of the Research Institute in Trustworthy Inter-Connected Cyber Physical Systems and continuing as part of UKRRIN, we have looked at parts of the standards to assure that they offer the necessary levels of security that we would expect for a safety-critical system. It is clear that the standards haven’t quite kept pace with technological advances, but security has at least been considered, with modularity in parts to allow security improvements, and we have made a number of suggestions to ensure security for the future.

The digital revolution on the railways is an exciting time – but something we need to keep in mind, especially for today and the future, is the impact that security has on safety. Both need to be considered and regularly reviewed.

