03.03.16
Prioritising the cyber threats to ICS in rail
Source: RTM Feb/Mar 16
Dr John Easton, a lecturer working with the Birmingham Centre for Railway Research and Education at the University of Birmingham, discusses the growing threat to the railways from cyber-attacks.
Hardly a week goes by when there isn’t at least one major cyber security story in the news, and as recent incidents involving companies such as Sony have shown, even the big technology providers are not immune to this growing threat.
When thinking about cyber-attacks many of us naturally focus on the familiar; in the case of ICT systems that means desktop PCs and servers, the types of equipment we see at home or in the office. In large industrial systems like the railways however, front and back-office IT systems are just one of a number of classes of ICT equipment involved in day-to-day operations.
In the railways, as in many large infrastructure-based systems, Industrial Control Systems (ICS) are a key element in the delivery of business objectives (i.e. the provision of signalling and train control). ICS are distinct from more conventional ICT because they possess a combination of both cyber and physical components, such as sensors and actuators.
ICS pose unique challenges from the perspective of security, as they commonly have long service lives, and comprise multiple generations of equipment from a wide range of suppliers. The software used to control ICS is often custom-written, so the use of older, unsupported operating systems is commonplace, and the rate of application of security patches (if available) is frequently much lower than is seen in conventional ICT systems due to the need to ensure availability of the infrastructure.
Increasing exposure of ICS to attacks
Traditionally, ICS have been considered as comparatively safe from cyber-attacks; this was largely because they were based around proprietary hardware, ran on physically separated networks, and often used custom communications protocols.
In recent years however, ICS have begun to use larger numbers of standardised Commercial Off-The-Shelf (COTS) components, most of which use the same IP-based communications used in other ICT systems.
While the use of COTS technology decreases costs and helps to make ICS more interoperable, it can also increase both the exposure of ICS to attack, and make it easier for attackers to transfer successful methods of attack from other ICT systems.
An interesting differentiator between ICS and other ICT systems is that in an ICS there is the potential for real-world impacts to result from cyber-attacks.
In 2014, a cyber-attack on a steel mill in Germany became one of the first confirmed instances of physical damage to the infrastructure, and while this might suggest that the threat to ICS from cyber-attacks is small, by far the most common impacts of attacks to ICS are denial of service leading to reputational and financial damage for the operators.
Rather more worryingly, cyber-attacks do not need to be deliberately targeting a particular system to cause this type of disruption; in December 2011 an attack on the signalling system of a railway in US Pacific Northwest led to a 15-minute delay to services, but was later found to have been the result of a “random incident” and not a targeted attack.
The threat to rail is real
The threat to the railways from cyber-attacks to their ICS is real, and the industry is responding to the challenge with strong leadership being provided by stakeholders such as RSSB and Network Rail.
Despite this, with the roll out of new ICS, including the European Train Control System (ETCS) on the horizon, it’s important that every effort is made to provide industry ICT staff with the tools they need to fully understand and mitigate the risk of cyber-attack to this class of equipment.
The Engineering and Physical Sciences Research Council funded SCEPTICS project, part of the Research Institute for Trustworthy Industrial Control Systems (RITICS), aims to do just that. The team are developing a three-stage process that will enable railway ICT staff to identify and prioritise the ICS that are most important to the delivery of railway operations, describe those systems and their interfaces using a standardised set of documents, and (in conjunction with security experts) assess the risk to those systems from cyber-attacks.
Perhaps most importantly, the team hope that by providing processes for assessing ICS, they will raise awareness of this class of equipment within the industry, and where security is concerned ensuring stakeholder awareness of risks is a major step towards preventing attack.
Tell us what you think – have your say below or email [email protected]