29.01.19
Cyber security in the time of digital railway
Source: RTM Dec/Jan 19
Richard James Thomas, industrial fellow in data integration and cyber security at the University of Birmingham, considers the cyber security challenges that will arise as digital railway systems become the norm across the UK network.
The Digital Railway Programme is transforming railway signalling from a Victorian-era system with lineside signals to advanced, state-of-the-art in-cab systems. Through this digitisation, we are able to run trains at higher speeds and closer together with moving-block signalling, increase capacity on congested lines, and achieve improved cross-border operations. ERTMS is at the heart of this, and has already been deployed on the Cambrian Line in Wales and on Thameslink.
Whilst the digitisation of these systems offers significant benefits, it can also come with a catch: potentially increased exposure to cyber-attacks. ERTMS is just one example of an Industrial Control System (ICS), a collective term for control systems used in industrial environments. Bespoke systems are now being replaced with commercial off-the-shelf solutions, and operational equipment is being interconnected with the traditional IT ‘enterprise’ networks, allowing for additional oversight and improved management. This convergence comes with its own risks if not carefully considered: in other sectors, attacks have been seen in the wild – for example, Stuxnet, CrashOverride and BlackEnergy.
This was partly due to a lack of understanding, proving assumptions about the mythical air gap false. WannaCry affected parts of the public information systems across the German rail network, but did not affect the operational, safety-critical side.
ICS systems, ERTMS included, present a different security challenge when compared to commodity systems: their lifespan. Commodity equipment refresh cycles are typically in the order of years, whereas ICS components may be in the order of decades. As an example, ERTMS is composed of ETCS and GSM-R; GSM-R was deployed in the UK between 2007 and 2014 and will become the data carrier for ETCS data, whereas today in commodity environments we readily have 3G/4G in use.
Another issue is that the security landscape is constantly changing, with more intricate attacks being developed. Attacks which were previously impossible are now coming back into focus. For example, an attack that recovers the GSM encryption key can now be achieved in nine seconds. This allows an adversary to eavesdrop on the connection between the base station and device, but not yet ‘inject’ their own messages. This highlights that with these longer-lifespan systems, we need to consider not only our attackers of yesterday or today, but also the horizon of what will be possible, say in five to 10-plus years.
With the EU NIS Directive in force, security is even more of a priority; we need to be able to reliably assure the security of our systems, both new and old. We also need to consider the standards from a security perspective to ensure they have sufficient foresight. At the University of Birmingham, as part of the Research Institute in Trustworthy Inter-Connected Cyber Physical Systems and continuing as part of UKRRIN, we have looked at parts of the standards to assure that they offer the necessary levels of security that we would expect for a safety-critical system. It is clear that the standards haven’t quite kept pace with technological advances, but security has at least been considered, with modularity in parts to allow security improvements, and we have made a number of suggestions to ensure security for the future.
The digital revolution on the railways is an exciting time – but something we need to keep in mind, especially for today and the future, is the impact that security has on safety. Both need to be considered and regularly reviewed.