15.05.17
Get ready for cyber safety
Source: RTM Apr/May 17
It’s time the rail industry turns its attention to the importance of cyber security as we move towards increasingly digital systems, Johnny Schute, deputy chief inspector of railways and deputy director of policy, strategy and planning in the Rail Safety Division of the ORR, tells RTM’s Luana Salles.
The rail industry’s most infamous curse – its largely analogue systems, which can often inhibit widespread innovation – may also be its biggest blessing in disguise, at least when it comes to cyber security.
Globally, cybercrime has been touted as one of the biggest threats to any nation given the fast-moving digital world we live in. This is clearly highlighted in the government’s recently published cyber security strategy, which calls for a comprehensive response to this growing problem, “from the most basic cyber hygiene to the most sophisticated deterrence”.
But here’s the catch: because, as is widely reported, the rail sector has lagged behind many other industries when it comes to digitisation, a lot of the areas where there might be cyber vulnerabilities in more complex and sophisticated systems don’t actually pertain to rail just yet – granting it a head start when it comes to preventative planning.
Of course, these vulnerabilities are coming, and they’re coming with Digital Railway and increasingly more complex digital information systems, as Johnny Schute, deputy chief inspector of railways, was keen to emphasise.
Asked if the industry’s slower digital adoption provides a unique opportunity to ensure it is at the forefront of the fight against cyber-attacks, he said: “I think that’s an important point. We need to get the conversation – the communication, the collaboration, the collegiate approach – going now, because of course, by getting these in place now, it means we’ll be much better configured in industry as a whole to deal with it as Digital Railway gathers pace.”
My original interview with Schute was meant to discuss digital railway and rail operating centres, but he asked if we could talk about cyber security instead, because it’s “quite a new area of the rail world” – and one which the regulator intends to both promote and keep a close eye on.
“This is a live topic that is being debated, albeit at the early stages. The ORR has a keen interest in it. It’s very much about the rail industry dealing with it themselves but, as the regulator, we keep a close eye on it,” he explained.
“One of the areas that we are nudging and encouraging people towards is safety by design. Making sure that safety measures and security measures are put in place at the design stage will mean there isn’t a requirement for expensive retro-engineering to deal with the vulnerabilities that otherwise might emerge.
“We’re very enthusiastic about making sure people design in the relevant features rather than having to deal with them once the items have been manufactured.”
The regulator’s role
The ORR’s role is expected to adapt as cybercrime becomes a more prevalent issue for the industry. The first order of business will be ensuring all organisations are clear about who is responsible for what piece of legislation, which is being worked out alongside the DfT.
Apart from that, Schute said the regulator is breaking down the wider picture into four areas: understanding the nature of the problem and how an organisation’s culture might help mitigate it; managing the issue and ensuring people have suitable governance structures, policies and procedures in place, including a whole-life approach to systems security; focusing on networking internally and with other regulators; and investigating shortcomings.
“But all is still to be determined – we’re actually de-conflicting and seeing who’s the most appropriate body to intervene in these areas,” he emphasised.
Identifying risk
Just as the ORR’s role in this is still emerging, so is the problem as a whole, including the risks it may pose to the sector.
“We’re still at an early stage,” argued Schute. “But where vulnerability exists is that instead of having the rather analogue systems we have at the moment, you’d obviously have a situation whereby a train is talking to trackside material or transponders and that could be intercepted – it’s not a certainty by any stretch of the imagination, but you could interfere with those areas.
“That’s where one of the vulnerabilities lies. But of course, vulnerabilities go wider – everything from the information systems that exist within stations and actually, just the information management systems that every large organisation has, are vulnerable to cyber-attack.
“Cyber security is not only a big national issue – as you’ll have seen, the National Cyber Security Centre was opened by the Queen recently – but also a very, very hot topic. Therefore, we are going to be talking about it, and we’re going to be talking about it as it affects the rail industry for the next several years.”