Eddy Thesee, VP of Cybersecurity at Alstom, talks about the various cyber threats today’s railway systems face, and how Alstom is well placed to counter these threats to secure the entire rail network.
What are the major cyber threats impacting railway systems?
Railway systems are software-intensive, highly connected industrial control systems. As such, they face all the usual threats met by Industrial Control Systems. In addition, the railway system has some specificities linked to:
- Geographical footprint (spread over tens to thousands of kilometers, offering a wide physical exposed surface)
- It is a system of systems relying on a complex supply chain
- Project duration and very long product lifecycle
As rail networks digitalise, risk exposure increases, reinforcing the need for a robust strategy to secure information, infrastructure, and rolling stock. This requires adapted levels of cybersecurity by manufacturers and operators, compliance with security standards, and a comprehensive approach for new and legacy systems.
Data privacy and governance are other areas that could be affected by cyber threats. To avoid this, the industry must implement data and privacy protection frameworks that enable a long-term approach to cybersecurity and risk management.
Systems are increasingly integrated to monitor the conditions and movements of trains – vulnerabilities in these systems could be exploited and the impact of an attack could be destructive. Business interruptions and systems could be corrupted, or encrypted beyond use which could lead to additional expenses and reputational damage.
What is the potential impact of an attack on the safety and continuity of railway services?
The transport industry has long focused on safety for generations – the safety of passengers and staff, after all, is crucial to ensuring efficiency, profitability, and reputational integrity. However, the shift to computer-based technologies means there is a need to refocus attention on safety and cybersecurity while ensuring that neither compromises the other.
As of today, we are not aware of attacks impacting the safety of the railway. The availability can be impacted by denial-of-service attacks or partial or complete encryption of some exposed components. We can also face the risk of corrupted data being injected into the system, but this will be limited to information displayed to passengers. The other information is integrated into protocols and systems designed to be resilient to corrupted data or loss of communication.
All systems developed, deployed, and maintained by Alstom are equipped with protection defined to safeguard operations against cyber threats. This includes implementing systems with design features that provide operators with the flexibility to make relatively easy and affordable modifications in line with future security needs.
Railway operators must deal with a combination of new and legacy systems. These assets must be included in a comprehensive cybersecurity strategy to minimise the impact of cyber-attacks on the safety and continuity of operations.
What is the best way of protecting rail operational networks?
Railways are operated in quite a specific and unique context: one that is a safety-critical, highly regulated environment with a complex system made of several layers integrated over a long period of time. There is also a real challenge for physical protection linked to the geographical footprint. In addition, railway systems are made of legacy “in operation” systems and newly introduced ones (both being mixed).
The strategy will rely on the application of key principles: segmentation, and defense in depth. The objective is to isolate the weakest points and reinforce/protect the most exposed ones. In all cases, everything starts with a risk assessment made with good knowledge of the rail operation and architecture and operational cybersecurity knowledge. Based on this risk assessment, it is possible to prioritize, measure progress, and adjust in case of evolution of the context.
A holistic mitigation strategy is required to address all the dimensions at stake in security: people, processes, and technologies. One without the others is a recipe for failure. Furthermore, we need to involve expertise from rail operation and safety, and operational cybersecurity to have a relevant assessment you can use to establish a defense strategy.
As a leader in the railway industry, Alstom addresses the entire rail cybersecurity lifecycle. Alstom can help rail asset owners and operators undertake risk analysis, understand their vulnerabilities, and react appropriately. We ensure this by meeting the highest industry standards for information security, ISO 27001, the international cybersecurity standard for industrial control systems, IEC 62443, as well as the specific railway standard, TS 50701.
From building a new line to launching a new type of train or upgrading or operating their transportation systems, the Alstom cybersecurity team works with trusted partners to set best practices and benchmark standards for the rail industry, throughout the entire value chain.
Alstom is also a shareholder of “Campus Cyber”. The goal of the campus is to bring together industry, governments, and academic and association representatives under a single co-creation environment. Additional regional hubs are scheduled to open in the coming years. In a world driven by digitalization, assurances that data and connected systems are protected are a fundamental requirement for ensuring continuous operations. Therefore, Alstom has placed cybersecurity at the heart of its excellence and safety culture. Lastly, our target is to double the number of cybersecurity experts in Alstom by 2025.
How does Alstom enable railway operators to secure their networks and protect their infrastructure?
Alstom addresses the entire rail cybersecurity lifecycle, helping rail asset owners and operators analyse risks, understand their vulnerabilities, and act appropriately. To answer cyber threats that are constantly evolving, Alstom’s market-leading cybersecurity capability matches proven IT and OT security expertise with deep product knowledge and deployment experience.
From building a new line to launching a new type of train, and upgrading or operating transportation systems, the Alstom cybersecurity team works with trusted partners to set best practices and benchmark standards for the rail industry. Alstom delivers tailored services to combat cyber security, including:
- We prepare for the future by introducing cybersecurity controls within our products and solutions. We make them suitable for long-term cybersecurity thanks to architecture evolutions, new services (vulnerability watch), and a new delivery model. To us, preparing for the future also means being very active in norms and standards definition, contributing to shaping the future, and creating a strong ecosystem to allow the development of railway cybersecurity.
- We address the installed base. A major part of the challenge in protecting the railway comes with the existing systems already in operation. This is legacy infrastructure that was designed and built years ago when cybersecurity was not yet a key area of interest in railway. These systems have homologation, safety cases, and performance requirements attached to them. The other challenge of the installed base is the high mix of systems of different natures, generations, and readiness for cybersecurity. We would need solid expertise in both railway and cybersecurity to be relevant in implementing efficient security controls for these systems.
- Finally, we support the transformation required in the operators, organisation processes, and ways of working. Cybersecurity comes with the implementation of security controls (new processes, new roles, new solutions), but these controls must be operated for a very long period. The railway systems will have to be monitored, regular re-assessment must be done, and updates will be necessary. Alstom will be there in its leading position in mobility to make sure the operator investment is protected over the whole lifecycle.
What message would you like to share with the CIO/CISO of railway authorities and railway operators in the region that would help them enhance the security of their passengers and cargo?
One thing to keep in mind is that railway cybersecurity is a domain that is still under construction. The first standard (TS 50701) is less than two years old, and the first IEC is a work in progress that will be issued in the coming years.
My first recommendation is to be curious and strive to learn what currently exists and what is under construction.
My second recommendation is to take the time to understand the railway system and its specificities. There are many good practices, processes, and tools to protect IT systems; however, not all are necessarily efficient for railways.
Last and certainly not least, don’t hesitate to ask. Dialogue, partnerships, and collaborations are extremely important for enhancing the security of passengers and cargo. We work with trusted partners to set best practices and benchmark standards for our industries, throughout the entire value chain.
Cyber threats are constantly evolving, but Alstom has developed a market-leading cybersecurity capability that matches proven IT and OT security expertise with deep product knowledge and deployment experience. Continuous monitoring of vulnerabilities and understanding that cybersecurity is not a set-once-for-all process is key to ensuring the protection of railway/mobility systems. Over the last five years, we have built solid expertise in the railway industry and the capacity to advise, support and execute any railway cybersecurity activities.