It’s a fact that no organisation is safe from cyber-attack. Threats are evolving minute-by-minute and are becoming increasingly complex. As railways become increasingly dependant on digital technologies, with IP (internet protocol) used for devices from CCTV cameras to mission-critical train control systems, they also need to protect themselves by ensuring they have robust cyber security.
Railway networks are becoming more open and more interconnected. They have to be, in order to deliver the integrated digital railway and to make the most of ‘big data’. Some control engineers are understandably tempted to stick with traditional closed networks to maintain security. But this is not as easy as it sounds and is not without risk. It would also miss out on many of the benefits of a modern IP communications network.
Traditional serial-based communications networks are now nearly impossible to procure, support and change. Even with no connection to other networks, the traditional ‘secure’ closed network has always been vulnerable to attacks from removable media, from the ‘man in the middle’ and from replacement servers and components, which might themselves be infected.
In addition, due to the outdated nature of these networks, if help or assistance is required from specialists, they may be hours or days away rather than being able to give online help. So, when an intervention is required on a remotely located asset, the railway asset manager may not have the competent resource available to send to site and, even if resource is available, sending someone to a remote lineside location may put them at risk.
Many infrastructure managers require a whole-life partnership with the OEM, but this can only be efficiently delivered if the OEM can access the network and assets remotely. This is why an IP-connected infrastructure has many benefits, but it needs to be secure and safe, with robust cybersecurity management in place.
Some may think that a railway network is low down on a hacker’s priority list of networks to attack, but that is not the case. In 2015, project Honeytrain was created. A model was set up of a mythical, virtual rail transport control and operating system as a ‘honeypot’ to hackers, in order to assess the cyber-attack risk to rail.
A virtual rail infrastructure was reproduced with real hardware including computer systems and communication protocols. Software components of automation and control systems, identical to those used on existing railway networks, and CCTV videos of real stations and train operator workstations were simulated, including a mythical customised website with general information, timetables, ticketing and information about train disruption. Logins and passwords were left at their defaults and no security measures were enabled. To hackers around the world, though, it appeared to be a real railway.
The results were alarming. The project was in operation for only 6 weeks, but a total of 2.7 million attacks were identified. The majority (61 per cent) of attempted attacks occurred on the media server and firewall components. It was believed that the majority were carried out as automated dictionary attacks, with a hacker trying to identify an unknown password using a dictionary list. Often, whole dictionaries, as well as known or commonly successful combinations, are used to create such a list. This is why a simple text word on its own should never be used as a password.
It was observed that one hacker tried to control a mythical signal using another dictionary attack. The attack was not successful, but it was identified that the attacker had a deep knowledge of the industrial control systems involved, and that the actions were performed deliberately. Another attack was on the mythical railway media server. Valid login credentials were determined and the aim of the attack was to change the content of the railway website.
The analysis of the results concluded that relatively small measures (for example robust passwords and firewalls) would have been sufficient to prevent unauthorised access to railway systems, or to avoid their visibility within the internet.
However, there are many examples of how even the most basic of security recommendations are not being followed – such as revealing login details. In the UK, a 2015 TV documentary revealed how one railway operations centre employee had written down username and password details on a monitor. In other industries and businesses, more sophisticated attacks on critical infrastructures are being detected around the world, so railway infrastructure managers need to remain one step ahead and deploy the best security available.
In some enterprise networks, it is reported that:
- every 4 seconds – an unknown malware is downloaded,
- every 53 seconds – a bot communicates with its command and control centre,
- every 81 seconds – a known malware is downloaded,
- every 4 minutes – a high-risk application is used,
- and every 32 minutes – sensitive data is sent outside the organisation.
In February 2016, the Department for Transport stated in its rail cyber security guidance to industry: “Railway systems are becoming vulnerable to cyber attack due to the move away from bespoke stand-alone systems to open-platform, standardised equipment built using commercial, off the shelf (COTS) components, and the increasing use of networked control and automation systems that can be accessed remotely via public and private (communications) networks.”
Security agencies around the world recognise the risks. In the US, cyber-security is seen as a serious economic and national threat, with the US Computer Emergency Readiness Team (US-CERT) creating a framework to support the protection of critical infrastructure. In Europe, the EU has proposed a cyber-security strategy outlining its vision, clarifying roles and responsibilities, and defining actions required to protect citizens. In Asia, some governments have established national cyber-security policies.
Consequently, railway security must be stepped up with a multi-layered and active security approach to provide the right balance of costs with the in-depth protection needed to defend against today’s security threats.
Breaching an organisation’s cyber defences doesn’t always take a sophisticated attack by a foreign government or crime syndicate. Security breaches may be caused by human error, from lack of compliance with good practise or by configuration errors. Unfortunately, even the most competent and prepared staff can be overwhelmed by the sheer volume of threats that that need to be addressed. Cybersecurity management is made even more difficult as there is a cybersecurity skillset shortage, which makes a human-centric and manually intensive incident response difficult. The key, though, is automation, which can enhance both the investigation and mitigation of threats.
Capabilities that can efficiently protect networks include security automation, incident response plans, standards and policies, end-to-end security, security in depth (and not just at the edges), analytics to correlate security-related information, devices and cloud layers to spot suspicious activity and threats. Machine learning enables the identification of potential compromises by using threat intelligence information across the network and an active defence-in-depth approach.
Rail infrastructure managers need to deploy equally sophisticated protection measures as those used by hackers. These need to include:
- Detecting, mitigating and using AI to predict new threats;
- Reducing the vulnerable areas;
- Improving analytics to correlate data from multiple domains and to help identify suspicious, malicious, or inadvertent anomalies;
- Combining threat intelligence data and security analytics in order to prescribe appropriate response more effectively and provide strategic mitigation to threats.
Global communications group Nokia has extensive expertise and experience in the development of cybersecurity best practices for the railway. Over the years, it has worked with many networks to ascertain the risks and the underlying operational processes required. This enables the scope and appropriate level of protection to be defined.
The latest security principle is based upon SOAR – Security Orchestration Analytics and Response. It is a methodology that continuously assesses and learns with predictive capability.
Nokia advocates ‘defence in depth’ as a balanced, economically feasible approach to security. It aims to build cyber defences aligned with a company’s network operational objectives and its network capabilities. The focus is always on processes and technologies that achieve a layered security model that spans across networks, applications, data, identity and access management, the principle being a layered series of defences that close off any attempts to exploit security gaps.
Adopting an in-depth security approach can bring many advantages:
Automation meets the avalanche of threats: Automating incident response ensures defences are not overwhelmed by thousands of daily alerts. Security automation that encompasses business processes, regulations and security policies keeps pace with the rapid rise in attacks.
End-to-end security protects all network technologies: End-to-end security encompasses the entire network and its security processes, such as access management and audit compliance; network security; and security management for IoT (Internet of Things) devices.
Network segmentation and firewall confine threats: Network segmentation with IP/MPLS (multiprotocol label switching) virtual private networks, based on rail applications or other policies, provides traffic isolation and hampers lateral movement of hackers as they scout the network.
Analytics for continuous improvement: Security analytics correlates data from across the network, devices and cloud layers to spot and provide insight into suspicious anomalies. With machine learning, the effectiveness of security increases continuously.
Encryption protects data: With multi-layer encryption, even should a perpetrator tap into the communication channels, confidentiality, integrity and authenticity are still protected.
Nokia’s security expertise is rooted in its strong presence in the public safety segment and as a trusted partner for public network operators around the world. With more than 30 years of experience in the rail industry, the company is confident that it can offer an advanced and comprehensive approach. Its mission-critical network products, for IP/MPLS and LTE (long-term evolution), feature strong, built-in security mechanisms. Combined with the end-to-end security architecture of its NetGuard portfolio of products, infrastructure managers can be provided with industry-best protection, with the right balance of costs and the in-depth protection needed to defend railways against today’s security threats.
Fundamentally, there are two areas to address. Data transmitted across transmission infrastructure, be it fibre, microwave or copper, and data transmitted across wireless access infrastructure – GSM, LTE or WiFi. Ultimately, the payload is IP-based, regardless of the layers below.
Looking at the first area, fixed infrastructure, all layers of transmission need to be addressed. These are, typically, optical and microwave. These are considered to be the ‘Layer 0’ transmission. It does not understand the data but simply pushes it from one point to another.
Layer 1 is typically an electrical switching layer. At this layer, there is more flexibility to package the data (by using OTN – optical transport networks – for example) but it is still blind to its contents.
Layer 2 is now into Ethernet, where data contents are understood – this is typically called the switching layer. Layer 3 is the IP layer, where data is seen and understood – this is the routing layer.
Nokia provides secure key encryption at all communication layers, with all keys (used to encrypt and decrypt data) managed by the Nokia Encryption Platform.
By including the wireless access part of the end-to-end railway connectivity story, then LTE connectivity adds further security to an already very secure transmission.
One of the world’s largest providers of GSM-R, Nokia is in the forefront of development on the next generation of wireless network technologies for rail, in the shape of LTE and future 5G technologies. LTE security is based on two layers of protection instead of one-layer perimeter security as in earlier generations of GSM. The first layer deals with security in the radio access network, while the second layer provides security in the Evolved Packet Core (EPC) network.
Ultimately, LTE access, coupled with the secure transmission, means that data integrity is maintained at all times.
In practice, the implementation of this two-layer security architecture is subject to vendors’ interpretation and, therefore, may expose a mission-critical network to threats if not engineered properly. The encryption of all traffic between base station and core network is essential.
In railway networks, emergency voice services depend on group communications in which users can simultaneously communicate with groups of other users. These require specific arrangements to secure group call communication and direct mode of operation, as well as ensuring the security of both device and back end control servers.
Effective cybersecurity is essential for the safe adoption of new IP-based applications for train control, traffic management, maintenance, monitoring, video protection and passenger information systems. Security incidents can cost railway operators in many ways – not just the loss of train paths from disrupted services, but the recovery and restoration costs, potential lawsuits, damage to brand reputation, compensation to users and non-compliance penalties.
Railways face increasingly stringent legal, regulatory and compliance requirements, making them directly accountable for ensuring effective information security and data privacy. End-to-end security enables rail managers to focus on their mission-critical responsibilities without being distracted by the daily operation of a telecom business or by having to work with multiple security vendors.
Nokia combines its world-class expertise in both GSM-R, LTE Optical and IP to achieve mission-critical security that addresses the vulnerabilities specific to these technologies. Mission-critical network solutions (IP/MPLS, optical, LTE) not only deliver network reliability, performance and scalability, but can also defend against security threats and attacks if engineered correctly.
Read more: ORR approves Network Rail’s £35bn CP6 plans