Jesus will debate how to secure critical rail infrastructure from cyber attack in a forthcoming IRS Rail Webinar on 28 July
Cyber attacks have disabled ticketing systems for several passenger rail operators and forged track switching signals as well. Much more sophisticated cyber threats are currently targeting other industries – seeing these threats in rail is only a matter of time. This is unacceptable – safe operations are possible only if we are secure from cyber threats. The same is true for reliable and efficient operations. In this article we explore modern cyber attack techniques targeting industrial operations and project how those techniques will evolve in the medium term, given the trends we see in other industries.
Let’s start with targets: vital networks for rail systems are target rich and getting richer. Rail system digitalization steadily introduces more computers into our systems, all running software, and all software is a target. All software has defects after all – nobody produces flawless software, and some defects are security vulnerabilities, discovered and undiscovered. Worse, increased digitalization demands increased connectivity for all those software assets, and every connection that allows any message or information to flow allows attacks to flow as well.
Now to threats: the most pervasive threat is common malware. Malware that infects consumer cell phones and laptops seeking to steal consumer credit card numbers or account passwords is a pervasive threat, with limited consequences. Such malware may trigger shutdowns if it compromises vital computers through an email or a USB drive, but the malware is not designed to damage operations. Common ransomware is a bigger threat. Ransomware is designed to render computers inoperable by encrypting important information and extorting money to restore the data. Such malware does impair operations, and restoring operations in the face of such compromise can be much more involved than saying “just restore from backups.”
The most sophisticated ransomware threat, however, is targeted ransomware. This is where an adversary does their homework, crafts very convincing false emails, and steals remote access credentials. These adversaries might steal credentials from rail system operators, or more recently in other industries, steal these credentials from smaller and less-thoroughly-defended service providers – providers who are trusted to access operations networks remotely, and who might even have continuous VPN connections into such networks from the providers’ premises. Once inside their targets, these attackers use so-called “pass the hash” and other techniques to steal even more valuable credentials. These attackers frequently create new accounts for themselves, so that even if the passwords they stole originally are reset, the new accounts are unaffected.
With powerful credentials in hand, these targeted attacks spread through a network until they reach what they deem to be a target important enough for their victims to pay a large ransom to restore. This is when they plant their ransomware on dozens of hosts at once and trigger it, crippling operations and demanding up to several million dollars at a time to decrypt their targets.
There are two important lessons here. First: many operators new to cyber security have the impression that security updates, encryption and firewalls will save them from this class of threat. This impression is mistaken. These security measures provide a degree of protection from common malware, but not from targeted attacks. If we re-read the attack description above, we observe that:
• Victims pulled forged emails and/or attachments through their corporate firewalls over encrypted connections. Firewalls do not block authorized traffic, nor does encryption.
• Attackers’ connections to their compromised computers are generally encrypted – over the HTTPS protocol, or over a supplier’s VPN. Cryptosystems encrypt attacks as readily as they encrypt legitimate communications.
• The attackers used stolen credentials to move around their target network – they did not exploit defects or vulnerabilities in software systems.
In short, modern attacks exploit permissions, not vulnerabilities.
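The attack description above leaves a trail in authentication logs made up entirely of valid-credential activity: an account created outside normal provisioning, then used to log on to many hosts in a short time. The following is an added example, not code from the article or from Waterfall; the event fields, account names, host names and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, kind, actor, host, detail).
# detail = connection source for "logon", new account name for "account_created".
EVENTS = [
    ("2020-07-01T02:10:00", "logon", "vendor_svc", "jump01", "vendor-vpn"),
    ("2020-07-01T02:14:00", "account_created", "vendor_svc", "dc01", "ops_backup2"),
    ("2020-07-01T02:20:00", "logon", "ops_backup2", "hmi01", "internal"),
    ("2020-07-01T02:21:00", "logon", "ops_backup2", "hmi02", "internal"),
    ("2020-07-01T02:23:00", "logon", "ops_backup2", "hist01", "internal"),
    ("2020-07-01T02:25:00", "logon", "ops_backup2", "eng01", "internal"),
    ("2020-07-01T08:00:00", "logon", "dispatcher1", "hmi01", "internal"),
    ("2020-07-01T09:00:00", "account_created", "idm_provisioner", "dc01", "new_hire"),
]

PROVISIONERS = {"idm_provisioner"}  # identities allowed to create accounts (assumption)
FANOUT_HOSTS = 3                    # distinct hosts that count as "spreading" (assumption)
WINDOW = timedelta(minutes=30)      # time window for the fan-out check (assumption)


def parse(raw):
    """Convert timestamps and return the events in time order."""
    return sorted((datetime.fromisoformat(ts), kind, actor, host, detail)
                  for ts, kind, actor, host, detail in raw)


def unexpected_account_creations(events):
    """Accounts created by anything other than an approved provisioning identity."""
    via_vendor = {actor for _, kind, actor, _, detail in events
                  if kind == "logon" and detail == "vendor-vpn"}
    return [{"new_account": detail, "creator": actor,
             "creator_seen_on_vendor_vpn": actor in via_vendor, "time": ts}
            for ts, kind, actor, _, detail in events
            if kind == "account_created" and actor not in PROVISIONERS]


def logon_fanout(events):
    """Accounts that log on to FANOUT_HOSTS or more distinct hosts within WINDOW."""
    logons = defaultdict(list)
    for ts, kind, actor, host, _ in events:
        if kind == "logon":
            logons[actor].append((ts, host))
    findings = {}
    for actor, seen in logons.items():
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                findings[actor] = sorted(hosts)
                break
    return findings


def triage(raw):
    """Highest-priority findings: an unapproved new account that then fans out."""
    events = parse(raw)
    fanout = logon_fanout(events)
    return [{**c, "hosts": fanout[c["new_account"]]}
            for c in unexpected_account_creations(events)
            if c["new_account"] in fanout]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Nothing here matches an exploit signature: every flagged event is an authorized action performed with working credentials, which is why the check keys on who created the account and how widely it is used.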
It gets worse. The second lesson: many security practitioners look backwards at attack patterns, reasoning that, because there are few targeted ransomware attacks that have impaired rail operations historically, protecting against such attacks should be a low priority. The problem with this logic is that it ignores clear trends: high-volume cyber attacks have become steadily more sophisticated over time.
These “exploit the permissions” targeted attack techniques were, only a half decade ago, thought to be used exclusively by nation-state adversaries. Today they are used routinely by organized crime, with a steadily increasing volume and variety of victims. Targeted ransomware is too profitable for organized criminals to give up any time soon. This means that today’s “ultra-sophisticated” nation-state capabilities, able to defeat intrusion detection, two-factor authentication and other software security systems, will almost certainly show up as widespread, targeted threats in another half decade.
Rail system operators cannot afford to throw out and redesign vital networks for control centers, power management, switching systems and rolling stock every half decade. We need practical, cost-effective security systems today – systems that will survive even very sophisticated attacks, for the foreseeable future.
Robust, practical and cost-effective designs are already in use, and these designs prevent cyber attacks much more reliably than do intrusion detection, encryption, firewalls and security updates. To explore how these designs achieve such goals, please sign up for one of our upcoming webinars, or download the latest Waterfall eBook at https://waterfall-security.com/rails-occ/
When Ursula von der Leyen addressed the European Parliament in July 2019 asking for a vote of confidence in her appointment as President of the incoming European Commission, her focus on sustainability did not come as a surprise.
Global warming is ‘the’ hot topic in all international forums and its importance is rising. What makes it a singular issue is the way it has stepped out of institutional rooms to massively enter the public debate of citizens around the globe. It is a fact that no other public policy issue is being discussed as much as the tools that national and continental governments should put in place to stop temperatures rising.
What was unique in von der Leyen’s speech was its level of ambition: ‘I want Europe to be the first climate-neutral continent’, she said.
It is true that the recently published proposal for a Climate Law received bad comments from many environmental activists since it provides for climate neutrality to be reached by 2050 only, proposing no stringent mid-way targets. Nevertheless, it is a fact that the Union has made climate change its top priority like no other political body anywhere else. On CER’s side, as a prominent participant in all debates that shape European climate policies, we will do our best to support and realise the ambitions of the Union executive branch.
Active in Brussels since 1988, CER is proud to defend the rail sector on the grounds of its sustainability credentials, which are today making railways a fundamental part of the solution.
In the context of the European Green Deal (EGD), the Commission Directorate-General for Mobility will soon put forward a Strategy on Smart and Sustainable Mobility: we look forward to seeing reflected there a firm stand in favour of redressing all those regulatory imbalances that currently make railways less attractive vis à vis other transport modes.
Other policy initiatives are announced, which we hope will be strong enough to make European mobility move in the right direction: we will see a revised TEN-T Regulation and combined transport Directive, initiatives aimed at increasing rail infrastructure capacity, a revision of the Energy Taxation Directive.
As for gathering more resources for sustainable investments, we also hope that the EGD Investment Plan will bring positive effects. On the one side, we need a quick agreement between the Member States on the 2021-2027 Multiannual Financial Framework to secure necessary resources for key budgetary lines like the Connecting Europe Facility or pivotal R&I initiatives like Shift2Rail. On the other side, we hope that additional resources can be re-oriented through appropriate financing: the European Investment Bank will play a key role (and it will soon revise its transport lending policy!) and the Sustainable Finance Action Plan must find ways to have more binding consequences on institutional investors (a new version of it will be made public next autumn).
Much is still to be seen of course, but in the meantime the CER Management Committee met with Commission First Vice-President Frans Timmermans in February to underscore railways’ commitment to upgrade their technology and the quality of their services. The Commission’s political will is clear and confirmed; if we manage to get the European Parliament and national governments onboard as well, I see a bright green future ahead for Europe!
Salif spoke about the benefits of the Digital Bag at the 8th International Railway Summit in New Delhi
Train drivers, conductors and maintenance technicians are at the heart of railway operations and ensure that passengers (and goods) are transported to their destination in the best conditions of safety and comfort.
They are mobile staff, but still obliged to go to their office to collect the information and papers they need to perform their missions. While it might be good to go to the office to meet colleagues and get fresh news about the company, it can also be perceived as a waste of time that prevents them from focusing on core missions. Also, even after having passed by the office, mobile staff might still miss recently updated guidelines that they need to fully complete their operations while executing their mission. This is also a risk for seamless operations and passenger experience.
Now, let’s imagine a modern, light and user-friendly tool that mobile staff would always have with them and with which, anytime and anywhere they could:
• Consult technical and company manuals to acknowledge all required procedures
• Receive briefing wherever they are, to prepare their journeys
• Write and send back reports to inform about all events that occur
This vision is a reality with software solutions that enable the digitization of operational processes and, therefore, the removal of paper-based procedures. Immediate outcomes are accelerated data flows and enhanced operational efficiency.
In the aviation industry, over the past 10 years, pilots, cabin crew and mechanics have increasingly been equipped with mobile tablets and software that support them in the execution of their missions, from preparation to closure.
This major evolution in the way flights are operated generates major business benefits:
• Facilitate transmission of a safety culture since guidelines are more accessible
• Enhance the efficiency of operations: by receiving flight information in advance (or during a flight) on their tablets, crew can anticipate issues and make ad hoc decisions
• Make work conditions better for staff: no need to carry heavy bags
• Improve passenger experience: being always connected, staff can better inform customers
Challenges faced by rail operators are similar to those faced by aviation, so why would rail staff not be equipped with similar mobile solutions so they could benefit from digitized operational processes?
This is exactly what dgBirds offers, via the Digital Bag software solution that is composed of:
• A user-friendly mobile application that can be downloaded and used by mobile staff from iPads. “Documentation”, “Briefing” and “Reports” are the services available from this mobile application
• An administration platform, accessible via any Web browser and from which back office staff can organize, distribute and monitor all documentation to their remote colleagues
Documentation service: from an iPad, easy access to all documentation and manuals, anywhere, any time
As illustrated below, via innovative services, the Digital Bag can help rail staff better perform their missions, throughout their complete journey:
Digital Bag: supports rail staff over their journey
Watch this video to see how the Digital Bag concretely supports rail mobile staff: dgBirds Digital Bag for rail staff
About dgBirds:
dgBirds is a software company based in Paris and is a subsidiary of Air France.
Based on the experience of Air France pilots and cabin crew, dgBirds has developed and proposes a software solution that enables organizations to organise and distribute all the information that mobile staff require during their missions and that they can access from a mobile application.
This value proposition is addressed not only to the air transportation sector but to all transportation organizations that, by definition, have mobile staff who are, on a daily basis, in close relationship with passengers / customers and, as such, are key stakeholders to guarantee the quality of their experience.
contact@dgbirds.com
www.dgbirds.com
Jean-Francois spoke about where the rail sector sees itself in a few decades time, and what the endgame of digitalisation could and should be, at the 7th International Railway Summit in Frankfurt
“Digital Railways” doesn’t have quite the romantic ring of the great train services of the past – the Orient Express, the Canadian Pacific or the Trans-Siberian – but Digital is the next big wave in the railway sector, and train users and operators can look forward to higher service standards, ultimately improving the efficiency and reliability of railway systems.
A new golden age of rail travel
Railway networks in many countries have become extremely dense, especially on commuter lines in major cities, making it difficult and costly to implement major upgrading projects. Instead, the kind of improvements in efficiency that digital technology excels at can have massive operational impacts.
In fact, digital technologies hold out the promise of true transport integration, linking main-line rail services with other urban transportation modes, enhancing efficiency and passenger convenience. The introduction of Information and Communications Technologies (ICT), Intelligent Transport Systems and open-data/ open-source transport applications are transforming urban transportation, optimising the efficiency of existing and new urban transport systems, at a cost much lower than building new infrastructure from the ground up.
New transport data collection technologies are also being deployed to provide information about delays, downtime and predictive maintenance which could lead to huge improvements in service standards, safety, and unlocking the potential of railways. Passengers will also be able to make real-time decisions about their journeys based on the features that matter most to them such as reliability, safety, travel time and cost. What’s more, railways today offer a connected service all along the passenger journey with on-board wifi for internet and entertainment options.
Other positive aspects of railway digitalization highlighted in a European Railway Review interview include the opportunities digital technology offers for cleaner air as well as the tangible benefits to travelers of increased flexibility and convenience. Enhanced safety, predictive maintenance and automated driverless operation are all part of rail’s future.
Mastria: Alstom’s multimodal traffic orchestrator. ©Alstom
How do we get there?
The path to digitalisation will not, of course, be entirely smooth. The “Connected trains” survey by management and technology consultancy BearingPoint found that a digitalised and integrated rail system with connected trains is the future, but it will require collaboration and coordination to get there.
Digital technology in the railway sector will see a shift from the traditional emphasis on heavy engineering, to software and data handling skills. There will always be a place for traditional rail engineers, but demand will grow for data management talent, as digital signalling technology unlocks capacity on complex mainline networks.
With new ways of working and new technologies, industry collaboration and effective business change will be more important than ever. Rail operators should take this digitalisation opportunity to integrate different mobility options into their existing offering and consequently focus on value creation through innovation. Without a doubt, it is the quiet efficiency of digital technology that will take rail systems and their passengers into a new age of rail travel that is safer, more convenient and comfortable, more economical, and more climate-friendly.
Jean-Pierre spoke about how rail systems could meet the mobility challenges of the future, about the economic implications of high speed rail, and about whether HSR was delivering on its promise of improving society, at the 4th, 5th, and 6th International Railway Summits respectively.
Jean-Pierre will speak at the 7th International Railway Summit about how digital technologies can enable smooth cross-border travel and trade.
The first thing to note is that rail appears as a key factor in the 21st century world.
Rail is essential but in complementarity, not competition, with other modes, as the backbone of a new mobility chain.
Rail from its origin has survived various revolutions:
Today, we are facing the so-called 4th revolution: a digital revolution.
This revolution is generating very strong impacts on all decision-making processes, all production and maintenance processes and obviously on the whole information chain itself.
Rail must obviously profit from this technical revolution in order to rapidly and efficiently improve productivity, security and services thanks to connectivity.
One key word is “speed”, since we currently face very strong demands from the markets.
These markets can be intra-urban markets, inter-urban, inter-regional or even inter-continental markets if we consider the emergence of large inter-continental corridors.
Nowadays decision-making cycles are faster and faster. This can be seen as being in contradiction with the operating modes of rail, since investments are really important considering the size of their deployment, and the long cycles of ROI.
These rapid developments obviously demand new approaches and new competencies directly linked to the information domain.
But these have to remain fully compliant with rail technologies and the complexity of its system.
We must admit that, today, the rail sector, whatever the economic context might be, is running out of the resources that would allow the development and the implementation of these new emerging technologies.
Considering this statement, we definitely have to adopt new modes of cooperation.
That is the reason why UIC works in close partnership with major actors such as UITP, UNFCC or IATA, why we have developed a Digital platform and an Alliance program with Universities.
Such collaborations enable a better design of our interfaces and the provision of seamless information to our customers, whether Freight or Passenger.
We wish to, and must, open this 19th century pyramid focused on closed working methods and create new circuits open to the outside world, with new partners and relays.
Etienne, networks and telecommunications expert at Thales Ground Transportation Systems, presented how the Internet of Things (IoT) can improve operational and monetary efficiency at the 5th International Railway Summit in Kuala Lumpur.
The railway industry is going through a digital transformation due to recent challenges around increased competition from other transportation methods while coping with limited resources.
Better performance is expected to satisfy the increasing traffic demand in congested cities, leading to optimum utilisation of existing infrastructures. Achieving this within decreasing budgets means better returns on assets, simplified wayside systems and lower maintenance costs. Meanwhile, required efficiency improvements call for more integrated Operation Control Centres, automated with new data-driven functionalities, enabling infrastructure operators to quickly react to incidents. Finally, improving passenger experience is fundamental, while maintaining compliance with safety regulations and cyber security to mitigate new threats created by digitalization.
Rail Infrastructure Managers must at the same time:
• Improve safety conditions and reduce service disruptions,
• Maximize asset availability and increase operations efficiency,
• Optimize the financial return on assets and manage decreasing overall budgets.
This leads to stringent operational requirements for rail infrastructures. Achieving this requires a paradigm shift. To succeed, the industry must develop decision support tools that provide a comprehensive view of the infrastructure and integrate information from increasingly disparate systems. All this leads to smarter maintenance regimes – moving from break and fix to predict and prevent.
This in itself is nothing new. Defence, Aeronautics and Space have developed Health and Usage Monitoring Systems (HUMS) to increase availability and minimize breakdown risks. Applying this model to the railway industry enables predictive maintenance, where failures are anticipated and repaired before service disruption, optimising not only performance but also safety and cost.
These new capabilities rely on new technologies such as the Industrial IoT, Big Data Analytics and Cloud technologies. Data generated by sensors is collected through versatile networks fit to field conditions, then fed into a cloud infrastructure supported by Big Data Analytics frameworks. Relying on Artificial Intelligence and Deep Learning algorithms, data scientists and subject matter experts combine technical savvy and unparalleled interpretation skills to create insights.
Transforming raw data into knowledge is not easy though. This requires strategic choices like sensors with proper data normalization and formatting, and efficient diagnostic rules. The network and IT architecture should use a good balance of distributed and centralized processing, relying on a scalable IIoT platform, modular enough to accommodate technology evolutions and context-specific operational choices. Cybersecurity is, of course, central to the solution, from sensors up to the application front-ends. These solutions must be scalable with real-time capabilities to enable fast response. A consolidated view of the information also supports immediate monitoring and long-term strategy.
The Industrial IoT model will help the railway industry benefit from predictive maintenance, real-time diagnostics and long-term process optimization. From an integrator’s standpoint, modularity and independence from technology are paramount to ensure future-proofing and adaptability to diverse Rail Infrastructure managers’ needs.
Then a predictive maintenance solution will significantly improve maintenance costs, downtime and unplanned events. For the maintenance teams, this will also improve work conditions, focussing on high value tasks. Eventually, right-first-time repairs, enabled by accrued anticipation capacities, will minimize time spent on trackside and increase safety conditions.
Francis, Chief Digital Officer of UIC, spoke on the new challenges the digital revolution poses to rail at the 4th International Railway Summit in Paris, and how digital can improve mobility at the 5th International Railway Summit in Kuala Lumpur.
Francis will act as Chairman of the 7th International Railway Summit’s conference programme, which will revolve around the creation of an efficient digital railway.
For the past few years, we have been entering a new era. Everybody speaks “digital”, thinks “digital”, acts “digital”. We are currently living through an actual revolution. The 3rd industrial revolution, the digital one, must be a unique opportunity for rail operators and manufacturers to progress faster and further, enabling railways in the world to once again be an actor and a vector of development in the 21st century. Digital can impact all railway domains.
Examples of current trends in the railway sector but, obviously, far from being exhaustive:
Digital has changed, and will go on dramatically changing, our world. Regardless, we have to be aware that some risks are there and have to be seriously considered.
Safety has always been a founding and key value of railway. Due to the huge presence of technology in modern railway systems and connected interdependencies, new vulnerabilities have been introduced to the sector.
The Attack surface has dramatically extended with:
Vulnerabilities can come from breaches in the system (lack of authentication protection, poor maintenance, operating systems and software components not updated …) or human factors (leaving the default PIN entry code to the railway system as 1234, for example).
Rail operators have obligations under EU and domestic law to protect the safety of their operations. Failure to take reasonable care to do so may make them liable for some of the resulting losses.
Cyber security must be at the centre of development and it must be a priority for any government as the risk of vulnerabilities exploitation by hackers is real.
Every rail operator faces the daunting challenge of protecting its own infrastructure:
In order to support the Railway Community and help it meet that new challenge, UIC has recently set up the UIC Digital Platform.
The missions of that platform are designed around three precepts
The UIC Digital Platform draws its legitimacy from the worldwide vision that we represent and from the idea of building a community at the service of the railways, in order to “make rail smarter” in the coming years and decades. Be part of it!
UIC is the worldwide organisation for the promotion of rail transport at a global level and collaborative development of the railway system. It brings together some 200 members on all 5 continents, among them rail operators, infrastructure managers, railway service providers, etc. UIC maintains close cooperation links with all actors in the rail transport domain right around the world, including manufacturers, railway associations, public authorities and stakeholders in other domains and sectors whose experiences may be beneficial to rail development. The UIC’s main tasks include understanding the business needs of the rail community, developing programmes of innovation to identify solutions to those needs and preparing and publishing a series of documents known as IRS that facilitate the implementation of the innovative solutions.