Introduction to NIS for Train Companies
As railways adopt more automated, wireless and connected technologies, their most safety-critical assets have become exposed to new and more dangerous types of cyber-attack. Attacks on trains are no longer science fiction. In May 2017 the world was rocked by the WannaCry attack, which hit more than 200,000 victims in over 150 countries. Computers were essentially taken hostage by ransomware, and users were asked to pay up in bitcoin. Law enforcement agencies, health services, telecommunication networks, universities, businesses and railway systems were all affected. Estimates of the total damage ranged from hundreds of millions to billions of dollars. Experts said at the time that the next wave of attacks would target critical infrastructure: electricity networks, water companies and transport systems. The European Union had pre-empted this in 2016 with the EU Directive on security of Network and Information Systems (NIS), which addresses the cyber security needs of organisations delivering operational services by means of ICT. The Directive was transposed into UK law in May 2018. The purpose of this paper is to show how and why the NIS Regulations can be put into force by the UK's Train Operating Companies. Its scope includes the guidance issued by the UK National Cyber Security Centre and a discussion of what constitutes an "essential service" in terms of the Regulations' relevance to train operating companies.
Information technology increasingly underlies the successful delivery of train services. It is critical to signalling, interlocking, and train and station management. Rostering of crew, rolling stock and fleet management are heavily dependent on IT systems and on the communications that glue them together. Our latest trains depend on mobile communications and on-board computers for regulation and movement authority. Train maintenance is finely tuned, and the delivery of refurbished stock is precise and reliant on the availability and timeliness of data. Train planning is an art form underpinned by science and technology, and as for timetables, need I say more. Getting correct information to our passengers is complex and technology driven.
Modern rail command centres use wireless connections to control activities, such as monitoring train speeds or regulating signals. Those wireless links extend the network's attack surface and can leave the infrastructure open to attack. Some train-borne networks use Wi-Fi or other wireless links to reach critical components of the train, such as brakes and doors. An attacker who gains access to the wireless network can send commands to those components and change the behaviour of the train. Once attackers have breached a network and gathered information, they can move on to its physical elements: changing controls on the train or, at the extreme, issuing commands intended to derail it. In dark-net parlance these attacks are termed 'simple': once a system is breached, it is just a matter of deciding which commands the malicious actor wants to send. The practical caveat is that train control networks must be segregated from passenger and corporate networks, with the boundary between them monitored, because an attacker's route usually starts on the less protected side. While current concerns concentrate on attacks aimed at corporate ICT infrastructure, systems and applications, the most dangerous attacks would be those aimed at systems 'in flight', that is, the operational systems controlling moving trains. A similar detect-and-resist approach is needed for both.
The threat landscape is not far-fetched. In the WannaCry attack, Germany's rail operator Deutsche Bahn was hit when its ticketing and passenger information systems went down. It is rumoured that cyber-insurgents from the Middle East, aggrieved by German foreign policy, are already targeting Deutsche Bahn's European Train Control System (ETCS). In November 2016 San Francisco's municipal transit system (Muni) was the target of a ransomware attack in which the attackers took control of 2,112 of its 8,500 devices, shutting down workstations, ticket machines and computers. They demanded a ransom of around $73,000, and the loss of revenue was put at around $559,000 per day. A study by cyber security experts Raytheon and Ponemon found that 66% of organisations are not ready to address security issues for remote assets.
Failure of ICT brings operational consequences, financial loss and reputational damage. Moreover, failure to deliver means hardship for our customers: they are late home, late to work, late to meetings, rendezvous and dinner dates, or they make do with cramped accommodation after trains are cancelled. Train failure reduces our customers' quality of life, quite apart from the clear safety imperative. Cyber vulnerabilities will surely compromise our service mission and leave our business open to intense scrutiny.
Being joined-up-digital, as train operating companies are nowadays, presents many challenges, not least because we occupy a place in the Internet of Things (IoT). Transport played a major part in the industrial revolution, and it is now part of the IoT, the "fourth industrial revolution". The internet provides a vastly increased attack surface, which requires us to reconsider our approaches to protection and crime prevention. These are very different challenges from physical security, where the task is preventing criminal access to our railway assets. The assets we possess and need to protect now are information assets: the data that allows us to move trains, and the systems and applications that process and convey that data. Data volumes are proliferating; data velocities are accelerating; and data is generated and stored in complex and virtualised ways. The need for bandwidth, and the media that consume it, are growing at our stations, our depots and our offices. The need to protect the confidentiality, integrity and availability of our information assets in this digital, IoT world, as it collides with the increasingly competitive, increasingly scrutinised, hard-pressed railway world, is paramount.
Alex Cowan, CEO of transport cyber defence specialists Razor Secure, has warned rail, aviation and car manufacturers and operators that many more attacks on their distributed IT assets and networks can be expected in the coming year. Cowan has described how cyber-attacks on transport networks are an ever-increasing threat to the safety of passengers. Security vulnerabilities exist in the most unlikely places throughout transport networks, and since these networks are by definition mobile and distributed, they can be much harder to protect and are characterised by weak points. Attacks on 'non-critical' networks, such as entertainment systems or passenger Wi-Fi, may seem no more than inconvenient at the time, but they can be a path to much greater access for the attacker. As railways adopt more automated, wireless and connected technologies, their most safety-critical assets have become exposed to new and more dangerous types of cyber-attack. These attacks can threaten passenger safety, disrupt service and cause severe economic damage. Legacy components and many communication protocols throughout the railway industry were never designed with cyber security in mind and are in critical need of a new kind of network protection. For the hundreds of millions of train and metro passengers around the world, the need for more robust network security has never been more critical.
Added to this is the global threat. The international threat to cyber security has never been more obvious, more publicised or more real. Russian attacks appear relentless; distortion and disruption of national transport will soon be on their radar, if it has not been there already for a long time. What better way to embarrass a government, or to injure a national economy, than to attack its service economy and the workers commuting into the City of London? Perhaps the motives are more direct, involving terrorism and a major threat to life.
On 10 May 2018 the Network and Information Systems Regulations 2018 (NIS-R) came into force. They implement the EU NIS Directive of 2016, which applies to all member states. The aim of the Directive is to ensure that organisations within vital sectors of the economy effectively manage the security of their network and information systems. Organisations within those sectors that are identified as "Operators of Essential Services" (OES) will have to:
take appropriate and proportionate technical and organisational measures to manage the security of their network and information systems (including managing cyber security risks and broader security and resilience risks to network and information systems);
take appropriate measures to prevent and minimise the impact of incidents affecting the security of their network and information systems; and
notify the relevant authority of any incidents affecting network and information systems which have a significant impact on the continuity of the essential service they provide.
The NIS Regulations apply to the energy, transport (including rail), health, drinking water and digital infrastructure sectors.