All Aboard the Cybersecurity Express
Written by Amir Levintal and Eddy Thésée
The rail industry has always placed a keen emphasis on safety – ensuring that every ride is as safe as possible, posing no risk to passengers or employees.
But rail systems have evolved significantly since their inception – particularly in the past decade, which has seen the rise of connectivity as a critical component of rail infrastructure and rolling stock. This evolution, which has made trains more efficient, comfortable, and safe than ever before, is not without its challenges. Namely, the need to refocus industry attention on security – especially cybersecurity – alongside standard safety practices.
Safety vs. Security
Safety and cybersecurity share the same goal: to keep passengers and employees safe and the trains running as scheduled. But to conflate the two is to address them insufficiently. For railways, safety generally refers to the protection of passengers and systems from unintended harm – a rusted mechanism, a broken signal light, bugs in the system, etc. Cybersecurity is the protection of people and infrastructure against intended harm – bad actors with malicious intent.
As opposed to mechanical safety, which rests on time-tested tenets, cybersecurity never rests on its laurels – it must always stay one step ahead of increasingly sophisticated hackers. So, to remain cyber-secure, the rail industry must constantly be improving and evolving its cybersecurity solutions to meet the next emerging threat.
One critical hurdle to effective railway cybersecurity is the difficulty in finding the balance between tried-and-true safety protocols and cybersecurity systems that must be constantly updated.
The State of Cybersecurity in Rail Operational Environments
The recent classification of railways as “critical infrastructure” has accelerated the adoption of standardized rail-centric cybersecurity solutions. New protocols and other regulatory initiatives – frameworks like CENELEC TS 50701 (based heavily on IEC 62443) and recent TSA Directives in the U.S. – are pushing the industry to become even more cybersecure.
But such standardization is complicated by the fact that the rail industry is made up of a diverse set of actors: operators, integrators, component suppliers, and third-party vendors providing solutions across various corners of the supply chain. Fortunately, players throughout the rail industry are looking to address the growing cybersecurity concerns through innovation and the development of new products and services.
But even with cybersecurity a high priority throughout the rail ecosystem, we cannot underestimate the challenges ahead – necessary cultural changes, the long lifecycle of rail products, and the growing complexity of railway systems, to name a few.
Cybersecurity Insights from InnoTrans Berlin 2022
Cybersecurity was a key focus at the recent InnoTrans event in Berlin, the world’s largest trade fair focused on the rail transport industry.
One standout trend from InnoTrans 2022 was the emphasis on heightened visibility in rail operational environments. Rail operators know that they can’t secure what they can’t see, which poses a critical issue to these systems at large.
Another key trend is the demand for integrative cyber-solutions that allow rail operators to do more with less. Operators today know that they need to protect their systems and are tirelessly pursuing solutions that can be holistically integrated into complex ecosystems.
Expectations for Major Themes in Coming Years
Going forward, widespread deployment of rail-specific cybersecurity solutions will not only be in greenfield projects (new lines) but in brownfield rail environments (upgrades or extensions of existing lines) as well. Considering most rail systems are comprised of legacy components, it is critical that the industry works to secure pre-existing environments, even as it strives to create new ones that are more inherently secure.
Today, the cybersecurity solutions needed within any industry or enterprise – especially critical infrastructure – must be deeply entrenched in relevant business functions and be able to translate cyber alerts into specific, effective actions. For example, in an industry like rail, where entities and information are constantly moving through a hyper-complex system, there is never the requisite downtime to stop operations and review the assets that require patching; instead, issues must be flagged, and solutions found on the fly. Accordingly, the rail industry is continuing to develop rail-specific cybersecurity solutions, as generic solutions simply aren’t up to the task of securing systems as unique and complex as our railways.
Arguably most important among incoming trends is the proliferation of information sharing. Research from industry analysts on the state of railway cybersecurity and the maturity of the industry as a whole suggests that more and more operators are beginning to share cyber-relevant data and learn from one another. We can also expect to see better aggregation of information from rail industry organizations on the types of cyber-attacks occurring across the industry and how effectively they’re being responded to and remediated – after all, the bad guys are working together to spread the word about weaknesses and vulnerabilities… why shouldn’t the good guys join together as well in order to stay one step ahead?
Such transparency is critical in striking the balance between structure and the constant change needed to drive the industry towards a more secure and efficient future.
All Aboard the Cyber Express
Despite the challenges, things look bright for the rail industry.
Operators are continuing to move towards a more cybersecurity-focused culture across the entire industry ecosystem, striving for visibility between the myriad of vendors, operators, integrators, component suppliers, and more.
Rail manufacturers and operators must not only continue to implement high levels of cybersecurity, but they must do so with solutions that are both rail-specific and compliant with security standards for both new and legacy systems – both on and off track.
Amir Levintal, CEO and Co-Founder, Cylus: Amir Levintal is the CEO and Co-Founder of Cylus, an Israeli startup developing cybersecurity solutions for railways and metros. Previously, Mr. Levintal served as a Director of the Cyber R&D Division of the IDF’s elite technological unit. With over twenty years of management and cyber defense experience, he has led highly skilled teams in the development of complex cyber, software, and hardware projects. He was awarded the Laureate Israel Defense Prize for exceptional technological breakthroughs and received a high military honor for extraordinary achievement and exceptional contributions to national security. Mr. Levintal holds a Masters in Electrical Engineering from Tel-Aviv University.
Eddy Thésée, VP Cybersecurity at Alstom: With a background in mathematics, telecommunication and information technology, Eddy Thésée joined the railway signaling business 20 years ago at Alstom. After several positions in information technology, methods and tools, and continuous improvement, he is leading Cybersecurity for Alstom, covering the products, solutions and services portfolio.