Transit agencies are, regrettably, regular targets and victims of cyber threats. In 2022 alone, there were at least four significant cyberattacks across the globe that crippled and disrupted public transit operations, including in Belarus, Italy, Iran and Denmark. These incidents affected the ability to operate train services and caused public disarray through the manipulation of passenger information and ticketing systems. These events highlight the continual material risk posed to rail infrastructure and operations by malicious threat actors. It has never been more important to focus on the adoption of effective implementation of cybersecurity processes, policies and controls to defend the integrity of operational rail systems.
Internationally, rail transportation is commonly considered critical infrastructure and is vital to the global economy. Accordingly, rail infrastructure is a prime target for cyberattacks, particularly in times of geopolitically motivated conflict, as demonstrated by major events that occurred in Iran in 2021 and Belarus in 2022, where operations were compromised, causing widespread delays and disruptions to rail services.
Rail infrastructure is at risk of:
Increasing passenger demands and expectations has led to further dependency on digital technologies and optimised systems. The transition and modernisation of interconnected public information systems, real-time on-board CCTV, and mission-critical controls systems are driving the convergence of OT and Information Technology (IT) at a significant rate.
Additionally, the increasing dependence on commercial-off-the-shelf (COTS) systems, products and Internet Protocol (IP) enabled-networks further expands attack surfaces and threat landscapes that rail asset owners and operators must defend to minimise exploitation of associated vulnerabilities.
Rapid digitisation of rail systems and infrastructure has exacerbated risks posed by malicious threat actors to value and supply chains, including state-sponsored actors, cybercriminal groups, hacktivists and insiders who seek to exploit vulnerabilities in response to the adoption of new technologies.
Rail management systems today often rely on a combination of legacy and modernised systems to deliver and manage services. This is further complicated by the long technology replacement lifecycles for OT systems, which are typically up to 15-20 years, resulting in the operation and maintenance of unsupported legacy infrastructure that has reached end-of-life. Rail transport operators and infrastructure maintainers are reliant on these legacy and modernised systems to ensure the performance and reliability, availability, maintainability and safety (RAMS) of rail services, in accordance with service level agreements.
Rail entities and their operations are also commonly siloed into separate organisational departments, namely design and engineering, operations and maintenance, which can cause issues in organisational communication and blur accountabilities as there is no dedicated function accountable for cybersecurity.
The use of digital technology to control, monitor and communicate train movements and network conditions, including for real-time passenger information, has also led to significant advances in IT and OT system convergence and integration.
All these factors contribute to the expansion of cyber threat scenarios and potential risks by increasing the complexity of managing cybersecurity effectively. Put simply, these causal factors are prevalent and make rail an easy and attractive target for malicious threat actors.
In 2015, European security experts created “Project Honey Train” as a simulated subway control system to identify and analyse how cybercriminals would gain access to a railway created wholly online. In short, a model was developed of a fictitious, virtual rail transport control and operating system acting as a ‘honeypot’ to hackers, in order to evaluate the risk of cyberattack. Over a six-week period, there were 2.7 million unauthorised access attempts against the firewalls, CCTV and media servers. In several instances, hackers were successfully able to access the train control systems.
Whilst Project Honey Train is nearly a decade old, cyberattacks and incidents on rail networks continue to occur, proving threat actors possess the necessary knowledge to effectively target and comprise critical infrastructure.
Managing cyber risks and implementing cyber secure practices for rail systems presents unique challenges, including:
Cybersecurity protection is only as effective as the weakest link in the chain, and legacy systems and associated products were not inherently designed with security in mind. This often results in operational rail systems being implemented with a lack of defence-in-depth techniques, meaning security countermeasures are not applied in a layered or stepwise manner to prevent cyberattacks.
Additionally, adoption and implementation of rail cybersecurity governance, standards, practices and processes can typically be complex and challenging, primarily due to the absence of security operating models that outline how security functions operate within an organisation to help embed Security by Design. Embracing Security by Design as a core principle ensures that cybersecurity becomes an intrinsic part of the infrastructure’s DNA, fortifying critical systems against modern-day cyber adversaries and establishing a proactive defence posture that is more resilient and adaptable to emerging threats.
C-suite executives must realise and understand the material impact of cyber risk. Cybersecurity is vital in the rail sector. Rail operators and infrastructure maintainers need to implement and improve strategies to mitigate risk posed to OT environments. Executive mandates and sponsorship are critical to drive accountability, governance and awareness across the industry.
Know relevant security regulations and standards to adopt industry best practices, guidelines and practices. ISA/IEC 62443 is the most referenced industrial security standard globally within the sector, whilst many other key resources also provide direction and requirements for cybersecurity of railway applications, such as CLC/TS 50701 in Europe, and the Rail Industry Safety and Standards Board’s (RISSB’s) AS 7770 in Australia.
Embed cybersecurity into rail system lifecycles, making assets secure-by-design. Since most systems have been in operational service for a while, it is common practice to begin with a cybersecurity risk assessment to objectively evaluate cyber risk based on criticality of connected assets. Referring to the relevant standards and guidelines allows operators and asset owners to focus their protective efforts on critical systems and save on costs when implementing security controls.
Ensure employee training and awareness are key aspects of any cybersecurity strategy. Contrary to popular belief, ultimately, cybersecurity does not relate exclusively to technology. People and processes also play an important role in securing digital environments. Cybersecurity defences are only as good as the people that use and control them. A simple click by an employee on a phishing email can lead to a devastating chain of events that compromise the integrity and availability of rail services. Processes should be designed and implemented to ensure secure practices are followed and managed across the entire organisation, not just confined to technology departments and personnel.
Make cybersecurity a foundational expectation, just as safety has been embedded in rail culture over the years. This may seem daunting given the expanse of the rail networks and systems and the shortage of skilled employees in-house. External security expertise can help.
At GHD Digital, we have the skills and specialist knowledge within both OT/SCADA and IT cybersecurity domains, as well specialised technology partners to help organisations make the right strategic decisions to protect their critical infrastructure – embedding Security by Design. By applying our three-pronged approach to assess, protect and manage, we help organisations develop bespoke cyber risk strategies and operational models to defend against cyber threats. Connect with us today.
Loading
Advanced Metering Infrastructure (AMI) delivers far more than accurate billing and consumption tracking - it is becoming a vital tool in supporting community safety, emergency response and long-term resilience.
Traditionally risk-averse and slow to adopt emerging technologies, the water sector hasn’t seen the same AI momentum as other industries. In this episode of Transform, we bring the AI-in-water conversation to the forefront - exploring the real-world value AI can deliver and what’s needed for its responsible, ethical integration. Host Divya Sarin (Senior Manager - Digital Strategy and Innovation at GHD), is joined by Satish Tripathi (Managing Engineer at City of Houston) and Freddie Guerra (Digital Water Market Lead at GHD) to unpack what it takes to build an AI-ready water industry. From predictive maintenance to digital twins, the conversation dives into the practical insights, pilot successes and the cultural shifts necessary to unlock AI’s full potential in water management.
Artificial Intelligence (AI) is taking centre stage around the world as a driver of transformational change in the workplace. As new tools such as Microsoft’s Copilot and Google’s Gemini become more widely available, organisations are realising the benefits of AI as a business tool that enables change in how work is done, what work is done, and how businesses can create competitive advantage. However AI adoption goes beyond acquiring a new tool or technology; it demands solid foundations like quality data, well-defined strategies, robust governance models and a skilled workforce. And perhaps most importantly, executive leadership that instils a culture of innovation, learning and change management.