When we settle back in our seat on a train to read a book, gaze at the view outside or watch a movie on a laptop, it is easy to forget how many connected systems are at work around us.
Connectedness by rail is about much more than the free WiFi that we use to surf the net or check our emails.
Railways, and metro systems too, are a complex mix of information technology and operational technology that is open to many types of cyber-attack.
Indeed, modern-day rolling stock may have more than 20 connected systems covering everything from CCTV to on-board retail, from location to ticketing. More broadly, control systems and signalling are also at play.
Ensuring that such set ups are secure is a timely issue for the Middle East, because only in March this year officials indicated that, despite earlier delays, the Gulf states still wanted to push ahead with the Gulf Railway project, which will link GCC members.
Many of the vulnerabilities in the railway industry are associated with the connections between multiple systems.
“The main challenge is ensuring that when systems are interconnected, there is no additional exposure to components on either side which could affect the security of the system overall,” says Richard Thomas, a doctoral researcher working on railway cybersecurity at the University of Birmingham in the United Kingdom.
In a commentary last year, Thomas MacKenzie, of the cyber assurance company NCC Group, highlighted a number of key railway cybersecurity concerns, and pointed out that many are shared between different modes of transport.
MacKenzie noted that a problem that rail rolling stock operators and car manufacturers may have in common is ensuring that the “end solution” – and not just the component parts provided by each supplier – is fully security tested. Echoing Thomas’s view, MacKenzie said that this is because the interfaces and communications between services or products are among the greatest risk areas.
So, he argued that rolling stock operators and car manufacturers should test solutions as a whole, because looking just at individual components is not enough. But this does not exempt suppliers from their share of responsibility, as they too have to consider safety early on.
Other sectors, such as road transport as a whole (with its road sensors, traffic lights and other systems) and aviation face many of the same challenges, given that they too have become ever more digitised and connected.
Shipping also is vulnerable, especially as vessels tend not to have the same level of redundancy built into their systems as aircraft have. Indeed, there have been warnings that since logistics in general is a low-margin industry, cybersecurity budgets can be squeezed and that the investments in the latest technology that are required to ensure that systems are robust may not be made.
The presence of many potential targets, such as carriers and freight forwarders, in what has been described as a fragmented industry is another source of weakness.
As in other sectors, experts have said that transport cybersecurity is about more than purely technical solutions, such as malware detection systems and firewalls. Social engineering attacks that exploit vulnerabilities in human behaviour should also be considered.
Many transport-related activities are just the type of thing that nation states looking to engage in cyber warfare may like to target.
Aiming at key infrastructure can cause major disruption, especially because logistics operates as part of wider networks that include, for example, manufacturers.
The considerable knock-on effects were illustrated by a widely publicised cyber-attack last year that hit the world’s biggest shipping operator, Maersk. Ports across the world were affected and logistics chains suffered disruption.
When it comes to cybersecurity in the rail sector, Thomas at the University of Birmingham is looking at the risks of linking systems together and defining which actors would try to target particular components. His project is focused on EU legislation.
“Over the last three years, we have carried out a formal analysis of the train-to-trackside communications used to send movement authorities and location reports,” he says.
“We were able to validate the protocol against security goals we set and identify potential areas for improvement in future iterations of the standard.”
The research then looked at the cryptography in the train-to-trackside link to protect these messages to and from the train. These were found to use a custom cipher (a code based on a standard that adhered to International Organisation for Standardisation rules).
“This work found that, in some cases, two different messages could have the same corresponding message authentication code,” says Thomas, adding that this represented an opening that could be exploited by an attacker.
“The conclusion of that work was that alternative schemes should be made available which are more secure and offer flexibility to cope with future threats.”
On a reassuring note, Thomas said that, to get a one percent chance of recovering the “key” used to generate the message authentication code, an attacker would need to listen to the “entire UK rail backbone” for at least 45 days. Discussions with regulators resulted in the decision that this particular system should not, however, be used for larger and faster applications, given that it is potentially vulnerable, albeit in a limited way.
“Our main thrust is to provide assurance and carry out detailed analyses of standards and systems with the aim of being able to build a framework which allows system owners to carry out a similar process for themselves,” explains Thomas.
Work due to be published soon has created a modelling tool to allow system owners to define their system architecture, test strategies to improve security and identify the impact of interconnected systems.
In aviation, Professor Chris Johnson, head of computing at the University of Glasgow in the United Kingdom, said there can be pitfalls associated with trying to improve the security of systems.
When a new attack method is identified, then the desire is to protect the system as soon as possible. Doing this can have consequences, however.
“This creates pressure on the usual safety tests – if you rush to improve security, you might add a bug that damages safety,” he says.
Just as with railways, the multiple connected systems that modern aircraft have create “new ways in”.
Johnson notes that there is an array of satellite and ground-based systems for navigation, air traffic management, the exchange of operational and maintenance date and for passenger entertainment and business support. There are also multiple on-board networks for avionics, passengers and other functions.
“The challenge is to protect these diverse systems and to ensure isolation so, for example, somebody who hacks into the entertainment system cannot access the control or communications system cannot access the control or communications systems,” says Johnson.
“These use different technical standard, but there is a convergence of technology with pressures to reduce costs, so the future is uncertain, even if more people are spending more money to protect our aircraft.”
But for all the cybersecurity concerns associated with various forms of transport, passengers should not worry unduly, Johnson indicated as he spoke to Security Advisor Middle East.
“I am about to board a flight and I am not worrying about the cyber issues,” he says.
