Railway cyber security
2 August 2016 • Author(s): Graham Ellis
For my next blog on European Railway Review I have chosen a very topical subject to share with you, security but perhaps not in the vein you might expect…
At a meeting of the Parliamentary Advisory Council on Transport Safety (PACTS) held in January this year members were briefed on automotive cyber security. Whilst this focussed on cars, as they are early adopters of on-board technology, it can also be relevant to trains as more and more data is received and transmitted to and from them. This may either be data from the train and /or from passengers.
Why should we worry about this? Well, we only need to look at the tragic accident on Italian railways where a single track working used what we would now consider to be an antiquated system which resulted in a head on crash at a closing speed of around 120mph.
Identifying railway cyber security vulnerabilities
On most railways throughout the world the signalling systems are becoming ever more sophisticated with in-cab speed permitted displays and trains being able to run closer together as the computerised systems can calculate maximum braking distances in all circumstances rather than relying on a member of staff phoning the other end of the single track working to say that there is a train on its way! The European Rail Train Management System (ERTMS) is mandated for rail operations throughout Europe. What we have not seen, is that there may well be some vulnerabilities is that system, and we need to be sure that those vulnerabilities have been thought about and addressed before someone exploits them.
What am I thinking about? Well first off the control rooms controlling track access, can I access the control room easily as an unauthorised visitor and can I get to the control system. In the Eurotunnel train control that is virtually impossible, the control room is located in a hardened building with various levels of security to gain access. Even Eurotunnel staff cannot gain free access unless they have been pre-authorised, I know this because on a press trip to the control room our guide did not have the correct authority on their access badge and had to request access for each of us individually and we were matched to the pre-arranged visitor list before we could enter.
We had been allowed in at a time when the actual train control was being operated from the mirror image control at Calais and so there was no way we could access the control system. Both Folkestone and Calais are bi-lingual with direct video links and so if something “strange” happens the secondary control room can see that and has the ability to stop all trains, they cannot modify the running schedules, just stop trains safely.
Similarly the new South West Trains regional control room is protected by layers of security that prevent any unauthorised access to the actual operating system. I do not know how secure the facility is because they were still installing the systems in the building but, from what I could see it was as secure as could be made possible within a non-military area.
Security questions to ask…
Do we think that this is sufficient, I don’t because in a lot of cases you do not need to access the control room to gain control of systems, what you need to do is gain access to the computer systems either directly or indirectly. Do we know that the systems installed in the rolling stock are secure or can someone just sit in the carriage and hack into the systems? I don’t know but has anyone checked?
In the automotive industry it was found that manufacturers and suppliers both thought that the other was responsible for security of on-board systems and so no-one actually WAS responsible which left a large vulnerability present. Are we sure that the passenger Wi-Fi is also separate from the on-board control systems or are they using the same systems to communicate to the track side, is the trackside infrastructure secure?
These and many other questions need to be asked and answered in a clear and understandable manner before we rush headlong into full computerised control. Whilst a lot of autonomous systems are used around the world, that world has changed with the ever present threat of terrorism and from the hobby hacker who can easily access the Pentagons systems.
Whilst I don’t believe that there is a massive lack of understanding about cyber security I cannot put my hand on my heart and say that everyone is safe and secure. Is this something that the industry should be discussing behind closed doors and should we; as an industry publication; be arranging just such a conference?
I await your views…