The Challenges of Cyber Security in Transport

The challenges of cyber security in transport, and especially rail, are multi-dimensional.

Rail has the same challenges as any other business:

  • Same data – personally identifiable information, financial, intellectual property etc.
  • Same technology – mobile, on-premise, IaaS, SaaS.
  • Same supply chains.
  • Same exposure to threats eg ransomware, business email promise etc.
  • Same desire to be able to work anywhere, anytime.
  • Same desire to drive efficiencies and get better outcomes for the business and the public.

Standards such as ISO 27001 and cyber security architectures such as SABSA are entirely appropriate to manage that dimension.

Rail is also the custodian of state-owned information and therefore it is appropriate to apply frameworks and standards such as the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS) that have been developed to protect state owned information.

Rail makes use of Industrial Automation and Control Systems (IACS) that prioritise the integrity and availability of the process over the confidentiality of information. This requires a different set of standards such as IEC 62443. And rail makes use of rail specific telecommunication services that require their own security standards.

But safety is the bedrock of rail. Standards such as ISO 27001 and the VPDSS protect information, not people. You have to turn to other standards to find concepts that reflect the fundamental differences between protecting information and protecting people. For example, from a standard that does understand this, CLC/TS 50701: for some railway control systems, the capability for the driver or the supervisor to quickly interact with such systems is critical. Local emergency actions for the control system should not be hampered by identification requirements. Access to these systems may be restricted by compensating countermeasures. That statement runs counter to what is found in typical information security standards.

That means that rail must also apply standards that understand safety. There is a natural tension between safety and cyber security: equipment with a safety integrity level (SIL) rating is naturally conservative – you want equipment that as been proven and is stable over a long period of time. This is the exact opposite of most cyber security good practice that requires constant change and updating. Standards such as CLC/TS 50701 attempt to address this through concepts such security-related application conditions. And so CLC/TS 50701 should also be included.

The potential impact on safety has not gone unnoticed by regulators and rail must address an increasing number of standards and guidelines that try to bring together these concepts. For example:

2018


  • EN 50129 Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling was updated to include the impact of IT security threats on functional safety.
  • RISSB released Australian Standard AS 7770 Rail Cyber Security.

2019


  • ONRSR released the ONRSR Safety Management System Guideline, highlighting ONRSR’s expectation that good practice in cybersecurity be adopted (making reference to AS 7770).
  • RISSB released the Rail Cyber Security (Implementation of AS 7770:2018) Guideline.

2020


  • RISSB released the Rail Cyber Security for Rolling Stock & Train Control Systems Code of Practice.

2021


  • CENELEC released TS 50701 Railway applications – Cybersecurity.
  • ONRSR updated ONRSR Meaning of duty to ensure safety so far as is reasonably practicable Guideline. References to the use of Codes of Practice, although present in earlier versions of the Guideline, are particularly relevant since the release of the RISSB Code of Practice in 2020.
  • The Australian Government passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 which defined the transport sector (including passenger transport) as critical infrastructure, placing a burden on responsible entities to report cyber security incidents.

Whereas it might have once been acceptable to not deploy cyber security controls in some environments, the availability of codes of practice and the expectation that codes of practice be considered as part of the state of knowledge when developing a so far as is reasonably practicable (SFAIRP) argument, would suggest that is no longer sustainable.

Further, there has been a market response so that technologies are appearing to allow the deployment of cyber security controls where none existed previously – such as signalling specific intrusion detection systems.

Traditional suppliers will have to be motivated to move forward given the substantial investment that has been made in existing (pre-standards) products and the substantial investment needed to move forward.

The governance model under which cyber security operates in rail is just as much a topic of discussion as in other industries. The independence of cyber security so it can do its job effectively has been recognised and reflected in RISSB’s Rail Cyber Security (Implementation of AS 7770:2018) Guideline, describing a cyber security governance model that provides a reporting line that is independent of the operational areas of the business that cyber security often falls under.

Finally, the interconnectedness of various parties to deliver a service to the public also means that there is complexity in the incident response process. It would be highly beneficial to ensure parties understand their obligations and have sufficient resources to fulfil those obligations.