Securing Industry 4.0 - The Case of Railway Automation

The current trend of greater automation and data exchange in transportation, energy, and many other industrial and critical systems has security and safety implications. The connectivity between the physical and digital increases the attack surface and the risk to functional and physical safety (of people and goods), in addition to the confidentiality, integrity, and availability of critical production systems and data. The impact of attacks can be social, environmental, and financial, and it might even engage the civil or criminal liability of stakeholders.

As for traditional IT systems, creating and building secure Industry 4.0 requires a holistic approach incorporating People, Policies, and Technology. However, the complexity of these systems is such that it requires an unprecedented level of synergy between these components. A particularly difficult challenge in this area is the sophistication of adversaries, which often are state-sponsored actors, very well-funded and organized. Many organizations in critical infrastructure and industrial automation have struggled with targeted malicious campaigns. Examples include Shamoon/Shamoon2 [1], Triton [2], or the most recent Colonial Pipeline attack [3], among many others.

In the transportation sector, cyber-attacks are more prevalent in the automotive domain [4][5]. DefCon even has a yearly dedicated car hacking CTF [6]. Shipping, air transport, and railway industries have also been hit by attacks [7][8]. The main target remains the IT systems supporting these environments. Examples of attacks on railway systems include the San Francisco’s Muni hack [9], the attack against a service provider to the Danish railway company [10], or the attack on the Iranian train system [11]. Safety-critical railway automation systems or components (directly running or managing the trains or tracks) have not been reported as a direct target for cyber attacks. However, the ‘absence of evidence is not evidence of absence’, and the sector is still vulnerable to attacks, especially in areas related to smart mobility technologies, which are becoming increasingly important.

In this post, we list the challenges to the security of connected and intelligent transport systems, especially in railways, and how to address them.

Smart mobility challenges

Smart mobility technologies aim at integrating real-time communications and data-driven insights to make transportation more efficient and autonomous while ensuring the safety of people and goods. Frameworks and projects, such as the NIST SCCF (Smart Cities and Communities Framework) [12], AUTOSAR [13], or the Shift2Rail European rail initiative projects [14] are leading the charge in providing best practices and technical guidance in developing and implementing smart transportation solutions.

These initiatives address a number of difficult challenges to provide technical frameworks and a set of new tools that will foster the digital transformation of the transport ecosystem, and keep up with the increasing sophistication of the threats, particularly cyber.

Key elements to developing and maintaining a secure smart transportation system include:

Standardization of interfaces and protocols, and exchange formats, with security in mind,
Developing reference architectures, e.g., for Electronic Control Units,
Improve maintainability and security over an entire life cycle of products and processes,
The ability to secure and optimize communication networks, and their secure integration and exchange of data and functions internally and with the external world, e.g., third-party stakeholders or the cloud, and
Interoperability, shared research activities, and even integrated operational management among stakeholders, which include equipment and (sub)system manufacturers, as well as operators and infrastructure managers.

Securing railways

Train incidents happen frequently. According to the Federal Railroad Administration in the US, the most common causes of railroad incidents are defective equipment and human negligence. Next-generation electrical/electronic architectures and advanced train control and monitoring systems can help minimize physical risks while increasing efficiency. The main challenge will be the security implications and increased cyber exposure resulting from applying smart technologies in signaling and communication, maintenance, passenger information systems, freight operations, etc.

While increased automation comes with major benefits, poor design and implementation can take their toll on security and safety teams. Strict security requirements and secure design principles should be applied (ideally from the outset) to all parts of the railway automation system; including hardware, software, information transmission lines, networks, or radio equipment.

Standards such as the NIST 800-82 (referencing NIST 800-53 controls) or even the IT-centered ISO 27000 series can be considered and tailored with respect to the security of railway systems. However, The gold standard in securing industrial automation and control systems is the IEC 62443, one of the most complete standard series to date. More dedicated efforts, such as CLC/TS 50701 (inspired by the IEC 62443), may provide railway operators, integrators, and suppliers, with more detailed guidance and specifications on the cybersecurity of these systems. The next session briefly contrasts these two standards.

The IEC 62443 & CLC/TS 50701

The IEC 62443, developed by the International Electrotechnical Commission (ISA99 committee), has seven foundational requirements addressed to the stakeholders of ICS environments to secure automated processes, (sub)systems, and components. Parts 3-3 and 4-2 of the IEC 62443 standard (available in IriusRisk) define specific sets of security requirements, for each foundational requirement, for ICS systems and components.

The CLC/TS 50701 'Railway applications – Cybersecurity', developed by CENELEC (CLC/TC 9X committee) [15], provides requirements and recommendations to handle the cybersecurity of railway systems and applications. This Technical Specification is essentially inspired by the IEC 62443, including parts 3-3 (for system requirements), and 3-2 (for security concepts and risk assessment), while taking into account the railway context.

For instance, some of the most critical components in a railway system are the signaling or traffic control equipment and infrastructure, which would include wayside stations (e.g., sensors/devices to ensure track security), or the communication infrastructure (e.g., GSM-R or future successor). From a technical perspective, all security requirements and countermeasures will be provided by the IEC 62443. The CLC/TS 50701 addresses then the feasibility in a railway context given specific operational requirements, such as the distributed nature of railway systems and the complex ownership model that this sector employs.

Conclusion

Managing risk across next-generation smart transportation systems, including railway operations, necessitates establishing a clear understanding of the attack surface for those systems, components, and their interactions. Automated threat modeling with established guidelines and standards will help you identify where the biggest risks, threats, and weaknesses are within those systems, and how to address them.

References

‍