As Australia’s rail sector has not been immune from the risk of cyber attacks, industry bodies are joining with government agencies to mitigate the ongoing threat.
In November 2016, the San Francisco Municipal Transport Agency was hit by a cyber-attack. The HDDCryptor malware spread across more than 2,000 computers, meaning that the agency’s network was opened up to the public for free.
While the agency’s ability to provide transport across its fleet of light rail vehicles, streetcars, trolley and hybrid buses was not compromised, ticket machines, payment services, and emails were affected.
The hackers demanded a ransom of 100 bitcoin, equivalent to $102,644 at the time. This type of attack, shutting down a network’s computer systems and demanding a payout, is known as ransomware, and can be caused by a person simply clicking on an infected link in an email or downloading an infected file. The networked nature of large transport authorities means that this can quickly spread throughout an organisation.
While San Francisco did not pay off the hacker and was able to restore its systems by the next Monday, the hack was one of the most visible instances of how cyber threats are coming to the rail transportation sector.
Earlier that year, cyber criminals struck the rail network in NSW, targeting regional train services provider NSW TrainLink. Hackers were able to infiltrate the booking service and capture customer credit and personal data.
Unlike the San Francisco hack, this breach targeted a rail organisation’s repository of customer details, including things like bank details and personal information. The opportunistic attack exposed how people using the same passwords for multiple accounts can make a system vulnerable, and in this case, rail operators, which hold data on large numbers of people, could be seen as a honeypot for potential attackers.
Western Australia’s Public Transport Authority was also targeted in an attempted attack in 2016, leading the rail agency to shut down its own website and websites for specific services such as Transperth to prevent further intrusions.
More recently, the number of cyber-attacks has been increasing. In May 2020, Swiss rail manufacturer Stadler reported that hackers had targeted the company hoping to extort a large amount of money and threatening the publication of data to hurt Stadler and its employees. Although it did not impact production lines, the hack came a week after Australian logistics operator Toll also suffered a ransomware attack, the second that company had suffered in 2020.
A spokesperson for the Australian Cyber Security Centre (ACSC) reiterated comments made by Minister for Defence Linda Reynolds that malicious cyber activity against Australia is increasing in frequency, scale, and sophistication.
“Rail, and the transport sector more broadly, is part of Australian critical infrastructure and provides essential services to Australians,” the spokesperson said.
Ransomware attacks are becoming more common for organisations across the rail sector. As these few examples demonstrate, the reliance of all parts of the rail industry on digital systems means that cyber-attacks are not targeting any one sector of the industry. Furthermore, as large, often widely distributed organisations that deal with personal and safety critical information, the rail sector has many facets of the organisation that are involved with cyber security, not only in operational roles.
“A cyber incident involving critical infrastructure can seriously impact the safety, social or economic wellbeing of Australians, due to the significant disruption it can cause if the systems are damaged or unavailable for extended periods of time,” said the ACSC spokesperson.
This is not to suggest that the rail sector has been blind to the risk posed by cyber-attacks. In the UK, in 2016, the Department for Transport published the Rail Cyber Security: reducing the risk of cyber attack guidelines. In the document, the increasing threat of cyber-attacks in the rail industry is clearly stated.
“Railway systems are becoming vulnerable to cyber-attack due to the move away from bespoke stand-alone systems to open-platform, standardised equipment built using Commercial Off-the-Shelf (COTS) components and increasing use of networked control and automation systems that can be accessed remotely via public and private networks.”
These vulnerabilities leave the rail sector open to impacts of cyber-attacks, from threats to safety, disruptions of the network, economic loss, and reputational damage. The guidelines outline how rail organisations should respond, from the level of governance, through to design, the integration of legacy and third-party systems, and staff training.
As the spokesperson for the ACSC outlined, as rail reaps the benefits of digitalisation, there are also challenges.
“The rail sector is continually modernising through the adoption of new operational technologies. However, with this, comes potential cyber security vulnerabilities,” said the spokesperson.
“The increased adoption of inter-connected technologies has the potential to increase the cyber threat ‘attack surface’.”
In the case of passenger networks, bespoke systems such as electronic signage, ticketing systems, electronic passenger gates, building management and public address systems are areas of concern. In the freight sector, the interconnectedness of the industry and its automation contributes to the vulnerabilities the sector faces.
The exposure of the rail sector was highlighted in a 2016 Victorian Auditor-General report into the security of critical infrastructure control systems for trains. After a 2010 report identified weaknesses, the 2016 report found little improvement since then.
The reasons for the lack of progress were poor governance arrangements, limited security frameworks for control systems, limited security controls for identifying, preventing, detecting, and responding to cyber security events, and a poor transfer of accountability and risk during machinery-of-government changes.
In the Auditor-General report, 10 recommendations were made, all of which were accepted by Public Transport Victoria and the Department of Economic Development, Jobs, Transport and Resources, which has since been broken up into the Department of Transport and the Department of Jobs, Precincts and Regions.
Since the Victorian Auditor-General’s report, moves have been made to standardise and improve the Australian rail industry’s cyber security response. In 2018 the Rail Industry Safety and Standards Board (RISSB) published its Australian Rail Network Cyber Security Strategy. Identifying similar threats, the document outlined the vision for the industry of the elimination of cyber risk, resulting in zero cyber-attacks on the Australian rail network. To do this, the strategy follows the principles of understand, protect, detect, and respond.
In addition, also in 2018, RISSB published AS 7770 – Rail Cyber Security, the Australian standard for managing cyber security risk on the Australian railway network.
To improve the response of the rail sector to the cyber security threat, ACSC provides sector-specific resources and materials.
“The ACSC is working with all critical infrastructure sectors to help them increase their cyber defences as well as transport sector entities through the ACSC Partnership Program.”
The ongoing adoption of industry standards as well as the implementation of sector-wide strategies will ensure that the rail industry continues to be prepared to deal with cyber attacks as the threats morph and change.