Siemens explains to Rail Express how digitalisation in rail requires a focus on cyber security.
On June 19, Prime Minister Scott Morrison warned Australian businesses and agencies that they were under a sustained cyber-attack from a sophisticated state-based actor. Rather than describing the nature of a singular attack, Morrison outlined the constant and ongoing threat that Australia’s critical infrastructure was facing.
This reminder of the cyber threat that Australia was facing aligned with what Serge Maillet, head of industrial cyber security, Siemens Australia and New Zealand, has observed.
“Over the past 12-18 months there’s been a significant increase in terms of cyber-attacks that Australia is seeing across all industries. This is happening world-wide but unfortunately Australia is among the top 10 countries being targeted.”
Based on data from the Centre for Strategic and International Studies, a US think tank, Australia is the sixth most targeted country for cyber-attacks, with 16 significant attacks between May 2006 and June 2020. The nature of these attacks is not leaving the rail industry unscathed.
“Any entity attempting cyber threats, also known as threat actors, are increasingly targeting a lot of our critical infrastructure. Rail is certainly part of that critical infrastructure,” said Maillet.
The attacks that are occurring involve the intrusion of malware due to failed security controls, in many cases due to human error.
“The reality is that the majority of organisations in Australia are going to be attacked at some stage. The only variables are the type of attack vector, the size of impacts and if the attack is going to be successful or not,” said Maillet. “If it is a successful attack, you want to make sure that you’ve got measures in place to be able to recover from those attacks and bring the critical systems back online as quickly as possible, while minimising any negative impacts on public safety or production.”
THE CONVERGENCE OF IT AND OT
What has made the rail sector and critical infrastructure particularly susceptible to cyber-attacks, and why governments are concerned, is the convergence of what were previously two separate systems: information technology (IT) and operational technology (OT).
“While cyber-attacks have been able to target data in an IT environment, the interconnection of IT with OT opens the potential for threat actors to penetrate machines and processes, causing significant harm,” said Maillet.
“If we look at OT in the context of rail, it’s really about machines and process control. This could be rail signalling, rail control, automation, telemetry and more.”
Previously, these systems were insulated from cyber-attacks due to their lack of connection to external or untrusted networks. While IT systems were constantly being patched with new software, OT systems ran on their own proprietary technology, and did not require regular updates.
“Because of that there’s been a lack of focus from organisations on their own OT systems from a security perspective,” said Maillet. “Now that we’re seeing a lot of convergence and hyper convergence happening between IT and OT it’s creating a lot of new challenges, especially for industrial applications, and it’s increasing the risk profile of our critical infrastructure.”
In addition, while enterprise IT is expected to have a lifecycle of three to five years, OT devices are often expected to run for 20 years, if not longer. As these older systems are beginning to be integrated with the wider rail IT network through the process of digitalisation, safety critical technology is becoming increasingly vulnerable to cyber-attacks, said Maillet.
“The challenge from that perspective is that a lot of the legacy OT devices that are still in operation today for a lot of critical infrastructure were never designed with security in mind, because they were never intended to be converged with IT.”
While digitalisation promises and has delivered many benefits to rail networks, the issues of cyber vulnerability and exposure are sometimes overlooked, and the cost of digitalisation is only accounted for in financial terms, not in terms of cyber security, cautioned Maillet.
THE CONSEQUENCES OF DIGITALISATION
To some, the solution may look simple. Why not just update the software that runs these safety critical systems, or install the latest security patch? This is easier said than done, Maillet points out.
“In OT infrastructure the priority is always going to be to maintain the safety, reliability, availability, and integrity of those platforms. So, when you look at putting in a new patch or making a configuration change, that will always introduce potential risk to jeopardise the availability or performance of that system. Often, these elements will take priority over the actual integrity of the system.”
That’s not to say that the patches are not available. Many OT systems run on operating systems such as Microsoft Windows, which has regular security patch updates to account for vulnerabilities identified in the system. Trying to find a time when the system that controls a rail network can be taken offline for an upgrade is tricky.
Another limit on the possibility of upgrading these systems is the potential for human error. Stephen Baker, head of product innovation and through-life support at Siemens Mobility says that this leads to a bunker-like mentality.
“The problem is that you end up with an infrastructure that is safe and reliable, but you can’t do anything with it, you can’t run analytics, you can’t do downstream processing. The convergence of OT and IT can’t be put on hold.
“Let’s face it,” said Baker. “You can imagine what would happen if all of a sudden you stopped running trains in Melbourne or Sydney because the operation of a vital network has been compromised.”
DEALING WITH AN EVOLVING THREAT
To mitigate the threat of a cyber-attack while still reaping the benefits of digitalisation, Siemens have developed a full cycle of expertise that is focused on the people, processes, and technologies that can keep a rail system functioning.
“Industrial security, which includes rail security, is really a dynamic topic. Because the risks are constantly evolving and changing in nature, it’s creating a lot of challenges. So, our job at Siemens is to help our customers better understand where those vulnerabilities are and what types of solutions are best to maximise the security posture of a system,” said Maillet.
When working in the rail industry in particular, Siemens have developed solutions designed for rail.
“When we look at mainline train systems or metro systems, we know that they are deploying a lot of Industry 4.0 technologies, a lot of digitalisation, which is increasing the operational efficiency and reliability of those systems,” said Maillet. “We also have to ensure that we implement technologies that enhance cyber security for the network that the train systems operate on, as well as the control systems that manage the rail infrastructure.”
With 90 per cent of successful cyber-attacks due to human error, the solution must begin with people.
“We know that even if you have all the right technology put in place, if your people do the wrong thing due to lack of awareness or not having the right level of training in cyber security, then that’s likely to expose a vulnerability,” said Maillet.
“Sometimes it’s as simple as plugging a USB into a computer. If it’s a computer asset in an OT environment, that USB could easily introduce a vulnerability. Another common breakdown is when someone clicks on an email that they shouldn’t which can create a virtual doorway for a threat actor to bypass the security measures that have been put into place to protect critical assets.”
The next step is the processes. In a rail organisation these processes could include how staff fix issues, how assets are managed and what procedures are in place to ensure that assets are maintained securely.
The final piece is the technology, and here Siemens is working on solutions that can enhance the secure digitalisation of rail. Andrew Chan, development engineer at Siemens Mobility’s Centre of Excellence, describes how the company is looking at extracting information from a digital rail asset without the potential risk of exposing it to external attacks.
“A data diode basically allows data to flow in one direction and in that way, we can safely get safety critical information from our axle counters and interlockings out into the IT environment. That’s where we can do amazing things with data.”
Other technologies that Siemens are deploying include edge processing for intrusion detection, and cloud services to mine data for cyber security analytics.
Servicing all areas is an example of Siemens’s distinct approach, said Baker.
“We’re probably one of the few total solution providers – we design the interlocking hardware, we design the control systems, all the network requirements and defences are part of the safety case, we design the networks and even the analytics, so every layer is internal. We’re one of the few organisations that can give you everything from broad level design of the signals and the railways, right through to the cloud analytics which tells the asset owner how the infrastructure is performing.”
While Siemens has a number of areas of the business which deal with rail cyber security, its industrial security services provide the hardware and software services, as well as professional services to rail customers.
These industrial cyber security solutions are provided across three key pillars: security assessments, security optimisation, and security management, all underpinned by a holistic approach to industrial security, known as the Defence in Depth security framework.
“Defence in Depth is having as many security measures and layers in the infrastructure as possible based on well-known security best-practices and frameworks. It provides us the ability to have a depth of staggered defences in infrastructure,” said Maillet.
As Australia grapples with the increasing cyber threat, increasing resilience will be a key factor in the success of the digitalisation of rail.