
Keeping Rail, Metro Networks Safe From Cyber Threats

Rail and metro networks are at an increasing risk from a wide variety of cyber attacks. (Photo Credit: David Gubler)
Cybersecurity has rapidly risen to become a top priority for rail and metro operators. Mark Simmons talks to UITP Senior Manager Miryam Hernández and UITP’s Cybersecurity Committee Chair Paul Gwynn to discover how operators can become cyber-resilient.

“Cybersecurity is the evil twin of digitalization,” says Paul Gwynn, Chair of the International Association of Public Transport’s (UITP) Cybersecurity Committee and Business Development Director of German consultancy Init. “We have to talk more about it and be excited about it. It will bite us very, very hard if left alone.”

And yet, for a long time, cybersecurity has not been openly discussed. When cyberattacks hit (see panel below on London) they were often looked at as an embarrassment and details kept away from the public gaze. At the same time, understanding of threats and how to counteract them was low—not just in the transport sector, but across public and private-sector organizations as a whole. Perceived solutions were correspondingly primitive, often consisting of nothing more than anti-virus software and a firewall.

“There was a lack of ownership of the issue among operators, who saw it as a vendor issue or IT department problem,” says Gwynn, who was commissioned by UITP’s Executive Board to write a governance paper on the topic. The 12-page document was published in 2017 and will be replaced by an action paper in Q2 2025. “The purpose of that is to inform executives in any organization of their liabilities.”

UITP set up a dedicated cybersecurity committee in 2022 when it realized that the challenges facing the industry weren’t being adequately addressed either by member organizations or by a number of working groups within UITP itself. “We already had a security committee, but that was focused largely on physical security,” explains UITP Senior Manager Miryam Hernández. She says it had become clear that there were issues surrounding hardware, such as CCTV, for which there were no standards or guidance. “Members were using off-the-shelf solutions that weren’t providing adequate security,” she says.

Cybersecurity First Steps for Operators

Step 1: Conduct a high-level risk assessment.
Step 2: Conduct a risk assessment for every OT system and subsystem.
Step 3: Conduct a risk assessment for every IT system or subsystem.

Source: Cristiano Stifini, Head of Corporate Security, ATAC, Rome

Consequences then were relatively minor, such as when a European rail operator’s CCTV system covering a number of stations was hacked by university students, but the implications were clear. “We found the same issues applied with communications, for example radios and Bluetooth devices,” Hernández says. “Typically, the systems were open, with no encryption.”

One of the Cybersecurity Committee’s main tasks has been to publish papers that inform and advise the industry. In doing so, UITP has looked at what other industries have been doing and repurposed learnings from those who are significantly more advanced, such as the energy supply sector.

Tendering

“Our first major paper was on incorporating cybersecurity into the tender process,” Gwynn says. “People didn’t know how to deal with cybersecurity in procurement. Tenders either didn’t mention it, or stuck it on vendors.” Realizing that retrospectively bolting on requirements to existing tenders was far from ideal, the cybersecurity committee spent two years coming up with their own sample document from scratch.

“Cybersecurity needs to be considered very early in the tender process—otherwise you find you don’t have a budget for it,” says cybersecurity consultant Serge Van Themsche of Waterfall Security Solutions. “It’s also important to consider obsolescence when tendering, as you may need to buy a system three or four times in an operational product lifecycle.”

“We should really forget the image of a cybercriminal as a schoolboy hacker in a hoodie.”

— Corinne Gutierrez, Senior Cybersecurity Advisor, RATP

Gwynn suggests that although the UITP’s Cybersecurity Committee has brought the topic out into the open, its work is likely to continue for the foreseeable future as new threats emerge and understanding of cyber threats grows. Its work is focused on three areas: governance; cybersecurity by design; and building capacity.

Earlier this year the committee published a paper and toolkit aimed specifically at small and medium-sized operators. “We wanted to give them examples of things they could do themselves,” Gwynn says. Smaller operators often outsource IT, so don’t necessarily have dedicated staff in-house. Strategies have been introduced by the cybersecurity committee to train people on the job, focusing on how to help UITP members to build their own capacity, while also working to bring credible cybersecurity experts into the sector to bridge the gap.

UITP believes there are three pillars for cybersecurity: people, policies and procedures, and physical protection. The latter is seen as the easiest to implement and typically involves adding layers of technical protection. Policies must be fit for purpose and supported at the highest level within an organization. But the most important pillar is undoubtedly people, and it is here that UITP has been focusing on providing training opportunities and fostering a culture of awareness.

People Factors

“People are often responsible for security vulnerabilities,” explains Gwynn, “with 85% of all breaches having a human factor in them. They’re often accidental. So really, a big part of what we’re dealing with is training, awareness, and testing. It’s also worth mentioning that people are also the greatest line of defense.”

The UITP Security Committee has devoted a considerable amount of time and effort to ensuring that standards are in place that are relevant and effective for the transport sector. “In general, standards are transferable, though they might need interpreting and that’s what we do,” Gwynn says. “If you work to some kind of standard, you can generally expect fewer sanctions or none at all if things go wrong.” UITP reports that compliance with standards ranges from excellent to dreadful, but notes that compliance has been rewarded during real-world cybersecurity breaches, such as a case where a €20m fine was subsequently reduced to €80,000.

“The focus needs to change to building cybersecurity in from the very start.”

— Paul Gwynn, Cybersecurity Committee Chair, UITP

Where standards have been developed and refined for main line railway operations, they are then further refined by UITP for urban public transport. This has proved beneficial for measures to protect CBTC signaling systems on metro networks, for example.

Operator Perspectives: Taking a Proactive Approach

“Defending railway systems against cyber threats must be a proactive approach,” says Ho Wing Chan, Deputy General Manager–Operations Innovation Hub, at Hong Kong operator MTR. He points out that many operators are simultaneously transitioning from traditional railway systems, which are hard-wired, isolated from each other and run dedicated applications, to smart systems that are computer-based, involve the convergence of IT and OT (such as the growing digitalization of rolling stock) and have external interfaces, such as with the Internet of Things (IoT) and the cloud. Consequently, these systems and the networks they control are at much greater risk of attack than ever before.

Chan estimates that a typical rail network will have more than 20 systems that are vulnerable to cybercrime. But he says: “Very few attacks affect core systems, and are most likely to be ransomware attacks, but out of prudence operators might still feel the need to shut down their networks.”

Chan suggests that there are five key groups (see below) who present cyber threats and that insiders are often overlooked as the source of potential cyber incidents. One thing that all groups have in common is the potential ability to compromise safety, affect services and impact financial resources. “Above all,” he says, “they can severely damage reputation, something that is hard to recover from.”

MTR has developed a cybersecurity governance model to counter cyber attacks. (Courtesy of IRJ)

With the types of cyber threats multiplying, from distributed denial of service (DDoS) attacks, through ransomware and advanced persistent threats (APT), to deepfakes, Chan says that MTR has developed a cybersecurity governance model to both minimize and counterbalance the effect of actual and potential threats.

“We should really forget about the image of a cybercriminal as a schoolboy hacker in a hoodie,” says Corinne Gutierrez, Senior Cybersecurity Advisor at Paris public transport operator RATP. “The reality is that hacking is now a service. Hackers are very professional; in fact, they work like us.”

Gutierrez says that awareness of how an individual organization can be impacted is crucial. She points out that while the majority of attacks so far are on IT systems, in the future OT systems, the hardware that is the backbone of the railway, such as points and signals, overhead catenary and the trains themselves, will be increasingly targeted. “Ransomware is currently the most significant threat for the transport sector,” she says, with hacktivist activity increasing significantly in the last two years. As a result, RATP is preparing a cyber resilience plan and Gutierrez advises others to follow suit. “You can start by applying crisis management principles already in place to cybersecurity,” she says.

Cyber threat actors

  • Insiders: disgruntled employees and those who inadvertently cause a breach due to negligence.
  • Individual hackers: malware authors, phishers or spammers.
  • Criminal organizations: profit-based, they typically use malware to steal data to sell on the black market or demand a ransom.
  • Nation states: well-funded, undertaking political or economic espionage or sabotage.
  • Terrorists: destroying or damaging critical infrastructure, threatening national security and causing harm to citizens.

Source: MTR

UITP’s Cybersecurity Committee is likely to be busier than ever over the coming year as it takes strategies onboard from its secure by design working group. “The focus needs to change to building cybersecurity in from the very start,” Gwynn says.

“That means identifying who needs to do what at the design stage. An organization needs to understand what it expects of its vendors.” While previously cybersecurity was a hidden cost, it is increasingly understood to be part of a service that operators pay for. “I can see a point coming where vendors won’t supply equipment without a service contract,” Gwynn says.

The committee’s mission to educate continues with the development of UITP’s own cybersecurity diploma, which will eventually comprise eight modules for graduate-level staff. “Commercial courses don’t use language that transport people understand, so we’re preparing a course that is specifically tailored for transport professionals,” Hernández says. No date has been fixed for the completion of the whole course, with new modules likely to be added as the cybersecurity committee releases new guideline reports.

Gwynn is delighted that his committee’s work has become so mainstream over a relatively short period of time, with several sessions dedicated to it at the IT-Trans event in Karlsruhe in May, and many products launching with cybersecurity protection built in at InnoTrans in September. “There has been a remarkable change in the last five years. And I have a sense people are quickly understanding what needs to be done,” Gwynn says.

London, Other Cities Hit by Cyber Attacks

Transport for London (TfL) called in specialist government agencies and took some functionality offline as it investigated a cyber attack that is believed to have taken place on Sept. 1. In a statement issued on Sept. 6, Shashi Verma, TfL’s Chief Technology Officer, said: “We identified some suspicious activity and took action to limit access. A thorough investigation is currently taking place and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident.”

TfL services weren’t impacted. Although TfL said at first that there was no evidence that any customer data was compromised, by Oct. 10 it had discovered that some data had been accessed, including names, email addresses and home addresses, plus, for up to 5,000 customers, bank account numbers and sort codes.

Transport for London suffered a cyber attack in September. (Courtesy of IRJ)

Access to some online services, such as live travel information updates and the portal for pass applications, was temporarily suspended, and as IRJ went to press had not yet been reinstated.

London’s public transport network is classified by the British government as critical national infrastructure (CNI). It says compromising CNI or its loss “would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences, or to loss of life.”

Other notable cyber attacks have been reported in recent years by Italian State Railways (FS) and its subsidiaries Trenitalia and Italian Rail Network (RFI), which suffered a major ransomware attack in March 2022, and Danish State Railways (DSB), whose services were disrupted for several hours in October 2022 following a cyber attack on its IT supplier.

Data thefts have similarly been reported by US Class I freight railroad Norfolk Southern (NS), short line operator OmniTrax and the New York Metropolitan Transportation Authority (MTA), as well as at commuter operator Merseyrail in Britain and regional passenger operator Lokaltog in Denmark.