As a vital part of the national economy, the rail industry in the UK is undergoing an increase in demand for transporting passengers and freight. Unfortunately, with the rise of sophistication of cyber attacks, Britain’s critical infrastructure, and its rail system in particular, is becoming more and more vulnerable. Due to interconnected systems, entertainment devices and services, and the integration of digital signalling systems, the attack surface of modern rail systems continues to grow.

Cyber attacks on rail systems are no longer a hypothetical threat. As IT/OT (information technology/operational technology) networks converge in the digital railway, cyber security is paramount.

In 2015-2016, four cyber attacks were reported on the UK railway network. In August 2015, Japan Railways Hokkaido was attacked by an allegedly Chinese-backed group. A more successful attack was conducted in December 2015 by (allegedly) North Korean hackers on a South Korean supplier of railway control equipment. Also in December 2015, a series of attacks took place (allegedly by Russian-backed groups) on a range of industrial targets in the Ukraine.

Fortunately, and despite this disturbing trend, there are ways to reduce the risks of cyber attacks. They can be diminished by following modern best practices for securing industrial control systems (ICS), with a major part of the new regulations including the deployment of unidirectional security gateways.

DfT guidance

The British rail industry is preparing itself to take on cyber security as it embraces digital rail technology. As the threat landscape has changed for rail, all stakeholders must now have a shared responsibility of ensuring the safety and reliability of critical national infrastructure.

Particularly for rail, the industry needs strong cyber security guidance to provide consistency between organisations and interconnections.

This year, the Department for Transport (DfT) released ‘Rail Cyber Security – Guidance to Industry’, stating clearly that signalling networks should be protected with unidirectional gateways and there should be a clear separation between enterprise and operational networks. The DfT is also engaged in an RSSB-led development of a cyber security strategy for the rail industry.

Waterfall’s Unidirectional Security Gateways are hardware-enforced protection which enable safe network integration. The unidirectional gateway allows data to flow out of a control network, such as the signalling system, into an external or corporate network, but prevents any flow of communications back.

By deploying the application replication functionality of Waterfall Unidirectional Gateways, operational personnel are able to have real-time access to operational data and monitor their control system equipment as usual. The gateway makes it physically impossible to hack the control network through this external connectivity.


International solutions

Instituting these measures can enable security teams both to eliminate the possibility of online cyber attacks from these links and to divert their resources to secure secondary and residual cyber risks. Following this best practice puts rail systems in the UK in line with defined blueprints for cyber security at industrial sites around the world. Moreover, unidirectional gateway technology has been adopted by international standards and best practices guidance by many governmental and industry standards bodies worldwide.

In France, for example, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) is responsible for the country’s digital security strategy. ANSSI discourages remote access and encourages the use of unidirectional gateways rather than firewalls.

On class 3 networks, including railway switching systems, they forbid the use of firewalls to connect any class 3 network to a lower class network. The only connection that’s allowed between a class 3 network and a lower class network is through a unidirectional gateway.

Waterfall Security already protects a growing number of rail networks in North America and in other countries around the world.

The company’s market-leading unidirectional security products are deployed globally by all segments of critical infrastructure including power plants, water and wastewater facilities, oil and gas on/offshore platforms, refineries and others.

Written by Andrew Ginter, vice president of industrial security, Waterfall Security Solutions