The introduction of TCP/IP-based networks to railway signalling, telecoms and electrification is now well underway. This will bring many benefits and advantages, but it also introduces a new threat in the form of cyber-crime and a need for cyber-security. These threats may range from the innocent introduction of a virus through to a sophisticated terrorist attack.
In 2012, two US power plants were affected when an employee used a USB stick that was infected with malware. Similarly, some offshore oilrigs have been shut down for up to 19 days following malware attacks launched from USB sticks.
Another example is ‘Stuxnet’. This was discovered in June 2010 and was designed to attack industrial Programmable Logic Controllers (PLCs). PLCs allow the automation of electromechanical processes such as those used to separate nuclear material or to control level crossings (Issue 18 August 2014). Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing five fast-spinning nuclear centrifuges to tear themselves apart.
One railway example was a new physically- isolated operational telecoms system introduced in 2008 which was infected with a virus by a maintenance technician’s USB memory stick.
An anti-virus programme was deployed but, because the system was not connected to a central monitoring system, no action could be taken remotely and, more importantly, there was no easy way of updating the anti-virus programme.
Doing nothing is not an option
It could be argued that it is far too risky to introduce such vulnerable technology for railway operational purposes. Rather, it could seem safer to rely on traditional point-to-point serial communications on the assumption that this will maintain physical isolation from everything else. This misses the point since the new technology offers many advantages, such as remote maintenance diagnostics and monitoring.
Looking forward to the ‘Internet of Everything’, there will also be a requirement to network things we have not yet thought of and these will bring further benefits to reliability, productivity and safety. A totally isolated communication network is therefore no longer sustainable nor is it likely to be achieved.
While some engineers may be tempted to only specify point-to-point serial communications and to consider TCP/IP as not safe enough, they should ask themselves if a traditional relay room housing a transmission node, interlocking or substation is secure from external interference? Often the only security is a simple deadlock, with a key that may be obtained from a well-known on line retailer!
Even if a diverse telecoms link is provided for reliability, two failures of the transmission will lose control. However, a TCP/IP network can be designed with multiple paths for the data packets.
Learning from other sectors
Railways are not alone in needing secure, safe communications. The UK’s national infrastructure is defined by the Government as: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends”. The national infrastructure is categorised into nine sectors: communications, emergency services, energy, financial services, food, government, health, water and transport. Each of these sectors requires secure, reliable communications and the consequences of failure, or insecure communications, can be both economic loss and loss of life.
So whilst some railway organisations may be tempted to go it alone and not invest in modern TCP/IP communications, there are many other sectors which arguably are just as important as railways (if not more so) and they already use networks with TCP/IP. This also means most of the challenges faced in operational networks have already been addressed in enterprise networks and the lesson learned there can be applied to railway TCP/IP communication networks.
So what is the best practise that should be implemented and how can the risk be managed?
The Centre for the Protection of National Infrastructure (CPNI) is a government organisation that provides protective security advice. It defines protective security as “putting in place, or building into design, security measures or protocols such that threats may be deterred, detected, or the consequences of an attack minimised”. Advice is available for physical security, personnel security and cyber security/information assurance.
A framework needs to be established that enables and supports information risk management across the organisation and, while ultimate responsibility for risk ownership should reside at Board level, it needs to be imbedded in all parts of the organisation and not just considered an IT problem.
The level of information risk the organisation is prepared to tolerate in pursuit of its business objectives should be agreed, and a risk statement produced to help guide information risk management decisions throughout the business. This will not be easy or straightforward and there will be many competing priorities.
The risks to the organisation’s information assets from a cyber-attack will always be changing and it should be a regular agenda item for Board discussion. The risk of cyber-attack should be documented in the corporate risk register and knowledge-sharing partnerships with other companies and law enforcement agencies should be encouraged. Cyber-security should not be seen as a one- time fix, but something that needs constant maintenance and update. The components of a risk can change over time so a continuous through-life process needs to be adopted to ensure security controls remain appropriate to the risk.
An overarching corporate information risk policy needs to be created and owned by the Board to help communicate and support risk management objectives, setting out the information risk management strategy for the organisation as a whole. It should not be left to the IT or telecoms departments, nor should each department have its own policy and procedure. All users have a responsibility to manage the risks. Training and user education should be provided which is appropriate and relevant and refreshed regularly. Staff should be encouraged to participate in knowledge sharing exchanges with peers across the business and other rail and non-rail organisations.
Having decided on the level of security required, controls need to be put in place to ensure that the required security level is met. The methods of control that can be put in place to protect an organisation fall into three categories:
Administrative: The policies and procedures for running the organisation from the classification of data to the hiring of staff. Legal and governance requirements fall into this category.
Logical: The systems put in place to monitor and control access to data. These include firewalls, intrusion prevention/detection systems and access control. Logical controls require a co-ordination point, a security operations centre, to manage and operate these systems and a security information and event management (SIEM) platform should be deployed to facilitate this.
Physical: These controls ensure the physical security of equipment and devices. Physical controls include CCTV, door entry systems, fire prevention/suppression systems and alarms. These should be specified and designed by someone with the right competence, and not left to the telecoms, E&P (electrification and power) or signal engineer.
Roadmap to implementation
When planning what to do about cyber- security there are a number of things that should be considered.
First of all, cyber-security needs to be included from the earliest stages of a project. Attempts to retrofit security solutions will almost certainly fail, leaving vulnerabilities in the network. A thorough threat analysis needs to be carried out considering both internal and external threats to security. Statistically, a network is more likely to be attacked from within than outside the organisation via disgruntled employees.
In the past, security involved building a strong perimeter to keep attackers out. The best practice now is to view security in layers using a wide range of solutions to provide monitoring and defence across and throughout the organisation. A Multi-Protocol Label Switching – Virtual Private Network (MPLS-VPN) for operational data is one mitigation against a security threat, but a VPN alone is not designed for security and additional measures should be taken.
The best plan is to keep it simple and not to over-engineer solutions. The ideal security solution is one that enables people to do their work without being aware of it and over- complex solutions can be difficult to support and maintain.
Consideration should be given to the application of recognised good security management practice, such as the ISO/ IEC 27000 series of standards, and the implementation of physical, personnel, procedural and technical measures. Other examples include ISA/IEC 62243 (formerly ISA99) for electronically securing Industrial Automation & Control Systems, IEC 62531 for securing power systems, and BS EN 50159:2010 for railway applications.
An obvious course of action is to limit the use of clear protocols, such as telnet, ftp, http and use to encrypted protocols while making sure that the Simple Network Management Protocol (SNMP) is up to date. This is a protocol for managing devices on IP networks, such as routers, switches, servers, workstations, printers, modem racks and monitoring their health. Similarly all device firmware should be updated regularly.
Robust firewalls between the operational and corporate network are essential. A firewall is, in effect, a filter blocking unwanted network traffic and placing limitations on the amount and type of communication that occurs between a protected network and other networks (such as the Internet, or another portion of the communication network).
Configuring each device to be as individually secure as possible is crucial. Password or pincode security should be implemented on each device both within and attached to the network. Devices can be configured with rate limiting values to avoid flooding the devices with malicious traffic and event logs should be kept resident on each device in the network, with a copy sent to a central system log server for analysis and audit.
Cyber-security should be implemented using a quality assurance system based on; requirements capture – specify – development – design – implement – test – maintain. It should be tested on a regular basis to ensure that it is performing effectively. Penetration testing should be an audit requirement from a corporate governance perspective and ideally should be carried out by an independent third party.
Take it seriously
Managing cyber-security is an increasingly important element of operational network design and implementation. Failure to take it seriously can lead to severe operational difficulties and create the potential to create unsafe situations.
However solutions and tools are available and it is another challenge that railway telecoms, signalling and E&P Engineers must overcome. Other industries face just the same problems and knowledge-sharing partnerships with other companies and law enforcement agencies will simplify the task.