Cyber-attacks on both company and personal computer systems are an increasing threat to the continuity of business, and there is little chance that this menace will ever go away. There is no way of ‘immunising’ against the threat of attack, nor is there any foolproof method to prevent such attacks from causing harm to the data systems involved.
Cyber-crime takes many forms. At the bottom end is the ‘nerd’ in the bedroom who sees it as a challenge to hack into supposedly secure systems just to see if it can be done. At the top end are rogue states which attack computer systems to seriously harm (or even destroy) a country’s infrastructure or military capability.
Somewhere between these extremes are organisations that hack for espionage, commercial gain, activism or the uncovering of sensitive personal details. High profile lawsuits and public enquiries have made the headlines in recent times, with attention being focussed on the relevance/attractiveness of the target and the possible perpetrators. In the main, the bulk of cyber-crime is financially motivated.
Rail at risk
For the rail industry, the threats are many and diverse, with implications for Network Rail, TOCs/FOCs, London Underground, the supply industry and data support providers. To be hacked is, at best, a nuisance and, at worst, a risk to safety.
Many rail organisations have already experienced attacks, so awareness of the threat is growing. Some firms are employing data security experts to advise on precautions – there is no single high-tech action that can be taken and protection measures follow a logical pattern. Other companies may still believe that either their products will be immune to hacking or that, hopefully, it will not happen to them.
A significant risk exists within the emerging control and communication networks (signalling) and the SCADA system for electrification control, both of which will rely on the nationwide digital communication networks for the distribution and resilience of control data. Whilst enormous efforts are being made to safeguard the safety elements of these systems, cyber-attacks can take many forms. A denial of service attack, against which techniques such as basic encryption offer no protection (encryption safeguards the content of messages, not their delivery), would cause major disruption to train services.
So where is all this leading? A new European Directive has been agreed that will have implications for everyone and should lead to a focussing of minds.
Network and Information Security (NIS) Directive
This has been at the drafting stage for some time and is now approved at the European level, but has yet to be issued. To understand what it is all about, Rail Engineer met with Simon Shooter, James Mullock and John Drake from the law firm Bird & Bird who have been studying the content for some time and recently put out the following statement:
The proposed NIS Directive aims to implement the European Union’s strategy for cybersecurity across Europe. While its scope of application is still under discussion (in particular whether it will apply to digital service providers such as Facebook and Google), it is likely to apply to designated service providers that provide essential services such as energy, transport, financial services, internet exchange points, food supply chain and health. In trilogue meetings in June and October 2015, the European Council, Parliament and Commission reached an agreement on the main provisions of the draft directive, namely:
- The establishment of a network of national Computer Emergency Response Teams (CERTs) to assist with cybersecurity coordination between Member States (MS), whilst allowing MS the flexibility to use existing competent authorities to establish and administer the required ‘institutional infrastructure’;
- The introduction of criteria to allow MS to develop national, sector-specific guidelines on what would constitute a reportable incident;
- The Parliament has also broadly accepted the Council’s preference for voluntary cooperation and information sharing. However, there will be a limited requirement to share information where an incident impacts continuity of service in another MS;
- Information society providers will be governed by a different set of rules from providers of essential services; and
- MS will have discretion to determine which designated service providers are deemed to be providing ‘essential services’ and won’t have to provide a list of essential companies for security purposes.
The latest update on the directive is that the final form has been agreed in principle. A deadline of 21 months for MS implementation of NIS is likely to start in Q1 2016. Companies which take proactive action early will be best placed to protect themselves from the increasingly sophisticated range of cyber threats, whilst simultaneously taking the lead in reassuring their customers, partner businesses and insurers that they have appropriate safeguards in place to protect the data and finances of their stakeholders.
Broadly speaking, this means that any organisation within the scope of the anticipated legislation that does not take into account the threat of cyber-crime and cannot be seen to be taking reasonable precautions to protect against cyber-crime could be in breach of the legislation and thus subject to sanctions.
The directive is to become European law and will be transposed into national law sometime in early 2018. Although it remains to be seen how the English wording of the legislation is written, it is anticipated that the expected compliance requirement will be balanced by a defence of having adopted adequate procedures to guard against cyber threat. It is going to happen, and organisations should begin to prepare for it right now.
So what does it mean?
Some readers will have realised that the onus is being placed on the potential victims of cyber-crime rather than on the perpetrators. This may seem unfair but it is the only pragmatic solution if the menace is to be minimised. Already some regulated industries should be taking all necessary action to remain compliant with their regulatory obligations.
An example would be a business in the financial services sector, where a breach of the regulatory requirements that demand suitable security measures be taken would likely trigger sanctions if the protection of data was found to be inadequate. The recent hacking of records within the telecommunications provider TalkTalk had to be reported because of telecom-specific data protection regulations.
The directive is not intended to be draconian in its policing and member states will be expected to adopt a proactive role in helping organisations comply. There is a realisation that one size cannot fit all. Small companies will not be expected to dramatically increase their expenditure on cyber security, since this could well make them uncompetitive when the risk is likely to be small. For larger organisations, it may be different and significant sanctions may result if a serious breach of data protection law occurs. All this is a bit scary but it is early days and, providing industry guidance is adopted, then punitive action is unlikely.
There continue to be many conferences and seminars on cyber-crime and how to combat it. Companies tend to fall into a number of categories as to their preparedness:
- Unaware – incidents just happen;
- Routine – controlled response to incidents should they happen;
- Planned Reactive – planned response to incidents if they occur;
- Elements of Proactive – some knowledge of what might happen in the future;
- Mainly Proactive – good resilience measures in place;
- Proactive – decisive actions based on fact will be implemented.
The more proactive a company is in this chain of measures, the less likely it will be for any penalties to be imposed. Having a cyber incident response plan in place will be key. Some basic ground rules have been in place for some time to minimise risk of attack and include:
- Having effective firewalls in place;
- Education and knowledge of staff – awareness of disgruntled employees and of careless handling of data devices, such as failing to safeguard personal laptops;
- Control of passwords and access control sequences;
- Constant monitoring of technical data;
- Minimise open TCP/UDP ports;
- A robust process for firmware updates;
- Penetration testing by experts to assess vulnerability.
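The two ground rules about minimising open TCP/UDP ports and constantly monitoring technical data can be turned into a routine check. The script below is an added example, not code from the article or from any rail organisation it mentions: it parses the output of the Linux `ss -tuln` command, compares every listening socket against a documented allow-list, and reports anything unexpected so it can be investigated and closed. The allow-list, the host role and the sample `ss` output are all constructed for illustration.

```python
"""Audit listening TCP/UDP sockets on a Linux host against an allow-list.

Added example (not from the Rail Engineer article or any rail project).
Parses `ss -tuln` output and flags listeners that are not documented, so
that an unexpected open port shows up in routine monitoring rather than
in an incident report. The sample output and allow-list are constructed.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Hypothetical allow-list for a trackside telemetry host: (protocol, port).
# These ports are illustrative assumptions, not taken from any deployment.
ALLOWED_LISTENERS: Set[Tuple[str, int]] = {
    ("tcp", 22),    # SSH for administration from the management LAN
    ("tcp", 443),   # HTTPS API used by the monitoring platform
    ("udp", 123),   # NTP, needed for consistent log timestamps
}

# Constructed sample of `ss -tuln` output so the example runs offline.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0               [::]:123           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128             [::]:502           [::]:*
"""

# Matches "<proto> <state> <recv-q> <send-q> <addr>:<port>"; the address may
# be IPv4 ("0.0.0.0") or bracketed IPv6 ("[::]"), the port a number or "*".
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+")

Listener = Tuple[str, str, int]  # (protocol, local address, port)


def parse_ss(output: str) -> List[Listener]:
    """Return one (protocol, address, port) tuple per listening socket."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not recognise
        proto, addr, port = m.group(1), m.group(2), m.group(3)
        if port == "*":
            continue  # wildcard port, nothing concrete to audit
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(output: str,
                    allowed: Set[Tuple[str, int]] = ALLOWED_LISTENERS
                    ) -> Dict[str, List[Listener]]:
    """Classify each listener as allowed, loopback-only, or unexpected.

    Loopback-only listeners are reported separately: they are not reachable
    from the network, but they should still be known to the system owner.
    """
    result: Dict[str, List[Listener]] = {
        "allowed": [], "loopback": [], "unexpected": []}
    for proto, addr, port in parse_ss(output):
        if (proto, port) in allowed:
            result["allowed"].append((proto, addr, port))
        elif addr in ("127.0.0.1", "[::1]"):
            result["loopback"].append((proto, addr, port))
        else:
            result["unexpected"].append((proto, addr, port))
    return result


def collect_live() -> str:
    """Run `ss -tuln` on the local host (Linux with iproute2 installed)."""
    return subprocess.run(["ss", "-tuln"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Use the constructed sample; swap in collect_live() on a real host.
    report = audit_listeners(SAMPLE_SS_OUTPUT)
    for proto, addr, port in report["unexpected"]:
        print(f"UNEXPECTED listener {proto} {addr}:{port} - investigate and close")
    for proto, addr, port in report["loopback"]:
        print(f"loopback-only listener {proto} {addr}:{port} - confirm it is needed")
    print(f"{len(report['allowed'])} allowed listener(s) present")
```

Run against the constructed sample, the script reports the telnet listener on 0.0.0.0:23 and the IPv6 listener on port 502 as unexpected, the SMTP listener bound to 127.0.0.1 as loopback-only, and four allowed sockets. Scheduling this from cron and forwarding the "UNEXPECTED" lines to the monitoring platform gives the constant monitoring the list calls for without any manual port review.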
In short, multiple levels of protection will be needed to both assess the risk and nature of any attack and then to devote time, thought, energy and money to prepare the business for the necessary action when the attack happens. This will include means to identify and neutralise the cause, then to mitigate and repair the damage so as to restore business, but also to learn lessons from what happened so as to improve protection for the next time.
Advice on what constitutes ‘appropriate’ will always be on offer but one should remember that the situation is not static. Hackers will forever be trying to ‘beat the game’ and thus constant vigilance is necessary with associated updates to protection always being necessary.
One essence of the directive will be the responsibility to report attacks. This is already in place in Germany, Austria and Norway but is only voluntary in the UK. A report will need to be made promptly. Once known, the Computer Emergency Response Team will then probe:
- Was there a serious breach of data protection law?
- Is substantial damage or distress likely?
- Was the contravention deliberate, had the organisation been aware that damage or distress was likely, and had reasonable steps been taken?
- Should a fine be imposed?
Awareness and actions for the rail industry
Most rail organisations are aware of cyber-crime and the need for associated security. To what extent the true level of threat is understood is an unknown – probably rightly so, since high profile public statements and detail are inappropriate for this clandestine world.
The UK government has defined nine categories of essential infrastructure, of which transport is one and communications is another. Rail is a major element of the first and has considerable impact in the second.
The Centre for Protection of National Infrastructure (CPNI) studies and gives advice to all industries involved in the nine categories and is well aware of critical rail systems. Many such rail systems are not unique to the UK – ERTMS, ETCS and GSM-R all have pan-European deployment – and thus a sharing of knowledge with other countries is important. It must also be recognised that the said systems cross the wheel-rail divide, thus involving both infrastructure providers and train operating companies.
Current actions being taken by the rail industry
Cross-industry rail groups are actively working on cyber security. Two are the High Integrity Systems Group (HISG) hosted by RSSB (formerly the Rail Safety and Standards Board), and the Digital Railway Cyber Security Steering Group (DRCSSG) hosted by the Digital Railway programme at Network Rail. HISG is investigating what the cyber risks are and DRCSSG is looking into cyber security for future systems. RSSB also facilitates provision of cyber security guidance from the Department for Transport.
To communicate with the industry, RSSB has formed the Cyber Security Advisory Group (CSAG) that will advise on the development and content of the cyber security strategy. In particular, it will mitigate the risk of duplication of effort and facilitate management of interfaces. The development of the strategy will take into account the NIS Directive as appropriate. The strategy is intended to assist parties in the industry to understand their responsibilities and be able to put in place informed, proportionate and cost-effective measures to mitigate cyber security risk.
The requirement to report cyber-attacks may be easier for rail than other industries since it is already required to have procedures in place to report accidents and near misses. Extending this and educating staff to include cyber-crime could be an important early step.
Unfortunately, there is no ‘silver bullet’, and advice from legal professionals on how to comply with the directive-related cyber legislation will be needed.