How does RISQS help with key issues for rail cybersecurity?
Cybersecurity is increasingly recognised as essential in order to maintain the safe and efficient operation of systems in a wide range of industries. Rail has some unique features that any effective cybersecurity system needs to address. What are these, and how does RISQS help?
The importance of cybersecurity has increased constantly since the initial introduction of digital systems and digital data throughout many industries many years ago. As the use of digital technologies became embedded in core operating processes, cybersecurity changed from being a ‘nice to have’ to a critically important function. This is especially true for safety-critical industries. Nowadays, cybersecurity is recognised as essential to ensure that digital systems do not become corrupted with invalid data and that the integrity of digital systems’ operation is protected.
For most industries, there are three main places where data integrity can be breached:
- between different software systems operating within a private network serving a particular organisation
- between private organisation systems and public internet networks
- between software and equipment that is produced at different times.
However, cybersecurity in rail must address additional needs that make its implementation particularly challenging. Firstly, rail is a safety-critical industry. This makes the integrity and reliability of digital systems essential, rather than merely ‘important’ as in other industries. Secondly, the railway uses multiple digital technologies in multiple ‘central’ operational systems, multiple types of trackside assets and multiple types of moving assets. The railway also communicates with its customers digitally, whether they be passengers or freight firms. Communication between all these needs to be secure, timely and accurate, including at ‘technically remote’ locations between onboard train systems and trackside. Thirdly, the railway operates as an integrated system at a nationwide scale. And the railway achieves all this through many different companies and organisations. This further increases the number and range of different digital systems that need to communicate with each other securely, on time and accurately.
The overall result of all these features is that the railway has a huge number and complexity of potential cybersecurity breach points. This means that rail cybersecurity is both essential and extremely difficult.
Despite these challenges, some rail businesses are already implementing cybersecurity systems. Within the UK these businesses include West Midlands Trains and Northern Trains. These firms have implemented cybersecurity systems on some trainsets respectively, on rolling stock from different manufacturers. Cybersecurity is being used successfully in the UK railway, even in the technologically challenging conditions of operational rolling stock. Work is also underway to incorporate cybersecurity systems in new rolling stock so that it is ‘digital from the factory gate’.
In addition to railway-specific expertise, the deployment of railway cybersecurity is significantly enabled by the development of industry standards. These include National Institute of Standards and Technology SP 800-94 (‘Guide to Intrusion Prevention and Detection Systems’) from the USA, the International Electrotechnical Commission’s standard IEC 62443, and the Cyber Assessment Framework (CAF) from the UK’s National Cyber Security Centre. Further standards are already expected, including from the European Committee for Electrotechnical Standardization (CENELEC) with which the GB railway already has strong standards connections.
However, the suitability of cybersecurity services for the railway is also enabled by RISQS. RISQS is the independent organisation with an established track record in assessing the quality of products and services for the railway, giving railway purchasers assurance about specific products or services. Railway cybersecurity is still a relatively young field, and new entrants to the market are expected and welcome. RISQS is therefore ideally placed to provide assurance for railway cybersecurity too. It has the processes to document this assurance, and its independent technical experts provide the necessary technical expertise. RISQS is delighted to provide assurance for new and existing products in cybersecurity, playing its part in the development of this sector for the benefit of the whole railway.
Keep up with the industry
Sign up to the RISQS mailing list for the latest rail industry news and member updates.