Corrado Giustozzi, senior cybersecurity strategist at SELTA, reaffirmed that information is power. For example: the largest taxi company (Uber) owns no cars, yet its value is 15 times that of Hertz; the most popular media provider (Facebook) produces no content, yet holds data on millions of customers; and the largest property rental company (AirBnB) has no property. These and other examples confirm that value is often expressed in control of information and control of business processes. The example of Associated Press, which was hacked to report President Obama being injured, showed how the US stock exchange value was negatively affected within minutes – control of information can impact finances in unexpected ways.
Examination of computer systems in the 1970s demonstrated that the main security risk was people, and the arrival of the Internet has driven a massive rise in connected host systems, thereby providing opportunities to intrude maliciously on these hosts remotely via their network connection. With predicted Internet traffic of 5 billion terabytes per day by 2020, the opportunities for intrusion and information misuse are expanding enormously. This is greatly aided by the “Internet of Things”1, where smart devices in all aspects of life are connected to networks, providing further points of intrusion. Yet the human factor is ever present, since people can provide access routes either on purpose (insider threats) or by errors of judgement, emphasising the need for resilient management.
The increasing references to Cyber Space, Cloud, etc. suggest a separate domain of activity, but in reality cyber space is not a separate place: it is the real world, comprising all computer systems and networks, the ‘here and now’. Cyber threats are therefore threats to us, to our organisations, and to our information and control systems. Even systems that seem to do “nothing of interest” present risk, since they are interconnected with others and so provide access routes; all interconnected systems are of interest to cyber criminals, and criminals have always exploited the weakest link.
Many real-world examples were presented to show the range of sophisticated methods used by cyber criminals, including access to Lockheed military secrets2 simply by accessing RSA’s SecurID tokens – the unexpected doorway is often the route for access.
2 Lockheed security breach - https://www.theregister.co.uk/2011/06/06/lockheed_martin_securid_hack
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
Conference Report – Table of contents
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation…”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe – Conference Evaluation Summary – Consensus