Mick Haynes, Technical Director of Hit Rail, addressed the theme of secure networks for collaborative services. Mr Haynes pointed out that without networks there would be few risks, so we should be highly focused on reducing the risks arising from networks: a network focus is mandatory. A range of different networks was reviewed (Internet, internal business network and Virtual Private Networks), and it was shown that despite the many strategies deployed by businesses, the employees using networks (human risk) still manage to reduce resilience through common practices. These passive “insider threats” are greatly compounded by connection to the Internet, where cyber criminals exploit the fundamental insecurity of the Internet. Cyber criminals are tireless and continually search for opportunities to enter any and all business systems where they may find ways to generate financial gains.
Mr Haynes then presented Hit Rail’s VPN (Virtual Private Network) as an example of how secure traffic can be ensured by segmenting sensitive data away from other channels. The VPN is also used as part of a “meshed network” where strategies are deployed to ensure partitioning for the highest security.
Access via a single Internet gateway ensures the highest levels of monitoring for risk avoidance and has been completely successful. Only known private addresses are allowed to connect (no DNS hacking is possible as there is no DNS). Virus detection is state of the art, as is the Cyber Security Maturity Model. All incidents are recorded and analysed; changes of traffic, reduced activity, etc. are referred to the customer before being acted upon, and proactive recovery from incidents is assured. All assets are protected by the latest measures, and no email is allowed (potentially risky traffic).
Hit Rail has been failure free over the last 25 years, and its continuous review and improvement keep it ahead of the risks.
It was shown how the various railway services are protected, and how they carry different levels of risk (e.g. signalling is high risk, and all services relying on the Internet share the risk of easier intrusion).
Critical services are mainly:
- Control systems including signalling.
- SCADA networks.
- Sales services, both passenger and freight.
- Infrastructure monitoring.
- Communication RUIM.
- International Communication for international services.
It was noted that a range of attacks is well defended against by the VPN strategy: physical access; hackers; browser hacks; ransomware; viruses; malware; denial of service (DDoS).
Even DDoS is protected against, since reliance on typical Internet usage is avoided.
The business case for the VPN was examined, and it was shown that just one incident would justify the costs over one year.
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus