The infrastructure of rail has always been complex

Today, that complexity is confronted by a new challenge – interconnectivity.

With digitalisation becoming an ever more prevalent and necessary process of change, the legacy mechanisms that remain at the core of rail are becoming interwoven with new digital & IoT components.

Automated interfaces are being introduced to help facilitate asset management. Predicted increases in weather extremity mean that digital analytic tools that assess track integrity are becoming essential for safety. These are but two examples that highlight the growing role of digital technology in enhancing rail infrastructure. Digital capabilities offer new opportunities to the industry, helping to optimise the interoperability of old and new assets and strengthen the safety of rail travel. But they also introduce a new challenge: they open up rail networks to cyber-attacks.

Ensuring the security of these systems, therefore, is essential to maintaining the efficiency and safety of rail travel for both customers and industry professionals alike.


Protect: Integrity & Identity Management

Complexity within a network typically means a diversity of assets. This has always caused operational and management challenges within the rail industry. The introduction of digital assets helps to relieve these old headaches but opens up potential avenues of entry for threat actors into the environment.

Critical data underpins railway networks, and its security is the key to maintaining safety and efficiency. Read more about the importance of data security and the solutions that maintain it below:

The security of the rail network critically depends upon the authentication and management of new technology. Recognising this, we have developed a new automated management interface that we call OKMS – or ‘Online Key Management System’ – in partnership with Network Rail in the UK.


Regulation & Compliance

To keep up with the evolving digital landscape, the sector is increasingly subject to regulatory pressures, consideration of which is becoming an essential aspect of operations.

Notable among these regulations is IEC 62443, which focuses on the security of industrial communication networks and systems, essential for the safe operation of digital railway systems. Similarly, CLC TS 50701 specifically addresses cybersecurity in railway applications, underlining the sector's unique security needs.

The Network and Information Systems Directive (NIS-2) mandates the security of network and information systems in Europe, vital for uninterrupted and secure rail operations. And the Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements.

These are but a few examples of the various rules and regulations that are coming into force across the rail industry worldwide. Thales specialises in turning engineering expertise towards consultancy, and is currently supporting a wide number of rail organisations in their compliance with these demanding standards.


Stay on Track: Security Monitoring and Operational Technology (OT)

A comprehensive oversight of operations is essential for maintaining the defensive posture of a network. This principle is even more vital for rail given the naturally convoluted nature of its infrastructure.

The term ‘Security Operations’ covers a vast array of solutions that differ wildly in structure and purpose, each of them appropriate in their own way to rail. These include standard SOC as a Service, Threat Intelligence, and Detection & Response capabilities.

Operational Technology, or OT, lies at the core of railway operations. Over years of engineering & security consultancy, Thales has developed a range of OT Security solutions & services, including monitoring & asset discovery, network architecture reviews & a managed detection & response solution specifically for OT environments.


Ballasts, Fasteners & Sleepers: End-to-End Security & Resilience

The ever-growing threat of cyber-attack to rail as a critical infrastructure globally has demanded a shift in design philosophy to increase the adaptive resilience of trains, their tracks, and the networks that connect them. 

Rather than treating security solutions as an afterthought secondary to network or product design, ‘Secure By Design’ or ‘SBD’ seeks to embed security awareness and - crucially - resilience into the design process itself. 

As the operations of the rail industry grow increasingly reliant upon digital technology, implementation of the ‘SBD’ set of principles hardens this highly complex environment by identifying potential attack avenues early in the design lifecycle of both in-cab and trackside equipment alike.


Railway Resilience: Secure by Design

The developing threat of cyber-attack upon railway infrastructures means that the application of a ‘Secure by Design’ approach is becoming critical. 

Secure by Design

The foundational premise of ‘Secure by Design’ is to identify potential threats and vulnerabilities at each stage of the design process, taking measures to build around them accordingly:

  • Rather than treating security as a supplementary addition, this approach seeks to embed security measures into the very fabric of the network’s design.
  • Modern rail environments are changing at a phenomenal rate. To keep up with this, the tactics and approaches of threat actors are changing, too. The traditionally linear approach to infrastructure design is quickly becoming unsustainable as a result.
  • The implementation of a ‘Secure by Design’ approach doesn’t just apply to technology, however; it involves the establishment of new risk-aware processes to facilitate an effective response to issues as and when they arise.
  • What makes this approach particularly important for rail is its ultimate emphasis on resilience. Attacks are, unfortunately, inevitable, but a resilient rail network has the capacity to withstand and adapt to all kinds of disruptive events, allowing operations to continue even at risk.
  • Fundamentally, and perhaps most importantly, the ‘Secure by Design’ approach fosters a universal culture of continuous improvement and adaptation for everyone involved in rail operations. This ongoing effort helps to ensure the efficiency and safety of our railways long-term by embedding a resilient attitude amongst its people and technology alike.

Data Security and Identity Verification within Rail: OKMS and Beyond

The introduction of digital components into a rail network affords a multitude of operational enhancements never seen before by the industry. But with each new component introduced comes a new avenue of entry for cyber threat actors. Successfully managing these newly diversified environments using human interfaces is a very difficult achievement. Doing so while ensuring the security of network data & the integrity of asset identities is nigh-on impossible. Thankfully, modern digital technology offers a range of automation systems. Critically, however, these systems must be underpinned by a robust authentication management system, which constitutes much of the difficulty in their design and rollout. 

Online Key Management System (OKMS)

To address this challenge, Thales have worked closely with Network Rail to engineer an OKMS, built from the ground up with the complexity of rail networks specifically in mind.

Key management solutions built on PKI (Public Key Infrastructure) technology:

  • At its heart, the OKMS is a Key Management solution, underpinned by Thales’ own robust PKI technology, that facilitates, automates and secures the transmission of data between digital assets whilst simultaneously verifying the identities of those assets, enabling trust within the network.

  • Previous key management systems in use across the industry have been restricted to offline use. The OKMS is the first of its kind, using in-built connectivity capabilities to provide a far more agile level of automation.

  • This includes the exchange of safety critical data between trackside devices and in-cab ETCS (European Train Control System). ETCS enables fast, Europe-wide train connections, and Thales have played a vital role in its design & standardization, utilising Thales KMC (Key Management Centre) as its foundation. It prevents each train from exceeding its maximum speed, enabling maximum use to be made of the line and ensuring functional safety and security at the same time.