Rail cyber

Contact us
istock-1059326084_0 See exemple

The infrastructure of rail has always been complex

Today, that complexity is confronted by a new challenge – interconnectivity.


With digitalisation becoming an ever more prevalent and necessary process of change, the legacy mechanisms that remain at the core of rail are becoming interwoven with new digital & IoT components.

Automated interfaces are being introduced to help facilitate asset management. Predicted increases in weather extremity means that digital analytic tools that assess track integrity are becoming essential for safety. These are but two examples that highlight the growing role of digital technology in enhancing rail infrastructure. Digital capabilities offer new opportunities to the industry, helping to optimise the interoperability of old and new assets and strengthen the safety of rail travel. But they also introduce a new challenge. They open up rail networks to cyber-attacks. 

Ensuring the security of these systems, therefore, is essential to maintaining the efficiency and safety of rail travel for both customers and industry professionals alike.

intelligence-detect

Comply with regulations

The rail sector is also today increasingly subject to a variety of rules and regulations. Compliance has become a critical aspect of operations and you need to get support from the right people to address it. You should ensure the compliance to local ground transportation regulations as well as international ones through local experts having a strong knowledge : IEC 62443, CLC TS 50701, IEC 63452, ISO 27001, NIS2 and many others!

Learn more
intelligence-detect

Know your system

You need to manage assets and configurations at a fine-grained level thus monitoring system obsolescence continually. It is also mandatory to conduct ongoing cybersecurity risk analysis, including safety-informed security assessments for safety-related systems. All this, will help you being aware of any Operational Technology equipment linked to your network to better assess their potential vulnerability level and secure them.

Learn more
intelligence-detect

Investigate threats & vulnerabilities

To ensure you security, you should stay informed about new vulnerabilities and their potential impacts, in order to adapt security controls accordingly as well as remediation plans. It can be supported by the subscription to a rail-specific cybersecurity threat intelligence service for proactive measures ensuring cyber resilience over time.

Learn more
intelligence-detect

Build a securely designed system

Use Secure By Design principles in order to ensure cyber security across the complete life cycle of the system and of its components. This should also incorporate security principles: defense in depth, zoning/partitioning, zero trust, least privilege… Thus, you should focus on securing safety-critical assets, through the implementation of tailored security measures as risk analysis.

Learn more
intelligence-detect

Manage events & alarm logs

To ensure an ongoing threats monitoring and response, you should collect and centralize events and logs for Security Operations Centre (SOC) analysis. This can be done through the integration of rail-specific detection functions into SOC capabilities. To complement, you will have to assess, qualify, contain, mitigate and recover from advanced cybersecurity incidents through a specific methodological framework and dedicated tools!

Learn more
intelligence-detect

Harden configurations

To secure your system, there is the need to implement best practices for hardening hardware, software and configuration data thus enforcing strict input controls, including on removable media.

Learn more
intelligence-detect

Secure identity & access

You should be accompanied in your process to put in place robust physical and logical identity and access controls while segregating and monitoring, on a a daily basis, privileged and operational accounts.

Learn more
istock-656773854_1

Protect: Integrity & Identity Management

Complexity within a network typically means a diversity of assets. This has always caused operational and management challenges within the rail industry. The introduction of digital assets help to relieve these old headaches but open up potential avenues of entry for threat actors into the environment.

Critical data underpins railway networks, and it’s security is the key to maintaining safety and efficiency. Read more about the importance of data security and the solutions that maintain it below:

The security of the rail network critically depends upon the authentication and management of new technology. Recognising this, we have developed a new automated management interface that we call OKMS – or ‘Online Key Management System’ – in partnership with Network Rail in the UK.

sample-slider-sectors

Regulation & Compliance

To keep up with the evolving digital landscape, the sector is increasingly subject to regulatory pressures, consideration of which is becoming an essential aspect of operations.

Notable among these regulations is IEC 62443, which focuses on the security of industrial communication networks and systems, essential for the safe operation of digital railway systems. Similarly, CLC TS 50701 specifically addresses cybersecurity in railway applications, underlining the sector's unique security needs.

The Network and Information Systems Directive (NIS-2) mandates the security of network and information systems in Europe, vital for uninterrupted and secure rail operations. And the Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements.

These are but a few examples of the various rules and regulations that are coming into force across the rail industry worldwide. Thales specialises in turning engineering expertise towards consultancy, and are currently supporting a wide number of rail organisations in their compliance to difficult standards.

istock-664994678

Stay on Track: Security Monitoring and Operational Technology (OT)

A comprehensive oversight of operations is essential for maintaining the defensive posture of a network. This principle is even more vital for rail given the naturally convoluted nature of its infrastructure. 
The term ‘Security Operations’ covers a vast array of solutions that differ wildly in structure and purpose, each of them appropriate in their own way to rail. These include standard SOC as a Service, Threat Intelligence & Detection & Response capabilities. 

Operational Technology, or OT, lies at the core of railway operations. Over years of engineering & security consultancy, Thales has developed a range of OT Security solutions & services, including monitoring & asset discovery, network architecture reviews & a managed detection & response solution specifically for OT environments.

istock-538801788

Ballasts, Fasteners & Sleepers: End-to-End Security & Resilience

The ever-growing threat of cyber-attack to rail as a critical infrastructure globally has demanded a shift in design philosophy to increase the adaptive resilience of trains, their tracks, and the networks that connect them. 

Rather than treating security solutions as an afterthought secondary to network or product design, ‘Secure By Design’ or ‘SBD’ seeks to embed security awareness and - crucially - resilience into the design process itself. 

As the operations of the rail industry grow increasingly reliant upon digital technology, implementation of the ‘SBD’ set of principles tightens the impenetrability of this highly complex environment by identifying potential attack avenues early in the design lifecycle of both in-cab and trackside equipment alike.

istock-1475900326

Railway Resilience : Secure by Design

The developing threat of cyber-attack upon railway infrastructures means that the application of a ‘Secure by Design’ approach is becoming critical. 

Secure by Design

The foundational premise of ‘Secure by Design’ is to identify potential threats and vulnerabilities at each stage of the design process, . 

taking measures to build around them accordingly:

  • Rather than treating security as a supplementary addition, this approach seeks to embed security measures into the very fabric of the network’s design. 
  • To keep up with this, the tactics and approaches of threat actors are changing, too. The traditionally linear approach to infrastructure design is quickly becoming unsustainable as a result. 
  • The implementation of a ‘Secure by Design’ approach doesn’t just apply to technology, however, it involves the establishment of new risk-aware processes to facilitate an effective response to issues as and when they arise
  • What makes this approach particularly important for rail is its ultimate emphasis on resilience. Attacks are, unfortunately, inevitable, but a resilient rail network has the capacity to withstand and adapt to all kinds of disruptive events, allowing operations to continue even at risk. Modern rail environments are changing at a phenomenal rate. 
  • Fundamentally, and perhaps most importantly, the ‘Secure by Design’ approach fosters a universal culture of continuous improvement and adaptation for everyone involved in rail operations. This ongoing effort helps to ensure the efficiency and safety of our railways long-term by embedding a resilient attitude amongst its people and technology alike.
istock-871464594

Data Security and Identity Verification within Rail: OKMS and Beyond

The introduction of digital components into a rail network affords a multitude of operational enhancements never seen before by the industry. But with each new component introduced comes a new avenue of entry for cyber threat actors. Successfully managing these newly diversified environments using human interfaces is a very difficult achievement. Doing so while ensuring the security of network data & the integrity of asset identities is nigh-on impossible. Thankfully, modern digital technology offers a range of automation systems. Critically, however, these systems must be underpinned by a robust authentication management system, which constitutes much of the difficulty in their design and rollout. 

Online Key Management System (OKMS) 

To support this challenge Thales have worked closely with Network Rail to engineer an OKMS, built from the ground up with the complexity of rail networks specifically in mind. 

Key Management solutions on top of PKI, Public Key Infrastructure Technology :

  • At its heart, the OKMS is a Key Management solution, underpinned by Thales own robust PKI technology, that facilitates, automates and secures the transmission of data between digital assets whilst simultaneously verifying the identities of those assets, enabling trust within the network. 

  • Previous key management systems in use across the industry have been restricted to offline use. The OKMS is the first of its kind, using in-built connectivity capabilities to provide a far more agile level of automation.

  • This includes the exchange of safety critical data between trackside devices and in-cab ETCS (European Train Control System). ETCS enables fast, Europe-wide train connections, and Thales have played a vital role in its design & standardization, utilising Thales KMC (Key Management Centre) as its foundation. It prevents each train from exceeding its maximum speed, enabling maximum use to be made of the line and ensuring functional safety and security at the same time.

istock-1516055460_0