Resilient Rail

18 June 2018


The UK’s rail system is in urgent need of increased capacity and efficiency to support an estimated one billion extra journeys to be made by Britons by 2030. Whilst updates and improvements to the physical rail infrastructure continue, a technological solution is being implemented across the UK to shorten travel time, decrease delays and increase connections.

‘Digital Railway’ is the industry’s plan for digitising rail systems, to increase overall capacity and improve performance. In short, it will replace existing signalling and train controls with a digitalised system that will allow trains to travel quicker and closer to each other. This will give us more trains, with better performance, without the interruption of costly infrastructure works that have up until this point been the only solution.

The technology being used is underpinned by government policy and built on open standards that operate across Europe, with the European Rail Traffic Management System (ERTMS) currently replacing traditional signalling throughout Europe, using wireless technology and computerised in-cab signals.

What are the risks?

While this is great for all of us who have waited at a platform for a delayed train, there are security concerns that railway operators and owners should be considering.

The increased connectivity of the critical systems (that under this plan will allow trains to travel closer together at higher speeds) could further increase the potential for cyber attacks to threaten safety and cause a loss of sensitive data. Threat actors’ intentions, as described by DfT’s rail industry cyber security guidance, are wide and varied, “ranging from the desire to cause death, through to the desire to cause minor disruption, inflict reputational damage or steal data”.

A recent look at the news reveals that there is an appetite to target rail systems to create disruption. There have been at least two cases of railway operators suffering DDoS attacks over the past year, either affecting customers’ ability to buy tickets, or train ordering systems, resulting in travel chaos.

What is being done?

In January 2017, security experts from the Rail Delivery Group produced a Rail Cyber Security Strategy aimed at rail industry leaders to address the risks and enable the industry to reduce their impact while preparing for incoming legislation.

One such piece of legislation is the NIS directive, which was agreed by the European Commission in cooperation with Member States. Its intent is to enhance operational resilience and consequently reduce the impact of future cyber attacks targeting the railways and other essential services. It aims to increase the security of NIS within the European Union and came into effect in the UK last month. To provide clarity on the NIS directive, the government has produced practical information for essential transport services. This guidance explains the responsibilities of both railway operators and their competent authority, DfT, which itself has released rail-specific guidance. The key activity for the first year is to establish the incident reporting mechanisms within in-scope organisations and to notify the regulator of all NIS-reportable events.

It is paramount that legislation such as this is adhered to at the same pace as these digitised solutions are introduced. This will not only help avoid further disruptive attacks, but will ensure the rail industry maintains its high safety standards and has secure control systems to reduce the risk of potentially catastrophic events. For more information on this subject one of our partners, Marin Ivezic, has written a fascinating article on railway systems vulnerabilities that takes you from risks and attack history right through to actionable next steps. Please do give it a read, through the following link.

The UK rail industry is currently undergoing significant change, both through the use of new digital solutions and the creation of physically new infrastructure such as HS2. It is imperative that cyber security is baked in throughout the development lifecycle of these large-scale infrastructure programmes, rather than being bolted on as an afterthought.