Rail Industry Considers its Vulnerability to Cyber Attacks

SINGAPORE – WORLDWIDE – At the 26th Intelligent Transport Systems World Congress here this week concerns were raised regarding the risk to rail transport from cyber crooks. The general consensus was that there was no 100% secure defence against determined hackers and the sector has certain specific vulnerabilities.

Rail borne traffic, be it passengers or freight, travels on a system in which there are a plethora of components, many of the generally available legacy type rather than originally manufactured equipment specific to a particular purpose.

This presents a potential hacker with a variety of vulnerable targets and the subject is one of concern for such as the Singapore Land Transport Authority's (LTA) chief information security officer Huang Shao Fei who, addressing the Congress, said:

"You do not really know how to certify the security of these components that go into these boards and cards that you put into the railway system. If you look at how [the cyber threat] is evolving, it is going to become even more nefarious, more serious.

”Hackers have the resources and capability to pose a real threat. They are far ahead of us, whether you like it or not. There will never be a situation where we can catch up with them, and really the worry is that they have something up their sleeves which we are not even aware of.”

Some of the software components which go into Singapore’s rail signalling and control systems are the product of French group Thales, and earlier this month the company, together with cyber-intelligence firm Verint, published the Cyberthreat Handbook which concludes that, after the Government/Defence, Finance and Energy sectors, transport is the fourth most at risk from cyber criminals.

This of course will come as no surprise to anyone familiar with the cases in the past year or so when two of shipping’s major concerns, AP Moller Maersk and Clarksons, were attacked causing a massive bill, particularly for Maersk.

All the speakers at the congress agreed that it is impossible to be completely immune to risk, particularly with the slough of new intelligent technologies being introduced. Whereas staff can be trained not to allow virus entry via suspect emails etc. the threats of the future are likely to come with the introduction of smart devices, autonomous cars and so forth which instantly become an integral part of a system, and therefore a 'way in'.

As prescribed with maritime threats to shipping the first priority for such as the rail industry is to look closely at educating original equipment manufacturers to try and ensure that all components introduced are able to withstand attack.

Declaring October to be ‘Cybermonth’ recently, Patrice Caine, Chairman and CEO of Thales said that ‘Cybersecurity is the new oxygen of our lives. It is an ongoing concern and a pre-requisite to do digital business’, and a download of the company’s Cyberthreat Handbook is available here.

Earlier this month Singapore's Coordinating Minister for National Security, Teo Chee Hean, announced a cyber-security ‘master plan’ to protect operational technologies devised by the Cyber Security Agency of Singapore (CSA). The plan aims to protect against attacks on utilities such as water supplies and transport systems.

Photo: The complexity of rail signalling and control systems make them a likely target for determined hackers.