UK rail network considers cyber resilience

Cyber-attacks on critical infrastructure, and how to defend against them, was a major topic of discussion at an event entitled “The Digital Railway” held in London last week.

The digital systems running the UK’s rail network are becoming increasingly automated as well as linked together, posing new opportunities and risks, speakers noted at the event, held by insurance firm RSA.

“It’s a way of thinking. It’s not just about stone and steel anymore; it’s about bytes, bits and digits,” said Peter Gibbons, chief security officer at Network Rail, the public body owner and infrastructure manager for most of the UK’s rail network.

One of the major challenges for the rail industry is one of “underlying skills and culture”, Gibbons suggested. “IT is not seen as rail, but the business is IT,” he added.

Cyber-security should be not treated as an IT topic but as a leadership issue, said Mark Newton, policing and security coordinator for the Rail Delivery Group, a lobbying group representing train owners and operators.

However, the rail industry is still “having that debate”, Newton said.

“Digital technology increases the speed and scale at which things happen, with less friction,” said Gibbons.

Gibbons stressed that “it’s already a reality that computers run the rail network”, although this perception is not universally shared.

“However, because of that, when things do go wrong, they can go wrong very quickly and go very wrong,” he added.

Automation and “hyper-connectivity” can heighten the risks, Gibbons explained, once all the systems are joined together.

He highlighted the problems of managing cyber risk within an industry where many stakeholders own different systems that all work together.

Network Rail published its first cyber strategy in 2013. While much effort has gone into preventing the likelihood of attack and protecting assets, responding to a breach is also an increased focus.

The same “hyper-connectivity” can become a major cyber risk if one system is penetrated, giving an attacker access to other systems.

In this respect, Gibbons said “segmentation” was being pursued, giving the analogy of trying to box in a physical attacker who has gained entry to part of an office building but can be challenged, and barriers erected before they access other more sensitive areas.

Managing the pace of digitisation strategies for modernising rail was a major theme at the event.

David Taylor, account director, ground transportation systems, at transportation systems technology firm Thales, noted the tendency in some other European countries attempting digital transformations of their rail networks “to be very brave, and try to do it all at once, but actually they end up doing it very slowly”.

Gibbons agreed: “There is a tendency in a lot of organisations to run headlong into digital transformation, but you’ve got to keep a strategic focus – otherwise there’s a risk of it getting really expensive and really slow.”

Making sure data are overhauled and ready to be used and integrated before embarking on projects makes sense, Taylor noted, as well as having the right talent and working culture.

“There is a human factor, about communicating and bringing the stakeholders along, which is just as important as getting the technology right,” said Taylor.

“New skills are needed,” added Taylor, referencing a talent shortfall facing the sector, and a rise in apprentice schemes, for example, to make good a shortage of engineers.