Cyber Services
How can Thales help you to upscale the cybersecurity of your railway systems?
From passenger information to CCTV and traffic supervision, IT is more than ever the driving force behind operations on both metro and main line railways. Deployments are vast: a modern Operation Control Centre (OCC) can manage hundreds of thousands of networked devices.
Everything depends on IT working smoothly. But many IT systems are now 10, 20 or even 30 years old. Unless they are regularly maintained, security deteriorates – leaving systems vulnerable to cyber threats.
“Rail operators have inherited legacy IT and are looking for ways to enhance their cybersecurity posture. At the same time, they can’t simply stop their operations while remedies are applied. So you need ways to assess and propose cybersecurity upgrades with the minimum of disruption” says Thomas Baudillon, Cyber Security Authority for Integrated Communications and Supervision Systems at Thales.
Aside from the need to keep hackers at bay, rail operators must align with cybersecurity standards such as IEC62443[1] and the future IEC63452. They are also under pressure to comply with national/regional regulations such as the recently revamped EU cybersecurity directive (NIS2) and the forthcoming Cyber Resilience Act (CRA) – both of which place new obligations on the rail sector as part of critical infrastructure.
To meet the cybersecurity needs of its metro and main line rail customers, particularly those with legacy rail systems, Thales Transport is launching Cyber Services for Railway Operations – a three-phase programme that comprises auditing, remediation and maintenance. How does this work in practice?
A deep scan of your systems
The process starts with a thorough audit of the customer’s infrastructure and network. “We perform an asset inventory to gain a clear knowledge of the systems: this is where you will probably discover missing assets” explains Lorraine Durieux, Product Line Manager for Connectivity Solutions for Railways at Thales’ Integrated Communications and Supervision Systems. “We also organise cybersecurity awareness training to strengthen the customer’s cybersecurity organisation.”
Cybersecurity awareness includes identifying risky habits. “One of these is recharging your smartphone by plugging it into a workstation. If your phone has malware, it will infect the rest of your system. This includes air-gapped systems – those that are isolated from external networks. A lot of technical mitigations are possible, but good hygiene and habits by users are vital for the safety of the system” points out Thomas Baudillon.
Shadow IT is another factor. “For example, you forgot to mention that you replaced a camera or have undocumented network equipment. This is why it is so important to have an asset inventory that is complete and up to date,” Thomas Baudillon says.
At the conclusion of the audit phase, customers are presented with a report that includes a vulnerability assessment, a risk assessment, and an obsolescence plan. “The obsolescence plan is the most important part” says Lorraine Durieux. “As railway specialists, we know which vulnerabilities are really critical for operations, so we can help our customers to prioritise what needs to be fixed and in what order.”
Fix critical vulnerabilities
The next phase – remediation – is dedicated to tackling vulnerabilities, reinforcing security and aligning with regulations. “Remediation is based on the audit phase assessment” says Lorraine Durieux. “Depending on the customer’s budget and available resources, we agree on the scope of remediation. Then we help them to carry out the actions required, such as hardening, updates or segmentations.”
Legacy systems typically have thousands of vulnerabilities. So where do you start? “The risk assessment pinpoints where the greatest vulnerabilities are. We then use our expertise to help our customers fix their vulnerabilities in a reasonable and feasible manner while maintaining service continuity” says Thomas Baudillon.
A pragmatic approach is critical. Patching and rebooting systems across an entire rail network takes time and the last thing customers want is disruption. “We understand those considerations, so we support the customer in shaping and then guiding them in implementing a prioritised plan to rectify things in the best way possible” says Lorraine Durieux.
“Even if you can never reach zero-risk, especially because of budget constraints or system age, there will always be improvements that will drastically reduce the residual risks” Thomas Baudillon says.
Keep it secure over time
Once immediate threats are safely under control, it’s time to focus on long-term security. “Cybersecurity is not only about implementing a secured infrastructure, but keeping it secure over time” emphasises Lorraine Durieux. “That means anticipating and prioritising the management of obsolete equipment, and controlling costs with a predictable cyber services budget.”
Planned maintenance and obsolescence management hold the key to combating vulnerabilities and prolonging the life of systems. Recent years have seen a big shift in thinking around cybersecurity, with an increasing focus on obsolescence factors. The European Union’s proposed Cyber Resilience Act underlines this trend, with suppliers required to manage vulnerabilities for up to five years.
But what happens after five years? Cameras, for example, can work reliably for up to a decade – and there are tens of thousands of them. “You have two choices” says Thomas Baudillon. “Either you buy new cameras after five years, which is wasteful, or you warn your cybersecurity people ahead of time so they can find mitigations – reducing cost and disruption.”
Maintaining cybersecurity means being constantly vigilant. To ensure that customers are always one step ahead of the hackers, Thales provides threat intelligence, with early warnings about new vulnerabilities. In addition, Thales can help operators to centralise their security logs – a key capability for customers looking to set up a Security Operations Centre.
Crisis training is also part of the offer. A crisis plan provides a blueprint of how to handle a cyber-attack, including communications management.
“You can always do something – no matter how old the system is,” concludes Thomas Baudillon. “As system providers and integrators, we understand our customers’ operational needs and constraints to best support them in maintaining their expected cybersecurity level.”
[1] Thales Transport already provides IEC62443 certified solutions.