Thales delivering digital trust for safety-critical systems on UK rail network
- Thales has won a new contract to implement Certificate Authority/Public Key Infrastructure across Network Rail’s estate.
- The contract to design, build, test and deliver Enterprise CA/PKI also includes a discovery phase, now completed, which has identified new systems and capability that could grow over time.
- The contract includes a three-year support period with the option of two 12-month extensions, giving the potential to develop the service further.
A newly awarded contract places Thales at the centre of digital trust for Network Rail Telecom (NRT), providing an enhanced cyber security posture across the entire Network Rail Enterprise.
This will allow NRT to assign and centrally manage digital certificates and authentication to services across the entire Network Rail operation.
Building on last year’s contract to introduce the Online Key Management System (OKMS) on the East Coast Main Line (ECML), with the East Coast Digital Programme, Thales has won a new contract to implement Certificate Authority/Public Key Infrastructure across Network Rail’s estate.
“The introduction of the European Train Control System (ETCS) on the ECML is driving the introduction of new Digital Signalling by Network Rail. Our OKMS is the enabling technology that ensures signalling data communications to trains are resilient and secure. ETCS continuously calculates a safe maximum speed for each train, with in-cab signaling for the driver, and on-board systems that take control if permissible speed is exceeded. The new Enterprise CA/PKI system supports OKMS by authenticating the origin of these ETCS signaling data communication messages.” - Guy Cleall, Thales’s Customer Account Manager for CA/PKI
NRT’s Enterprise CA/PKI is a powerful cyber-security system that introduces greater digital trust through authentication, encryption and certification, protecting Network Rail’s wider infrastructure, including Information Technology (IT), software, the Internet of Things (IOT), security cameras and station information boards, as well as securing Operational Technology (OT) assets.
The contract to design, build, test and deliver Enterprise CA/PKI also includes a discovery phase, now completed, which has identified new systems and capability that could grow over time. Enterprise CA/PKI will also need to accommodate the additional services and organisations that will be introduced when Great British Railway is formed; this new, state-owned public body, which will oversee all UK rail transport operations, is currently planned to commence transitioning from 2024. The contract includes a three-year support period with the option of two 12-month extensions, giving the potential to develop the service further.
Also within the contract is the responsibility to periodically generate and protect Network Rail’s CA/PKI root keys. The root key certificate (a string of alpha-numeric characters) is important because this "master key certificate" verifies all the certificates below it. The security of the root certificate determines the security of the entire Network Rail Enterprise CA/PKI system. Thales is entrusted to securely store Network Rail’s root CAs within its List X facility, which is a commercial site used to securely hold UK government information.
CA/PKI will bring greater levels of digital trust as the railway system transitions from trackside signaling to on-board digital systems. It will also give Network Rail greater control over managing its own IT, IOT and OT assets, allowing it to determine the lifecycles of devices, such as laptops and mobile phones, through its own certification process, rather than relying on external agencies.
“The Enterprise CA/PKI that Thales is providing underpins OKMS operation and looks after digital trust across the Network Rail enterprise. It’s a game-changer for them and a good place to be for Thales. We’re building a very good relationship with Network Rail but now we have to deliver, and deliver well, and as a result I hope we can go further together.” - Guy Cleall, Thales’s Customer Account Manager for CA/PKI
Enterprise CA/PKI is due to be delivered in early 2023, in time for the roll-out of OKMS later next year.