Let’s start with big kudos to the authors and the International Association of Public Transport (UITP) for their recent publication, ‘Practical Guidance on Cybersecurity: Requirements in Tendering,’ which is the first of its kind in the transportation industry. The report provides an unmatched consolidation of thought leadership on cybersecurity in the public transportation industry and across the multiple modalities of passenger rail (Metro, commuters, and Tramway) and bus. It is an excellent read and well worth your time.
The publication is very timely for Railway and Public Transport Operators (PTOs), as 2022 saw an unprecedented number of cyber-attacks on critical infrastructures around the globe. In addition to the rise in the number of attacks, there is an increase in attack sophistication enabled by tools and methods now freely available on the dark web and traditionally seen only in the hands of state-sponsored actors.
The UITP’s Cyber Working Group, consisting of internationally recognized transport operators, OEMs, and solution vendors, identified the problem of lack of clarity and consistency across PTOs and the supporting supply chain to address cybersecurity. As a result, the UITP Cyber Working Group agreed to pool resources and bring forward a practical and cross-functionally applicable publication recommending cyber solutions to the problem.
There are five noteworthy areas that are addressed in the UITP guide that are best represented as needs:
- Need for more cybersecurity awareness in public transportation
- Need for PTOs to distinguish between OT vs. IT systems
- Need for commonality and reference to applicable cybersecurity standards
- Need for cybersecurity alignment of PTO buyers and vendors
- Need for more cybersecurity engineering in the V-Model
Need for more cybersecurity awareness in public transportation
Public transportation has always considered safety the top priority and cultivated the culture and engineering disciplines commensurate with this priority. Cybersecurity, on the other hand, is a relatively new discipline. Despite its relative newness, safety and security are siblings. The interdependencies between the two have grown ever more apparent over the last decade with the increased need to share data. Digitization initiatives in public transport are cross-functional endeavors touching almost every employee, from those in the legal department, procurement, engineering, and through to the maintenance worker in the depot.
No one is immune from the digital, and in public transportation, if it is not steel or concrete, then it’s a functional system with a digital element, either firmware or software. This reality that digital is everywhere drives the need for more cybersecurity awareness in public transportation organizations, including setting up the right policies, procedures, training, roles, and responsibilities so that every department contributes to improving the organization’s security posture.
Need for PTOs to distinguish between OT vs. IT systems
Digitization of the transportation industry has been primarily led in recent years by the need to share data, and this opening up of operational systems to share data invariably has introduced new cyber threat vectors. By way of example, the need to share train location information (operational system-derived data) with publicly available mobile applications network-connected to the internet.
Even though transportation systems are engineered to be inherently safe (think ‘fail safe’), the interdependencies between critical Operational Systems (OT) and business-critical Information Technology (IT) related systems make it difficult to create precise segmentation, especially in a ‘brown field’ / existing transportation operation.
The distinction between OT vs. IT is the challenge that must be addressed so a PTO can confidently state that a cyber-attack on an IT system shall not impact safe operations. Moreover, the importance for PTOs to classify systems as OT vs. IT acknowledges that they understand the material differences in the consequences of IT systems being attacked vs. an OT system being attacked, i.e., business consequences (IT) versus physical consequences (OT).
No CISO wants to wake up to learn that a phishing email or a denial-of-service attack on an IT-related system has directly impacted a traction power substation or signaling system, which is vital to the safe movement of passengers from New York to Boston, or on Metro Line 1 of Paris.
Need for commonality and reference to applicable cybersecurity standards
Public Transport and Railway Operators are very familiar with the need and benefits of standards. However, while other critical infrastructure industries (e.g., the Energy sector) have made several years of headway on contextualizing and applying relevant cybersecurity standards, PTOs are only recently addressing cybersecurity at the level commensurate with being designated as a critical infrastructure custodian. Why is this the case? The main reason is historically poor cross-functional cybersecurity awareness. Another contributing factor has been the need for more consistent and referenceable cybersecurity standards in the passenger transportation domain.
Fortunately for Public Transport and Railway Operators, instructions on how to apply the well-established industrial control system (ICS) cybersecurity standard IEC 62443 has been published by CENELEC in the form of Technical Specification TS 50701. And now the UITP Practical Guidance on Cybersecurity report provides valuable examples of how Railway procurement personnel should use TS 50701 to help write tendering documents for any Systems under Consideration (SuC).
Need for cybersecurity expectation alignment of PTO buyers and vendors
The need for common references to relevant cybersecurity standards in transport also helps to establish joint authority across multiple functional areas (procurement, engineering, supply chain) and, most importantly, between buyers and vendors.
Vendors complain that PTOs’ tendering requirements must be more explicit, specific, and applicable in the System under Consideration. In addition, PTOs need help finding within their internal organizations the expertise required to sufficiently establish the cybersecurity requirements that will meet their future needs and do so in a manner that is not bespoke, outdated, or wholly not applicable to the SuC.
There is a mutual benefit for PTOs and vendors to ensure cybersecurity expectation alignment. On the one hand, vendors who have invested in their product roadmaps to meet stringent cybersecurity certifications and standards are afforded the appropriate level of consideration during a request for qualification (RFQ). Equally, PTOs can quickly weed out vendors who cannot demonstrate that they understand or are prepared to introduce solutions into the OT environment of a safety-first critical infrastructure environment.
Need for cybersecurity engineering in the V-Model
PTO and Railway engineering professionals are very familiar with the product/systems life cycle V-Model, which provides a systematic phased approach from project/product/system concept through development and implementation to ongoing operations and maintenance. The V-model is foundational in the systems engineering discipline and is used regularly to manage risk, validate, and verify that what was intended to be realized is now performing in line with original requirements.
Security by design must also be foundational in critical infrastructures such as railways and metros. As such, there is a need to verify and validate cyber-related deterministic behavior in OT digital systems. Practically, this means that OT systems perform as designed and are not subject to external or internet-based cyber-attacks. There is indeed no such thing as 100% secure, as security is fundamentally a continuum; however, reducing the cybersecurity threat as low as reasonably possible (ALRAP) is consistent with the core principle of cyber network engineering. By way of example, this rude awakening of an IT system hack propagating to an OT safety-critical system can be engineered out of the realm of possibility with IT vs. OT segmented networks, utilizing unidirectional gateway technology.
The UITP guide highlights the need for cybersecurity engineering in the system/product life cycle and recommends that a specific Information Security System (ISS) document/chapter be included in all public transportation tender documents of relevant systems under consideration. This ISS will outline the main principles and detailed requirements for which prospective solution vendors must align themselves.
Cyber-by-design: Meeting the complexity of Passenger Transport and Rail Operations
Meeting the complexities in system designs of passenger and rail transport operations with a cyber-by-design approach is essential, and with the recent release of the UITP ‘Practical Guidance on Cybersecurity Requirements’ report, the job of PTOs tendering for a new system under consideration is now made easier.
Again, a big shout out and kudos to the authors and UITP Cyber Working Group, especially our Waterfall colleagues Serge Van Themsche, Jesus Molina, and Andrew Ginter, for bringing clarity and practical guidance on cybersecurity requirements to the transportation industry. The usefulness of this effort across multiple stakeholders will be positively received. More importantly, if the advice is followed, there is no question that the security posture within the industry will be improved.