How can cyber security impact TOCs?
Cyber security risks are considered to be an increasing source of concern for train operating company (TOC) executives, as these risks affect businesses directly.
Due to the rising number of cyber incidents that target industrial sectors such as railway, utilities and manufacturing, it has never been more critical for the board of a business to treat cyber risks at the same level as safety and business risks.
Digital transformation, the Internet of Things (IoT) and other new technologies are expanding connectivity like never before. IoT is the network of physical objects and devices embedded with sensors, software and other technologies, which connect to each other and to other devices over the internet.
Connectivity between new train platforms as well as upgraded and rolling stock systems introduces new vulnerabilities along with the inherited risks from COTS (commercial off-the-shelf) and legacy on-board train systems of both new and upgraded trains, which were previously unknown. The supply chain is another key area in which TOCs need to be aware of where vulnerabilities are introduced.
The rail supply chain comprises IMs, ROSCOs, ECMs, train builders, and TOCs’ vendors, and a vulnerability in one entity can cascade up the supply chain and lead to a risk that operators will be responsible for. TOCs should therefore react promptly to these cyber risks by considering a joined-up cyber security approach that includes the supply chain.
What are the potential impacts of cyber-attacks?
- Delays in service and timetables, which will have high cost implications due to passenger compensation (Delay Repay) for every minute of delay
- Loss of customer data resulting in significant fines
- Reputational damage and low customer confidence
- Implications that could severely impact the safety of staff and passengers
Consequently, TOCs could be subjected to financial and regulatory penalties as well as commercial impacts.
So how can you ensure that assets and environments are secure and resilient against cyber risks?
Implementing a security-by-design concept is a key driver for resiliency, where cyber and physical security are well integrated and addressed at inception and throughout the entire lifecycle of the service. This can be achieved by monitoring and complying with regulations such as the NIS Directive, conducting regular audits to ensure safety and security, monitoring critical assets and implementing appropriate security architecture principles.
In addition, you can perform audits and coaching of suppliers to ensure their security controls are robust. Where suppliers can demonstrate cyber security certifications, this can help them to become trusted suppliers to TOCs. One step further is to work only with suppliers who meet a minimum standard of cyber security and to make this contractually binding.
How can Airbus CyberSecurity help?
Railway is critical national infrastructure and TOCs are classed as Operators of Essential Services (OES) under the NIS Directive. This means that they are required to take appropriate and proportionate organisational and technical measures to manage their cyber and business risks to ensure the essential service they supply is resilient to incidents. We are supporting the rail sector by working with TOCs to identify cyber risks and understand their real-world impact. We can help to create security matrices that can be used for investment planning and strategic decision making, as well as partner with CISOs to build a robust cyber security programme that will comply with the NIS Directive.
To address cyber security on rolling stock, we have partnered with a UK TOC to conduct a Red Teaming exercise on a series of their digital new build and legacy refurbished trains. As a result of this exercise, we were able to gain access to a wide range of on-board systems, identifying numerous vulnerabilities to enable the TOC and their supply chain to address specific cyber security issues over their rolling stock.
We assisted the TOC by addressing the concept of security-by-design and identifying all potential risks to these trains, before building a security improvement road map to mitigate the identified risks. This approach also enabled the mapping of cyber risks to business risks, which can help to measure the investment costs against the financial loss in the case of a cyber incident.
In conclusion, TOCs need to consider security-by-design principles throughout the lifecycle of their projects and services, including new build and retrofitting legacy trains. They must also have a flexible commercial model that considers an agile approach to respond to ongoing changes, as well as a close working partnership with suppliers in the supply chain. Finally, a set of SLAs will help them to monitor their overall security. This will help to ensure business resiliency and recovery, as well as minimise the reputational and financial impacts of cyber incidents.