Data centers on steel wheels: Can we trust the safety of the railway infrastructure?
In this interview for Help Net Security, Dimitri van Zantvliet Rozemeijer, CISO at Nederlandse Spoorwegen (Dutch Railways), talks about railway cybersecurity and the progresses this industry has made to guarantee safety.
Critical infrastructure has seen quite many cybersecurity incidents lately and cybercriminals have become stealthier than ever. How is railway cybersecurity fairing in this complex environment?
It is true that cybersecurity incidents are on the rise and that’s a trend that I do not foresee declining any time soon. So, in general, it is fair to say that incidents in the railway sector follow that trend and will do so over the coming years. On the other hand, if we look at Nederlandse Spoorwegen (Dutch Railways), we have been riding trains for more than 180 years and have done so with safety as a prerequisite. One could argue that security processes are embedded into our DNA and cybersecurity is just the latest strain in that helix.
If we compare railways with, for example, the banking sector then we see we have some catching up to do but given the fact that we are used to dealing with risks I am confident that this sector is fully able to develop the necessary mechanisms to stay resilient to these new emerging threats. Of course, we can fall victim to some kind of attack someday just like any other organization. It is up to us to be prepared and stay resilient; I am confident we can do that.
What has made railways an interesting target for cybercriminals?
Well, if we just look back to the pandemic years behind (hopefully) us then we see that mobility was a necessity to get doctors and nurses to the hospitals. In general, we see more and more economic services rely on proper public transport. Targeting such a vital part of an economic region could result in serious damages with long tails of consequences. So if a lot of money or lives are at stake then it pays off for cybercriminals to bring those services down. In the long run, rail transport will also contribute to the global reduction of CO2 emission preventing the earth from warming up too much. I consider that as vital too. Railway mobility, in short, sits in the crosshairs of our society.
What could be the techniques cybercriminals could apply to compromise a railway infrastructure?
Actually, any technique, tactic, or procedure (TTP) that can be used in other organizations as well. What we will see is, now that our sector is speeding up the digitization process, that the attack surface is broadening and becoming more complex. Trains will become Tesla’s on rails having many connections with other digital services such as the European Rail Traffic Management System (ERTMS) and driving via Automatic Train Automation (ATO). The obvious consequence is that we need to be able to withstand those TTP’s and plan for mitigation in our digital roadmaps. In the most ideal world, we develop our services cybersafe by design and default. There’s work to do there!
What can governments do, or are already doing, to improve railway cybersecurity and tackle growing threats?
If organizations want to use the digital highway, then I believe they all should take responsibility to use this highway safely. Since everything nowadays is connected, not having your cyber hygiene in check is a big fat no go. Supply chain risk tops the list nowadays and we spend too much time checking on each-other. Governments should set the minimum requirements to drive on that highway. Next to that they should walk their talk and eat their own dogfood first.
In Europe we see new regulations emerging fast and to my humble opinion that’s a good thing because there are too little incentives for organizations to get their digital act together, so we definitely need regulation. If we could define a basic set like the bare cyber minimum and hold execs accountable for damages, then that would certainly help to speed up the level of cyber hygiene.
What are the risks citizens could face?
Again, I do not see much difference in being a railway organization and citizens face the same risks using public transport of having their PII exposed, or their passwords leaked as with any other digital service. Of course, we have many baselines and guardrails applied to our digital environment and citizens can trust us to process all that data with due care and due cyber-diligence.
If we talk about a possible physical risk emerging from cyber threats, then I do not expect a big risk difference in the current rolling stock fleet we are operating in the near future. Yes, it is true that more and more trains will become data centers on steel wheels and we as a sector are fully engaged in preparing the right resilience in those new models. We are running several pilots and proofs of concept that aim to mitigate risks that we foresee, and it is my strong belief that passengers/citizens are and will be safe in the future. The safety that is part of our DNA does not dissolve over time, it will become more cyber centred though.
What are the challenges you have to tackle as a CISO in your daily work?
Being a CISO in the railway sector is a great job. Being part of our cyber teams is great too. Our biggest challenge is to find the right cyber colleagues with the right skill set. If we can hire the right talent, then the rest of our cyber challenges can be faced head-on.