Inadequate cybersecurity investments leave rail industry at risk
Popular perception may cast the rail industry as a laggard compared to auto or high-tech manufacturing in embracing Industry 4.0. Yet railways are increasingly dependent on sophisticated connected systems to enhance efficiency and customer satisfaction.
Rail industry needs to work closely with cybersecurity vendors
With the advent of connected online systems and the convergence of Operational Technology (OT) and Information Technology (IT) systems, network and data-sharing security between IT and OT systems is becoming an integral component of safety, providing new market opportunities in the rail, freight, and transit sector. Yet this convergence also increases complexity, interconnectedness, and the risk of cyberattacks if measures are not taken to secure data flows between the two environments.
ABI Research forecasts that OT and IoT spending in the rail industry between 2022 and 2027 represents an average of 7.65% of total cybersecurity spending in the sector and is set to hit $300 million globally by 2027.
“This is in line with overall average levels of 3-5% OT cybersecurity spending in the industrial sector. Still, the rail sector’s high level of OT-IT convergence and the extended nature of its networks mean that more precautions should be taken to maintain OT integrity. Exclusively relying on average OT cybersecurity spending growth is not enough to ensure secure networks, especially given the sector’s OT spending was globally a meager $123 million in 2022,” explains Michael Amiri, Senior Industrial Cybersecurity Analyst at ABI Research. “The disparity indicates higher OT cybersecurity risks in the future if rail operators do not increase OT security budgets.”
Amiri stresses that, considering geopolitical tensions and hacker operations, the rail industry should actively engage with cybersecurity vendors to find tailored solutions for vulnerabilities in their vast ecosystem rather than wait for relevant solutions to emerge.
Regulatory requirements could increase spending on OT and IoT cybersecurity
OT and IoT cybersecurity spending could experience a boost through evolving regulatory requirements like the EU’s new NIS 2 Directive or the U.S. Rail Cybersecurity Mitigation Actions and Testing Directive, issued back in October 2022.
“Coupled with increasing reliance on third-party systems in the rail supply chain that increases potential breaches through the sector’s expansive network, rail cybersecurity vendors could experience an expanding market environment in upcoming years. This means market forecasts should be viewed conservatively, as the impact of future regulation on spending trends is difficult to factor in. Much will depend on whether new regulation is backed by financial penalties, which go a long way in driving compliance,” Amiri says.
“As infrastructure threats make the headlines more frequently, investment in OT security will see increasing capital flows. These attacks, alongside new regulatory requirements, are hard to incorporate into mathematical models of industry growth, but will lead to spikes in security spending,” he adds.
The secure management of data flows is an integral part of OT security. This means securing data flows between OT and IT environments from cybercriminals is key to securing OT-IT convergence in the sector. Rail operators must manage up to thousands of miles of track and other rail resources. An effective asset management system, which requires OT-IT convergence and the monitoring of train systems at its core, is the most efficient method of maintaining asset health.
“The rail industry is a high-value target for malicious actors, both financially and symbolically. The symbolic status of the industry, coupled with the confluence of both IT and OT systems in the sector, provides opportunities for blackmail, state-sponsored attacks, or to bring attention to socio-political causes. This means both state-endorsed criminals and non-state actors have targeted the rail and transit sector in the past and will continue to do so,” Amiri concludes.