With their increasing exposure to digital risks, our public transport authority and transport system operator clients have become aware of the importance of protecting themselves from cyberattacks, but do not always know how to approach the issue.
Cybersecurity is defined as all the technical and non-technical measures of protection that enable an information system to withstand events liable to compromise the availability, integrity, confidentiality or associated proofs (identity, authenticity, traceability) of data stored, processed or transferred. Already back in 2008, the White Paper on defence and national security had established that cybersecurity had become a major issue. Since then, cyberattacks have tended to intensify. Organised groups, but also governments, directly contribute to this development by voluntarily or involuntarily disseminating tools which can be studied, modified, reused and combined.
While cybersecurity is often reduced to its technical component, it is crucial to understand it as a global approach which does not depend purely on technical measures but also on an equal proportion of organisational measures: awareness, training, procedures, organisation and policies. It should also be emphasised that cybersecurity is not just about applying restrictive conditions on everyone without discrimination. It is a considered approach which, according to the issues at stake, helps to achieve the right balance between protection and restriction. It should also be borne in mind that absolute security does not exist and therefore firms should make careful preparations for the consequences of a successful attack. Several main principles should guide any approach to cybersecurity, among which the following:
Industrial systems are exposed to these risks, even when they are not connected to the Internet. The computer worm Stuxnet, which first appeared in 2010, succeeded in destroying a large number of centrifuges in an Iranian uranium enrichment facility, despite the fact that this site’s IT network was physically isolated from the rest of the world. This attack is tangible proof that our worst fears on the security of sensitive installations could become reality. We could also mention damaged pumps in wastewater treatment stations in the United States in 2011, electricity blackouts in Ukraine in 2015 and 2016 or pipeline operation shutdowns in the USA in 2018: there is no shortage of examples.
Industrial systems are therefore just as affected by cybersecurity issues as other information systems, and possibly more so. In fact, industry has adopted digital technology at the same pace as technological development, without a global vision, sometimes with insufficient technical expertise in information technology, by connecting heterogeneous systems together with the priority placed on productivity, efficiency and safety, but rarely security. It is therefore the role of the top management of these firms to fully come to terms with these issues and adopt proactive policies to reinforce the security of industrial systems by allocating the necessary material, financial, organisational and human resources to it.
To help industry players unfamiliar with cybersecurity methodology and techniques (which are more widespread in the traditional IT or banking sectors), standardisation bodies have focused their attention on the specificities of industrial cybersecurity. Their work led to the publication, starting in 2009, of the first volumes in a series of reference technical documents: IEC 62443. Some components of this standard are still being drafted, but the main concepts are now well established: security policy, threats, risks, safety measures, maturity, security zones, security levels, etc. They act as foundations for the approaches led by each specific job discipline. Also worth noting is the simplification work conducted by ANSSI (the French national agency for cybersecurity and cyber defence) with the publication of dedicated guides offering easy access to the analysis and definition of the main necessary measures.
Meanwhile, in the rail transport field, an ingenious but reckless teenager caused the derailment of a tram in Lodz, Poland in 2009. This incident demonstrated the vulnerability of a switch system at a time when many stakeholders in this industry considered that the measures implemented to mitigate the risks identified by system assurance analyses were enough to protect the system. Whether at an international, European or national level, the rail transport field is now acknowledged to be a critical sector for the activities of a State. In this respect, it is subject to a set of specific measures which come in addition to best practices applicable to all information systems and more specifically to industrial systems. While the regulations are already well established, efforts in terms of research and standardisation still have a way to go. At European level, noteworthy initiatives include the formation of working group CENELEC WG26 to define a consistent approach to the management of railway systems security, and also, under the Shift²Rail programme, the CYRail project, which brings together operators, infrastructure managers, suppliers and integrators to consider the threats, risk assessment, detection, countermeasures and resilience mechanisms to apply in the railway sector. As yet, none of these efforts has led either to the establishment of dedicated standards or to these issues being incorporated into professional practice, which would at least have had the advantage of proposing a global approach covering both system assurance and cybersecurity. Transport specialists therefore continue to experience difficulties in fully mastering these problems.
Through its experience on many projects for operators of critical infrastructure, Egis is capable of looking at cybersecurity from a global perspective, whilst also incorporating the specificities of the transport professions. We can support an operator as part of a global approach to analyse the state of play on their network with regard to cybersecurity. Depending on the maturity of our clients, we can incorporate this issue into each of our projects. For clients that so desire, we also offer our services to assist them with homologation by contributing our specialist expertise in the procedure.