UK railways had four major cyber-attacks in one year

The UK rail network has fallen victim to at least four significant cyber-attacks within the last 12 months, says Darktrace, a UK cyber security firm that works with most of the UK’s railway networks to ensure cyber security.

The discovery serves as a stark warning about the realistic threat posed by gaps in cyber security, particularly as the UK’s rail networks gradually move from analogue technology to digital systems. While analogue technology is currently the most used in operational processes and is more resilient to attack, the verifiable occurrence of cyber breaches already shows the level and impact of cyber security risks, which will only increase with the further integration of digital tools.

Commenting to Infrastructure Intelligence, Dave Palmer, director of technology at Darktrace, said: “In an era of imperfect defences and increasingly complex networks, determined threats can always get in. Today, all businesses can be affected, regardless of size or sector, and organisations need to be able to detect and respond to threats inside their networks even if novel or targeted.”

While the recent network infiltrations appear to be more exploratory than disruptive, the introduction of digital railway plans such as digital signalling as part of the European Rail Traffic Management System (ERTMS), in addition to other modernisation initiatives, will increase the likelihood of network infiltrations, both in number and in scope of impact. For rail, such infiltrations could be used for data collection, disruptions or, in extreme cases, potentially derailments.

Cyber security risks in infrastructure have been on the rise worldwide, and are also worrisome because a security lapse could be exploited by terrorists. Nick Gibbons, partner at law firm BLM, stressed the need to look to global incidents to raise awareness of the risk. "There have already been several actual or suspected terrorist attacks on railways evident elsewhere in the world," said Gibbons. "In March 2014 South Korea's National Intelligence Service said it had interrupted a hacking attempt against railway workers and closed off their email accounts.

"Switzerland is already using the ERTMS digital system on some of its busiest railway lines. In March this year hackers breached the Swiss Federal Railways websites exposing how vulnerable the portals were to online attacks. The country's IT and telephone systems were also crippled. The identity of the perpetrators behind the cyber attacks still remains unclear," Gibbons said.

"In April this year in India, Al-Qaida hacked a microsite of the Railnet page of the Indian railway. The hacked page of Bhusawal division of the personnel department of the Central Railway, and part of a large intranet created for the department's administrative needs, was replaced by Al-Qaida, who left a message following a similar attack on the Indian railway network a few months before," said Gibbons.

While many businesses do seek forms of insurance for vital data or processes in the event that cyber-attacks do occur, it is essential that businesses identify the various infiltration risks in order to put appropriate measures in place. Darryl Brophy, a specialist cyber broker and executive director at WTW, said: "Most businesses, however large, seem to have very similar problems: ineffective staff policies and procedures; a failure to address perimeter risk; ignorance about the type of cyber risks they are facing and inadequate communication between the IT team and the board resulting in very little real oversight.

"The insurance industry has already generated a number of insurance policies specifically for the potential financial loss, physical damage, personal injury and death resulting from a cyber-attack on infrastructure. My experience as a broker has been that clients benefit from an external assessment of their cyber security and exposures that is part and parcel of the insurance process even if they don’t ultimately buy a policy. In short, insurers can help identify these problems very quickly," Brophy said.

Dwight Patten, legal director at the Association for Consultancy and Engineering (ACE), stresses that "practitioners in the infrastructure sector need to see cybersecurity as a vital and essential consideration. Being better aware, creating preventative procedures and seeking to mitigate negative impact when breaches do occur must be priorities for all firms."

As Dave Palmer says: “Inspired by biology, and using advanced machine learning, we believe this [Cyber Security] requires an ‘immune system’ approach able to self-learn what is normal activity within a business and detect the unexpected behaviours of attacks - irrespective of the external source. Even highly innovative nation states will create ripple effects of behaviours that can be detected. Companies with an immune system are best placed to manage emerging security risks on a continual basis and respond to incidents before they become a crisis as routine.”

While much regarding the prevention and detection of cyber-attacks is ever-changing, what is absolutely clear is that businesses must be aware of all risks, and all resources that can aid in risk prevention.

Cybersecurity will and should remain a priority in infrastructure for years to come.