Rail
Protecting the railways from constantly evolving cyber threats
By Mark Gibbs, train networks director, Westermo UK
The increasing trend to converge operational technology (OT) systems with information technology (IT) solutions enables significant efficiency savings through shared resources, but also creates network security challenges. The rail industry has seen recent exponential growth in the implementation of OT systems, with data communication technologies playing a vital role in the on-board control architecture. As the level of OT systems implementation in rail vehicles and network infrastructure continues to rise, cybersecurity requirements will also increase.
The rail industry is moving towards IP-based data communication networks, with the Ethernet/IP protocol being used to transmit information in on-board control applications. The Train Communication Network protocol was previously used, with the Multifunction Vehicle Bus (MVB) applied within each vehicle and a Wire Train Bus (WTB) connection between vehicles. MVB and WTB are both based on serial communications and were deployed when the on-board implementation of IP networks was limited to IT systems such as CCTV and entertainment.
Network innovation
The integration of intelligent IT/OT devices into a single data communication network was pioneered by Bombardier Transportation, using Westermo managed Layer 2 and 3 Ethernet switches. These switches, which comply with the EN 50155 rail standard, are optimised to meet the increasing data communications demands of on-board applications. They help to provide high-performance, reliable and secure networks that support important services such as public address systems, passenger information systems, on-board Wi-Fi, video surveillance and train control and management systems. Features such as enhanced full-speed routing help to maximise network performance, while cyber threats are met by a range of security features, such as routing capacity for network segmentation, secure boot, firewalls, VPN, intrusion detection and access control.
Architectures based on IP communications are now standard in new rail vehicles, but some legacy train fleets in the UK are over 30 years old and still use their original serial-based communications. There is growing demand to retrofit operational- and safety-critical systems such as driver-controlled operation onto this rolling stock. However, converging new OT systems with existing IT systems requires prudent network design and a clear digital resilience strategy.
Cyber threats and security standards
IT and OT convergence increases the risk of cyber-criminals successfully attacking the operational systems that manage and control railways. Digital resilience must therefore be an important consideration when designing systems and integrating them within larger systems.
The IEC 62443 standard has, for some time, provided guidance on IT security. In July 2021, however, a European standard specific to the rail industry was introduced, entitled ‘CLC/TS 50701:2021 Railway applications – cybersecurity’. This new standard provides guidance, requirements and recommendations to ensure that the availability and safety of railway systems and operations are not compromised should a cyberattack occur.
Holistic approach
When planning modifications to on-board systems and data networks, a holistic view of the threat landscape relating to wider rail operations should be taken. One such approach is to employ systems thinking analysis, which involves taking wider system interactions into consideration, not just for systems that share a physical network, but also remote sensors, systems at trackside, and connected servers in control centres and the cloud.
Maintaining system resilience is, of course, an ongoing activity. A system’s threat profile changes over time, so seek input from those who understand the global threat picture.
Emergent system and subsystem firmware releases should be evaluated, and applicable releases applied to systems fleet-wide, to ensure resilience is up-to-date.
Segregation and micro-segmentation
Protecting functions that are essential to the safe operation of the railway requires segregation of IT and OT systems through technical and procedural methods. This is a core principle of CLC/TS 50701:2021. Segregation is necessary because it limits access to critical OT systems and prevents a potentially less secure IT system or network from becoming the pathway to a cyberattack. Additional internal separation can be applied for a single system or subsystem. This minimises potential damage by limiting a security breach to the specific part of the network where access has been gained. Taking the segregation approach further, micro-segmentation divides the wider network into VLANs. Adding firewall rules at a system level is standard practice when creating a secure network, and this allows traffic within a subnet related to a single system to move freely without security rules. The introduction of further security measures across a system at a functional or sub-system level limits lateral threat movement to a very specific system segment and protects against further breaches.
Continuous threat management
IP networks with a regularly changing threat profile require continuous monitoring and quick response. Westermo has a dedicated product security incident response team that rapidly reacts to any reported vulnerabilities against emerging threats. The team also monitors the cybersecurity domain for common vulnerabilities that could affect industrial networking products. Vulnerabilities are quickly assessed, with any necessary firmware updates and security advisories published online.
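The segregation and micro-segmentation principle described above, as an added example that is not part of the article or of any Westermo product: on-board services are placed in separate VLANs, traffic inside a segment is not filtered, and every cross-segment flow is denied unless an explicit rule allows it. The segment names follow the article; the VLAN IDs, subnets, port numbers, the PIS-to-TCMS allow rule and the sample flows are constructed assumptions.

```python
# Added example: micro-segmentation policy check for an on-board IT/OT network.
# Segment names follow the article; VLAN IDs, subnets, ports and rules are assumptions.
import ipaddress
SEGMENTS = {  # segment -> (VLAN id, subnet)
    "tcms": (10, ipaddress.ip_network("10.10.10.0/24")),  # train control and management (OT)
    "pis": (20, ipaddress.ip_network("10.10.20.0/24")),   # passenger information / PA (OT)
    "cctv": (30, ipaddress.ip_network("10.10.30.0/24")),  # video surveillance (IT)
    "wifi": (40, ipaddress.ip_network("10.10.40.0/24")),  # passenger Wi-Fi (IT, least trusted)
}

# Explicit cross-segment exceptions (src, dst, proto, dst port); anything else is denied.
ALLOW_RULES = [
    ("pis", "tcms", "tcp", 502),  # assumed: PIS polls a TCMS gateway for position data
]

def segment_of(addr):
    """Return the segment containing addr, or None if it is outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, (_vlan, net) in SEGMENTS.items():
        if ip in net:
            return name
    return None

def evaluate(src, dst, proto, dst_port):
    """Decide a flow as ('allow' | 'deny', reason) under default-deny between segments."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny", "address outside the segmentation plan"
    if s == d:
        return "allow", f"intra-segment traffic within {s}"  # no firewall rules inside a segment
    if (s, d, proto, dst_port) in ALLOW_RULES:
        return "allow", f"explicit rule {s}->{d} {proto}/{dst_port}"
    return "deny", f"no rule for {s}->{d} {proto}/{dst_port}"

def render_nft_forward_chain():
    """Render the same policy as an nftables forward chain with default policy drop."""
    lines = ["chain forward { type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]  # return traffic for allowed flows
    for s, d, proto, port in ALLOW_RULES:
        lines.append(f"  ip saddr {SEGMENTS[s][1]} ip daddr {SEGMENTS[d][1]} "
                     f"{proto} dport {port} accept")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    for f in [("10.10.20.5", "10.10.10.1", "tcp", 502),   # PIS poll: allowed by rule
              ("10.10.40.77", "10.10.10.1", "tcp", 22),   # Wi-Fi -> TCMS: denied
              ("10.10.30.8", "10.10.30.9", "tcp", 554)]:  # CCTV within its VLAN: allowed
        print(f, *evaluate(*f))
    print(render_nft_forward_chain())
```

Running the script prints each sample flow with its decision and reason, followed by the equivalent nftables forward chain, so the policy table and the firewall rules that enforce it can be reviewed side by side.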
www.westermo.co.uk
Components in Electronics, June 2022, page 13