Trains are one of the most heavily used modes of mass transportation and are particularly important for cities undergoing rapid urbanisation. As rail operations are digitalised, train operators can use, develop and enhance multiple applications for rail systems, such as monitoring and control. Ethernet train backbone networks are commonly used to carry communication between the devices and systems on board and to connect the train's different IP-based systems. Ethernet-based networks bring many advantages, but they also expose onboard systems to the same cyberattacks as any other IP network.
According to Securing Industrial Control Systems – 2017 (SANS Institute), the top three threats end users are concerned about are unauthorised devices added to the network, internal threats such as accidental human error, and external threats such as hackers. Cybersecurity is imperative, but how to mitigate these risks is still a subject that train operators need more information about. Several security standards give the industry solid guidelines and suggestions. Of these, ISA99/IEC 62443 is the most commonly referenced industrial security standard, and EN 50159 covers safety-related communication over transmission systems specifically for railway applications. Best practice is to harden every connected device according to these standards; in practice this is not always feasible because of the cost involved and the maintenance effort it requires.
To simplify security on board trains, it is worth asking whether there are rules of thumb that train operators can refer to when enhancing network security. Read on to discover the four most important features that cybersecurity experts within the rail industry recommend.
Securing rail networks requires four things: robust network communications with enhanced security functions, layered protection for wireless networks, a defense-in-depth network architecture and, last but not least, easy-to-use network management software. It is also crucial to verify that these countermeasures are actually in use, rather than merely available, if rail networks are to be protected against cyberattacks.
The most effective way to enhance the security of a device is to ensure that its settings cannot be altered in a way that puts the device, and ultimately the network, at risk. Many cybersecurity experts regard IEC 62443 as the most relevant publication on how to secure devices on industrial networks. The top priorities that should be implemented on network devices deployed in the rail industry are listed below.
• Authorisation
One of the first steps towards better security is to ensure that only the people who need to change network settings are authorised to do so. Account management is often neglected because it is easier to share one login with all network administrators. A shared credential is a major vulnerability: it cannot be revoked for one person without changing it for everyone, it makes it impossible to attribute a change to the person who made it, and it hands anyone with malicious intent who obtains it full control of the network.
• Network Access Control and Authentication
Access control, which IEC 62443 calls use control, is enforced through authentication: each person must prove who they are before the device decides which settings, if any, that person may alter. Without access control and authentication, the device is like an open gate that gives everyone unrestricted access to critical areas.
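The two points above, per-person accounts and authentication before any settings change, in working form. The page mentions RADIUS authentication in its closing paragraph; the block below is an added example of that exchange (RFC 2865 Access-Request / Access-Accept between a network device, the RADIUS client or NAS, and the server), not Moxa code. The user database, the roles, the use of Filter-Id to carry the role, the shared secret and the NAS address are assumptions made for the demonstration.

```python
"""Per-administrator authentication of a network device (the RADIUS client,
or NAS) against a RADIUS server: RFC 2865 Access-Request / Access-Accept.
Added example, not Moxa code; USER_DB, roles, Filter-Id use, SHARED_SECRET
and the NAS address are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

SHARED_SECRET = b"train-nas-secret"  # assumption: secret shared by this NAS and the server

# Assumption: one account per person with a role, instead of one login shared
# by every engineer. Only "admin" may change settings; "read-only" may only view.
USER_DB = {
    "alice": (b"correct horse", "admin"),
    "bob": (b"battery staple", "read-only"),
}

def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def _reveal_password(hidden, secret, authenticator):
    """Inverse of _hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def _parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def build_access_request(ident, username, password, nas_ip="10.10.1.2"):
    """NAS side. The Request Authenticator is fresh random bytes for every request."""
    request_auth = os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, _hide_password(password.encode(), SHARED_SECRET, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def _reply(code, ident, request_auth, attrs, secret):
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def handle_access_request(packet):
    """Server side: check the credentials; answer Access-Accept carrying the
    user's role in Filter-Id, or Access-Reject."""
    code, ident, request_auth, attrs = _parse(packet)
    if code != ACCESS_REQUEST:
        return None
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(fields.get(USER_PASSWORD, b""), SHARED_SECRET, request_auth)
    entry = USER_DB.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return _reply(ACCESS_REJECT, ident, request_auth, [], SHARED_SECRET)
    return _reply(ACCESS_ACCEPT, ident, request_auth, [(FILTER_ID, entry[1].encode())], SHARED_SECRET)

def check_reply(request, reply):
    """NAS side: trust a role only if the reply answers this request's identifier
    and its Response Authenticator was computed with the shared secret."""
    _, req_ident, request_auth, _ = _parse(request)
    code, ident, response_auth, attrs = _parse(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + SHARED_SECRET).digest()
    if ident != req_ident or not hmac.compare_digest(expected, response_auth):
        raise ValueError("reply not authenticated by the shared secret")
    if code != ACCESS_ACCEPT:
        return None
    return dict(attrs).get(FILTER_ID, b"").decode() or None

def authenticate(username, password, ident=7):
    """Whole exchange in one call; returns the role, or None when rejected."""
    request = build_access_request(ident, username, password)
    return check_reply(request, handle_access_request(request))

def forged_accept_is_refused(ident=8):
    """An Access-Accept built by someone without the real secret must be refused."""
    request = build_access_request(ident, "mallory", "anything")
    forged = _reply(ACCESS_ACCEPT, ident, _parse(request)[2], [(FILTER_ID, b"admin")], b"guess")
    try:
        check_reply(request, forged)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(authenticate("alice", "correct horse"), authenticate("bob", "wrong"), forged_accept_is_refused())
```

The device grants the "admin" role only after the server has vouched for a named person, so every configuration change is attributable and a departing engineer's account can be disabled without touching anyone else's. Two caveats a practitioner would add: the password hiding and the Response Authenticator are MD5-based, so the RADIUS traffic itself belongs on a protected management VLAN or inside a VPN or RadSec (RADIUS over TLS, RFC 6614), and the optional Message-Authenticator attribute is omitted here for brevity.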
• Data Integrity and Confidentiality
When many devices and systems are connected to the network and their data is used to monitor or control rail systems, that data must be transmitted safely and securely. Integrity means the receiver can detect that data was altered in transit; confidentiality means an eavesdropper cannot read it. TLS (the successor to SSL) provides both for an individual application connection, and a VPN such as IPsec provides both for all traffic between two devices or sites, which is the practical choice for industrial protocols that have no built-in protection of their own.
• Layered-Design Protection for Wireless Networks
Passengers expect reliable onboard Wi-Fi, and rail operators generally offer it as an option for passengers willing to pay extra. This is not risk free: when passengers' devices connect to the onboard access points they all join the same network, which makes it easier for someone with malicious intent to steal other passengers' personal data. Wireless client isolation is therefore essential; it stops the access point from forwarding frames between its associated clients, so passengers' devices cannot communicate with each other directly even though they share the same network.
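Client isolation as it is switched on in hostapd, the open-source access point daemon, with the weak default next to the hardened setting. This is an added example, not Moxa's own configuration; the interface, SSID and bridge names are assumptions.

```ini
# hostapd.conf fragment for an onboard passenger SSID (added example, not Moxa
# configuration; interface, ssid and bridge names are assumptions).
interface=wlan0
ssid=Train-Passenger-WiFi
bridge=br-passenger

# Weak: ap_isolate=0 is the default. The AP bridges frames between its own
# associated stations, so one passenger's device can reach another's directly.
# ap_isolate=0

# Hardened: the AP refuses to forward frames between its associated stations.
ap_isolate=1
```

The caveat a practitioner checks on a train: ap_isolate only covers clients of the same access point. When several carriages each have their own AP on one shared bridge or VLAN, a client on carriage 1 can still reach a client on carriage 3 through the wired backbone, so the switch ports or VLAN must also block client-to-client forwarding (protected ports or a private VLAN) and the gateway must drop traffic between passenger addresses.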
• Defense-in-Depth Secure Network Infrastructure
When designing a network, many system operators have found that one of the most effective ways to secure it is a defense-in-depth architecture, which protects individual zones and the conduits between them (the terms IEC 62443 uses). The first step in building a defense-in-depth rail network is to segment it so that traffic is isolated, which contains both deliberate attacks and human error. With firewalls on the conduits, network administrators define which zone-to-zone interactions are permitted and scrutinise the traffic that crosses them. Based on train operations, the network can be preconfigured to allow communication only between specific devices or zones, with everything else denied by default, which removes most of the paths an attacker or a misconfigured device could use.
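The zone-and-conduit policy described above as an added example (not Moxa code): a small policy table for a segmented train backbone, a default-deny verdict function run over a few constructed sample flows, and the equivalent nftables forward chain rendered from the same table so the policy and the firewall configuration cannot drift apart. The zone names, subnets, protocols and ports are assumptions.

```python
"""Zone-to-zone conduit policy for a segmented train backbone, plus the
equivalent nftables rule set generated from it. Added example, not Moxa code;
the zone names, subnets, protocols and ports are assumptions."""
import ipaddress

# Assumption: each zone is one IPv4 subnet on the train backbone.
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),    # TCMS, monitoring and control
    "cctv": ipaddress.ip_network("10.10.2.0/24"),       # cameras and video recorder
    "passenger": ipaddress.ip_network("10.10.3.0/24"),  # passenger Wi-Fi clients
    "uplink": ipaddress.ip_network("10.10.0.1/32"),     # train-to-ground router
}

# Conduits that may be *initiated*: (source zone, destination zone, protocol, port).
# Replies ride on connection tracking; everything not listed here is dropped,
# so passenger devices can reach the uplink but never the control or CCTV zone.
CONDUITS = [
    ("control", "cctv", "tcp", 554),      # control zone pulls RTSP video
    ("cctv", "control", "udp", 514),      # cameras send syslog to the control zone
    ("control", "uplink", "tcp", 443),    # control zone reports to the ground over TLS
    ("passenger", "uplink", "tcp", 443),  # passengers only get the Internet gateway
]

def zone_of(ip):
    """Name of the zone an address belongs to, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def is_allowed(src_ip, dst_ip, proto, dport):
    """Verdict of the zone firewall for a new connection (default deny).
    Traffic that stays inside one zone never crosses the zone firewall and is
    reported as allowed here; it is left to the device-level controls."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown device: in no zone, so dropped
    if src == dst:
        return True
    return (src, dst, proto, dport) in CONDUITS

def nftables_rules():
    """Render the conduit list as an nftables forward chain with policy drop."""
    lines = [
        "table inet train {",
        "  chain conduits {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, dport in CONDUITS:
        lines.append(f"    ip saddr {ZONES[src]} ip daddr {ZONES[dst]} {proto} dport {dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed sample flows: (src, dst, proto, dport, what the flow represents).
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.2.7", "tcp", 554, "control pulls a camera feed"),
    ("10.10.3.25", "10.10.1.10", "tcp", 502, "passenger probes Modbus in the control zone"),
    ("10.10.3.25", "10.10.0.1", "tcp", 443, "passenger browses the Internet"),
    ("10.10.2.7", "10.10.3.25", "tcp", 445, "a compromised camera scans the passenger zone"),
    ("192.168.99.9", "10.10.1.10", "tcp", 22, "unknown device plugged into the backbone"),
]

def evaluate(flows=SAMPLE_FLOWS):
    """Return (description, verdict) for each flow."""
    return [(desc, "accept" if is_allowed(s, d, p, port) else "drop")
            for s, d, p, port, desc in flows]

if __name__ == "__main__":
    for desc, verdict in evaluate():
        print(f"{verdict:6} {desc}")
    print(nftables_rules())
```

Two design points: conduits are listed as the direction in which a connection may be opened, and the established,related rule lets the replies back without a second conduit in the reverse direction; and because the chain's policy is drop, forgetting a conduit makes something fail visibly rather than quietly opening a path, which is the failure mode you want on a train.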
• Easy-to-Use Network Management Software
Once the network devices and topology are secure, a network management policy is needed so that system operators can see the security status of the whole network at a glance. These issues must be addressed before trains enter service, because operators can face heavy fines if a train is forced to stop mid-journey. Train operators therefore need network management software that gives them an overview of the security status of the train network; with that overview it is easier to see which areas need strengthening before a cybersecurity threat materialises.
Moxa provides network devices with security functions that reference the IEC 62443 cybersecurity standard and security management features, such as RADIUS authentication, that help protect against unauthorised access, known vulnerabilities and unknown attacks. To keep expanding onboard networks safe, Moxa also offers all-in-one secure routers combining firewall, VPN and NAT, which help train operators segment rail networks and protect critical data, and onboard wireless APs that support client isolation to add a layer of protection to wireless networks.