Rail cybersecurity: the invisible heroes keeping rail travel secure

How often do you think rail travelers worry about a cyberattack disrupting their journeys?

If the answer’s “never,” Eddy Thésée, Alstom’s Vice President of Cybersecurity Products and Solutions, would say he and his team are doing their job. Like an army of invisible superheroes working behind the scenes, hundreds of rail cybersecurity specialists and their peer railway engineers, are cooperating with customers, regulators and technology partners day by day to learn about the evolving threats, understand how they can impact operations, and build the tailored solutions that will keep them at bay.

A unique approach for a unique environment

Tailored really is the operative word in the unique world of rail systems. From steam-powered locomotives to driverless electric trains, rail systems have come far over the past two centuries, and progress has accelerated in the last decade. Of course, this brings new challenges. Eddy explains, “As we’ve introduced more digital technology, our systems have become more interconnected – the boundaries have started to vanish between the different onboard, trackside, communications and passenger systems. Trains have become very complex nested systems of systems that are more vulnerable to threats from the outside world.”

Because rail uses mainstream IT like Wi-Fi, these threats include “classic” cyberattacks like denial of service or malware that could disrupt service and the quality of the traveler experience – not to mention potentially bringing a country to its knees, since rail is considered as a critical infrastructure on the same level as healthcare, energy and telecommunications facilities. However, in the unique environment of the rail sector, “classic” solutions fall short of needs. “Rail systems aren’t built in a day, but over decades. You have layers of traditional engineering combined with state-of-the-art technology. We have to embrace new technology and features that are improving the performance and reliability of our systems. But at the same time, we need to manage cybersecurity in a way that’s suited to the specificity of railway.”

Cooperation on global standards

Alstom is also working with regulators to help set up standards. As Eddy says, “Although railway is a highly regulated environment, cybersecurity regulation is currently a weakness. One of the obstacles we’ve been facing is that you have one regulator per country or even several for different local regions, so we absolutely need global standards to provide guidance and enable different countries to learn from each other.” Again, the notion of a common language is critical. “We’ve been working since 2016 to define a common position and methodology in collaboration with organisations such as CENELEC, UITP, UNIFE, and IEC. In a very competitive market like ours, it’s important to avoid interpretations that can introduce distortions. If what’s requested is very clear, then everyone has the same targets and the competition is fair.”

Another important group of partners is clients, who are in the frontline of operations. “It’s essential to listen to our customers and appreciate their concerns.” For example, many clients are anxious about driverless trains, cloud technology and open-source technology. At the same time as gathering knowledge and finding solutions, Alstom aims to share insights with the industry as it advances. “We believe it’s very important to give back and provide the industry with whatever we’ve learned. This is necessary to make railways more stable, resilient and able to face the threat of cybersecurity.”

Keeping one step ahead

The work of Eddy’s team is never done when it comes to building an effective defense mechanism based on people, processes and technology. “If you don’t reassess the situation and reinforce your defense strategy on a regular basis, it will become less efficient because the attacker will start to learn it.” This notion of regular reviews and updates to anticipate and adjust to new threats is quite new to the rail culture, but the challenge has been readily accepted by Alstom and is now part of the company’s DNA.

Consequently, no two days are ever alike for Alstom’s team of rail cybersecurity experts, who ensure that risk mitigation processes are built into 100% of the company’s solutions and continually evolve. “We feel we have a mission to protect society. We’re not only protecting trains, we’re protecting a way of life.”

This mission is above all intrinsically motivating, as Eddy points out: “Cybersecurity must be invisible to passengers, operators and maintainers. If it has a noticeable impact on the passenger experience – for example, by adding a lot of control procedures – we’ve failed. Passengers shouldn’t notice any insecurity. There’s no doubt that rail is the safest mode of transport today, and if we can keep saying this, if people can forget about cybersecurity, then we’ve been successful.”