Rail cybersecurity: the invisible heroes keeping rail travel secure
At Alstom, more than 300 rail cybersecurity specialists and their peer railway engineers cooperate with customers, regulators and technology partners to protect rail networks from the disruption of cyberattacks. Travelers’ peace of mind depends on these trusted partnerships.
With a background in mathematics, telecommunications, and information technology, Eddy Thésée joined the railway signalling business at Alstom 20 years ago.
After several positions in IT methods, tools and continuous improvement, he now leads cybersecurity for Alstom’s products, solutions and services portfolio. Besides waking up every morning to secure mobility for millions of people, Eddy can often be found cheering on his favorite football or basketball teams.
Connect with Eddy on LinkedIn.
How often do you think rail travelers worry about a cyberattack disrupting their journeys?
If the answer’s “never,” Eddy Thésée, Alstom’s Vice President of Cybersecurity Products and Solutions, would say he and his team are doing their job. Like an army of invisible superheroes working behind the scenes, hundreds of rail cybersecurity specialists and their peer railway engineers, are cooperating with customers, regulators and technology partners day by day to learn about the evolving threats, understand how they can impact operations, and build the tailored solutions that will keep them at bay.
A unique approach for a unique environment
Tailored really is the operative word in the unique world of rail systems. From steam-powered locomotives to driverless electric trains, rail systems have come far over the past two centuries, and progress has accelerated in the last decade. Of course, this brings new challenges. Eddy explains, “As we’ve introduced more digital technology, our systems have become more interconnected – the boundaries have started to vanish between the different onboard, trackside, communications and passenger systems. Trains have become very complex nested systems of systems that are more vulnerable to threats from the outside world.”
Because rail uses mainstream IT like Wi-Fi, these threats include “classic” cyberattacks like denial of service or malware that could disrupt service and the quality of the traveler experience – not to mention potentially bringing a country to its knees, since rail is considered as a critical infrastructure on the same level as healthcare, energy and telecommunications facilities. However, in the unique environment of the rail sector, “classic” solutions fall short of needs. “Rail systems aren’t built in a day, but over decades. You have layers of traditional engineering combined with state-of-the-art technology. We have to embrace new technology and features that are improving the performance and reliability of our systems. But at the same time, we need to manage cybersecurity in a way that’s suited to the specificity of railway.”
The power of partnerships
That’s where partnerships come in. “Alstom is a leader in mobility and we’re well placed to become a leader in rail cybersecurity. So how do we achieve this? By mixing our internal expertise in rail with external expertise in cybersecurity.” Over the past 10 years, Alstom has developed a team of more than 300 internal experts with a dual cyber and rail culture, or a broad understanding of both cyber and physical security. This means they can identify the IT risks while speaking the same language as rail operators, in terms of reliability, operational efficiency and long-term commitment to performance. “At the end of the day, whether they’re family-run businesses or huge national companies, our customers are operators. They don’t expect to become cyber experts. They just want to know if they can keep operating or not.”
When Alstom started building its cybersecurity team in 2013, its partnerships with cyber experts were focused on gaining knowledge on cybersecurity processes, learning from best practices in other industries. After a few years, the internal assets had been acquired, the processes set up and the impact on engineering identified. That’s when the company started looking for new partnerships, aiming to bring cyber solutions that would bridge the gap between the two worlds. Here, the key to success has been clear, transparent communications on needs, combined with flexibility regarding the solutions. “It’s very important to describe our problem in an agnostic way to avoid bias in the solutions our partners can propose. We’re quite open about how we organise our cybersecurity, our key processes, templates and project management procedures, so they can provide skills that are immediately applicable to our system. On their side, our partners need to be ready to adjust their solutions to rail.”
Cooperation on global standards
Alstom is also working with regulators to help set up standards. As Eddy says, “Although railway is a highly regulated environment, cybersecurity regulation is currently a weakness. One of the obstacles we’ve been facing is that you have one regulator per country or even several for different local regions, so we absolutely need global standards to provide guidance and enable different countries to learn from each other.” Again, the notion of a common language is critical. “We’ve been working since 2016 to define a common position and methodology in collaboration with organisations such as CENELEC, UITP, UNIFE, and IEC. In a very competitive market like ours, it’s important to avoid interpretations that can introduce distortions. If what’s requested is very clear, then everyone has the same targets and the competition is fair.”
Another important group of partners is clients, who are in the frontline of operations. “It’s essential to listen to our customers and appreciate their concerns.” For example, many clients are anxious about driverless trains, cloud technology and open-source technology. At the same time as gathering knowledge and finding solutions, Alstom aims to share insights with the industry as it advances. “We believe it’s very important to give back and provide the industry with whatever we’ve learned. This is necessary to make railways more stable, resilient and able to face the threat of cybersecurity.”
Keeping one step ahead
The work of Eddy’s team is never done when it comes to building an effective defense mechanism based on people, processes and technology. “If you don’t reassess the situation and reinforce your defense strategy on a regular basis, it will become less efficient because the attacker will start to learn it.” This notion of regular reviews and updates to anticipate and adjust to new threats is quite new to the rail culture, but the challenge has been readily accepted by Alstom and is now part of the company’s DNA.
Consequently, no two days are ever alike for Alstom’s team of rail cybersecurity experts, who ensure that risk mitigation processes are built into 100% of the company’s solutions and continually evolve. “We feel we have a mission to protect society. We’re not only protecting trains, we’re protecting a way of life.”
This mission is above all intrinsically motivating, as Eddy points out: “Cybersecurity must be invisible to passengers, operators and maintainers. If it has a noticeable impact on the passenger experience – for example, by adding a lot of control procedures – we’ve failed. Passengers shouldn’t notice any insecurity. There’s no doubt that rail is the safest mode of transport today, and if we can keep saying this, if people can forget about cybersecurity, then we’ve been successful.”
Eddy’s 5 keys to successful cybersecurity partnerships:
- Communicate needs clearly in terminology everyone understands
- Be open-minded and solution-agnostic to enable cybersecurity experts to provide the best possible solutions
- Listen well to operators’ and regulators’ concerns, understand their perspectives and share your knowledge
- Embrace constant adaptation to new threats and solutions, shaping the evolution through shared long-term vision
- Enjoy the challenge of charting a new course and finding innovative ways to keep rail travel safe and on time!