26

CYBERSECURITY AND THE RAILWAY INDUSTRYLEROY

BIG DATA, CLOUD COMPUTING, INTERNET OF THINGS (IOTS), ARTIFICIAL INTELLIGENCE (AI)… PROGRESS IN THE FIELD OF DIGITAL ELECTRONICS HAVE LED IN THE RECENT YEARS TO A TECHNOLOGY SHIFT TOWARDS EVERMORE “INTELLIGENT” EMBEDDED SYSTEMS, ABLE TO CONTROL A WIDER SPECTRUM OF FUNCTIONS AND SUBSYSTEMS IN DAILY EXPLOITATION. THIS LEADS TO AN INCREASED QUALITY OF SERVICE, FASTER AND SAFER MOBILITY SOLUTIONS, AND ULTIMATELY EASIER COMMUTING FOR PASSENGERS FROM THE DEPARTURE POINT TO DESTINATION.

To sum up, digital mobility drives a sizeable improvement of transportation availability and efficiency on a global scale, combined with a lower ecological footprint and an upgraded passenger experience. Furthermore, digital mobility, combined to the break-through of high-end digital electronics, handle move and store tremendous amounts of all types of Data – a new goldmine for IT and Business Analytics companies, ready to surf on new topics such as predictive maintenance.

However, recent technology shifts towards faster and more efficient communica-tion protocols also come with their share of potential risks and vulnerabilities: the generalization of IP-based network, Ether-net-based protocols places security at the center of customer concerns: how do you guarantee that a system is immune against ill-intended actions?

There is no easy answer to such a question, but is there a single available solution that addresses all aspects of cyber-security? Who does really know about and master this topic? This is not rocket science – unfortunately!

Loss of availability could potentially lead to loss of comfort functions or disturbances in safety critical features. Applying best prac-tices in the field of cybersecurity becomes critical when applied to safety–related func-tions, as human lives are at stake. But this is not the only case that makes cybersecu-rity a critical element of new developments. Cyber-criminality has evolved in parallel with the development of communication technology, and its manifestations have taken new forms: cyber-attacks on websites and data storage centers are no longer the sole weapon used by hackers. Pirates also attack telecommunications infrastructures and have developed increasingly elaborate means of entering systems in order to para-lyze them. As railway technology is increa-singly “intelligent” - meaning connected -, train operators strive to propose increasing amounts of services to passengers, thus requiring more and more network capabi-lities, which leads to extended integration of passenger information network with the Train Control and Monitoring System (TCMS) infrastructure. Consequently, ex-posure to external threats is increased as there are more access points to the critical

Defining cybersecurityThe French National Agency for Security of Information Systems (ANSSI) defines cybersecurity as:

“A sought-after state for an information system allowing it to resist events emerging from cyberspace that can potentially threaten availability, integrity or confidentiality of stored, processed or transferred data and related services offered by this system or rendered accessible by the said system. Cybersecurity relates to information technology security techniques and leans on overall fight against cyber criminality as well as the implementation of cyber defense mechanisms.”

In railway applications, this definition aims primarily to the safety of people, but also to the availability of the system, and the inte-grity of transferred and stored data. However, although safety and availability are largely impacted by cyber security topics, it is impor-tant to differentiate them from safety matters, which depend on a separate (and very specific) field. Safety and particularly Safety Integrity Level (SIL) matters refer to a relative level of risk-reduction provided by a safety function and will not be addressed in this article.

27

functionalities of data transmission. The need for faster and ever-increased performing com-munication networks raises the question of its intrinsic protection, and therefore underlines the critical role of cybersecurity at all levels, from the confidentiality of the development documentation to the protection of passengers’ personal data, going through the whole chain of conception, development, manufacturing, integration, commissioning, commercial operation, and maintenance. What does this mean for train manufacturers and OEM integrators? They must ensure that the control electronics installed on-board and wayside trains are not only robust, but also suffi-ciently protected to discourage potential pirates to tamper with their intended functions. They must also guarantee that personal data collected via the different services offered during the transportation “experience” is unavailable to external third parties whether malignant or not.

How does this impact the industry? Protecting all stakeholders from piracy is no easy task. It requires a common effort from all actors of the train manufacturing and exploitation chain in order to secure as many aspects of the value chain as possible. This starts at the earliest stages of a project, during the design phase of the train architecture and associated infrastructure. Addressing all aspects in a single news article is unrealistic; we will therefore narrow the topic down to our core activity: control products. The first key element of developing a secure product is to ensure confidentiality, integrity and availability. All documentation related to a new product’s architecture, design and development must be thoroughly protected. Along with obvious intellectual property matters, making sure that all technical documentation related to the development of a new product is not easily available makes it harder to ill-intended people to understand its inner workings, thus making it more difficult to find security weaknesses. Secrecy is a tool against piracy. Although “secret does not means secure”, confidentiality helps making the products harder to hack. However, secrecy should be used with great care, as it can contribute to a false sense of security and drive development teams to neglect other and more important aspects related to cybersecurity. It is therefore not only an insufficient policy, but also a double-edged sword for developers. A corporation developing new cyber security features should be able to publicize its documen-tation without allowing hackers to tamper with the product itself by doing so.The second element resides in the design of the product. Choice of cybersecurity dedicated components makes it harder to access the critical information stored in electronic products, and therefore adds a protective layer against potential threats such as (but not limited to) reverse engineering and/or side channel attacks. Elaborate software design also reinforces product protection: cryptology elements ensure that critical data is not easily accessible; suitable software architecture can also prevent large scale or automated attacks. Cybersecurity risks are taken into consideration during the design phase, and shared with the RAM (reliability, availability and maintainability) and SAFETY teams in order to measure the potential impacts on product availability and safety in accordance with recommendations of EN 50129 standard dispositions. The third element resides in the human factor. The latter is often the weak link of the chain, as elaborating hardware and software architectures can be seriously harmed by a lack of knowledge of cyber-security best practices. Sharing administrator credentials via unprotec-ted means, using generic default passwords such as the famous “admin – admin” can ruin all efforts put in the security of the product upstream. Informing and training key stakeholders in charge of installation, commissioning and maintenance of products is just as important as the elaborate design efforts previously mentioned. We can therefore observe two distinct “places” of cybersecurity implementation, that both have dis-

tinct characteristics: cybersecurity “around” the product (i.e. design best practices, credential management, access to the elements related to the products) and cybersecurity “inside” the product (i.e. products internal mechanism aiming to make it robust against ill-intended attacks).

Finding the right balanceAnother key aspect related to cybersecurity is availability and flexibility of the proposed solution. If you place the cursor at the highest degree of product security recom-mended by the IEC 62443 standard, you may end up with a (almost) perfectly secure product, but that will be almost unusable in an industrial environment, the impact on the RAM and SAFETY aspects of the product making it improper for exploitation. Protec-ting your product against reprogramming makes it harder to attack, but also much harder to update. How do you upgrade your product software if you cannot reload it remotely? Can final customer remove all your product fleet from a train in commercial operation? That sounds very unlikely. Thus the needs for a distant access to your product by one means or another, which is synonymous to opening ground to a potential threat. A good practice in this field is to identify the access points to the product, whether intended and managed as systems interfaces or unintended. The former must be addressed via appropriate protection measures (secured log on, implementation of password to access the product, encrypted communication), while the latter must be thoroughly identified and categorized (available by system design or resulting of a physical intrusion) in order to apply factor-in protection against intrusion.There is no golden rule to define where frontier between operational practicality and sufficient level of protection lies. It is a very delicate balance that only experience, thorough research, development efforts and careful architecture design can help to reach. In addition, this balance is not a stable one, as external elements such as safety

28

assessments, reliability and availability topics and evermore-demanding customers challenge it on a daily basis. Besides, potential threats evolve with time and the security elements included at the beginning of a project may no longer be valid by the end of the development.However, best practices do exist, they have been transposed into norms (EN 62443, ANSSI guidelines for instance) and their integration at the early stages of the product development process help reinforce the cybersecurity preparedness of the solution.

How does it apply to railway electronic products?Leroy Automation, a key supplier and manufacturer of rail automation and train control systems, is duly aware that its own products hold a very critical position in the cybersecu-rity value chain. Control products are among the core elements in TCMS architectures, and suppliers shall provide its partners with innovative solutions that enable them to deploy fail-safe and secured train architectures, by selecting state-of-the-art electronic component featuring strong cybersecurity capabilities, participating to the intellectual efforts aiming to establish design guidelines for the railway industry standards, and applying cybersecurity best practices at all levels. This does not mean to pretend that we are a “cyber-stronghold”, as there is no way to guarantee oneself totally against cyber criminality, but this means that we keep cyber security at the core of our reflection and corporate practices, whether in our management system, in our product design and development, or during the whole lifespan of our products. Careful choice of components, best practices in safe and secure development, staff training and awareness and constant technological monitoring are among the stepping stones of our strategy to help you feel protected against cyber-attacks. We also make sure that we are aware of the latest issues of IEC 62443, ISO 27000 and ANSSI (French National Cybersecurity Agency). However, being up to date with the latest revisions of those standards is not sufficient; companies must also analyze the contents and divergences between the recommendations and/or requirements listed in these documents. For instance, ANSSI issues guidelines, and articles of French law, thus impose to companies to abide by these recommen-dations. These laws can potentially be conflicting with the recommendations or requirements of ISO 27000 or IEC 62443 standards, therefore superseding the latter referential. Another case that could occur is that IEC 62443 and ISO 27000 recommendations conflict with each other. Our subject matter experts are therefore in a position to arbitrate between the recommenda-tions, and apply the ones best suited to our core business and field of expertise. An asset analysis is a powerful tool to breakdown the proposed system design, and evaluates the criticality of the components in the overall architecture. The RAM and SAFETY teams use this analysis to evaluate the impact of unexpected failures or compromising at system-level. Choice of components in the early stages of development is a key element to allow fast reac-tion time to potential threats. Identifying and evaluating cybersecurity zones and conduits and product partition allows building a cybersecurity risk analysis that will serve as an entry document for further development activities. This analysis is submitted to the RAM and SAFETY teams and will be used to define a risk acceptance matrix. The required protection level is a combination of the technical controls embedded in the system and the cybersecurity management measures discussed by the product designer and users. This is implemented in the product through refined authentication procedures and a strong rights management policy, secure boot capabilities, secure remote update thanks to the use of asymmetrical encryp-tion keys, repudiation capabilities allowing to deny further access to the product in case of threat; and the deployment of all tools and techniques comprised in the cybersecurity lifecycle.

This analysis will also feed user recom-mendations in order to ensure that the cybersecurity capabilities embedded in the product are cascaded at all further stages of the product life, i.e. during the integration, operation and maintenance phases.

In addition to the steps taken to protect our product against external threats, we want to protect our Intellectual Property (IP) thanks to the deployment of anti-counterfeit measures. This is achieved thanks to the implementation of cybersecurity measures all along our manufacturing chain and well managed rights from the very early stages of manufacturing.

Cyber threats constantly evolve in their form and source. In order to stay up to date with the latest technologies and potential threats, a team of Leroy experts is constantly honing its command of this particular field, making sure they integrate the latest research in cybersecurity in the codes of practice used by the development teams at all stages of product development. Experts also provide recommendations related to the internal processes, quality management, safety and organizational aspects impacted by the potential threats, in order to maximize the company’s awareness and readiness against as many forms of cybersecurity threats as reasonably possible.

Based on this expertise, we are able to cascade best practices to customers, giving them recommendations for the most efficient and cyber secure usage of our products at later stages of product lifecycle. This allows passing on our best practices all along the value chain to the end user, and making sure he is aware of the best practices required to support cyber security elements embedded in the products by the application of best practices on the exploitation side.

As stated in the beginning of this article, this is not rocket science… Offering hardware platforms with predispositions to cyber- security with crypto features and fail-safe mechanisms is for sure one-step towards a big great Data world! We can only foresee a bright future to the cyber-security since we are the premise of building its awar-eness. Hop along and step on the cyber- security train with us!

29