The intersection of rail safety and cyber security

Technology is prevalent throughout the rail network, making it susceptible to cyber attacks.

Anchoram and Certifer Solutions are bringing each organisation’s expertise to assist Australia in improving cybersecurity on the rail network.

Technology is present in every part of our lives, and the railway sector is no different. The efficiency and quality of service provided by rail operations have improved with the integration of digital systems.

The safe operation of new technology presents its own set of challenges given that the railway network may be vulnerable to cyber threats that could disrupt services and jeopardise safety.

Sophisticated control systems are essential to modern railways for scheduling, train control, and signalling. Due to their frequent connections – either direct or indirect – to the internet and other networks, these systems are open to cyberattacks. If such an attack is successful, it could result in data breaches, unauthorised access to control systems, disruptions to train services, and serious harm.

As the railway industry continues to evolve, the collaboration between technology experts, regulators, and rail operators will be essential in developing resilient systems that can withstand the challenges of the digital age.

Anchoram and Certifer Solutions see four pillars where assessment and gap analysis can prove valuable, both during projects and during the operations and maintenance phase. This includes governance, standards compliance, independent assurance and risk management – all of which have an impact on safety if not performed with due diligence.

For operators seeking subject matter expertise, Anchoram and Certifer Solutions provide an integrated approach to cyber risk assessment, safety assessment and independent certification, giving railway operators a proactive way to ensure the safety and reliability of their rail operations.

Started in 2019, Anchoram provides professional services and experience that are well-tailored to critical infrastructure. Headquartered in Canberra, with people spread across all major locations in Australia and a growing presence in India, Singapore, and New Zealand, the company is rapidly expanding.


Australia-based Certifer Solutions is part of the French Certifer Group, founded over 25 years ago. Its strength is its rail industry focus, which keeps its services at the cutting edge of innovation and backed by in-depth, constantly updated knowledge of regulatory frameworks.

What role do standards and regulation play?

The Rail Safety National Law, which imposes obligations on all parties involved in the Australian railway sector, is a framework laid out to support the safe operations of the rail industry.

A safety management system outlining the methods for managing and controlling safety risk is a requirement for all Rail Transport Operators (RTOs) as a safety control measure.

The law acknowledges the need to record security risks and put safeguards in place against dangers like sabotage.

Many nations and organisations have created standards and guidelines to reduce these risks because they understand the importance of rail cyber security.

For example, RTOs can manage cyber security risks using the framework provided by the Australian Standard AS 7770:2018 – Rail Cyber Security. This standard and industry guidelines describe what is needed to have a strong cyber security posture within the rail industry.

More recently, TS 50701 provides guidance on applying an IEC 62443-based design to railway systems and ties in with Reliability, Availability, Maintainability and Safety (RAMS).

These generic processes ensure cyber risks are considered alongside more traditional rail operational risks, and they are due to become the dedicated International Electrotechnical Commission (IEC) Standard 63452 in 2025.

The IEC has created IEC 63452 in response to the digital revolution in the rail industry. This standard is at the forefront of efforts to strengthen cybersecurity within railway networks, reflecting the growing significance of safeguarding rail infrastructure from cyber threats. The standard is the result of the combined efforts of IEC Technical Committee 9/PT 63452, which consists of more than 100 industry professionals, including prominent figures from rail companies and their suppliers.

The standard is designed to address the unique cybersecurity requirements that emerge from the increasing interconnection of railway operations.

A cyber attack has the potential to cripple Australia’s rail network.

The primary goal of IEC 63452 is to offer a robust, understandable, and useful set of guidelines that will strengthen the security of rail system components, such as infrastructure, control systems, and trains.

In order to provide the railway sector with a comprehensive cybersecurity strategy, it aims to expand upon the foundation of current cybersecurity protocols.

Crafted with a worldwide scope, IEC 63452 is intended to resonate with various international regulations and operational standards. This global perspective is crucial for a standard that will be used in many different countries and with different regulatory frameworks.

What’s the Australian view on cyber risk in rail?

Some rail operators may have regulatory obligations as part of the Security of Critical Infrastructure Act of 2018.

This includes the requirement to adopt, maintain and comply with a written critical infrastructure risk management program (CIRMP) that encompasses all hazards, of which cyber risks are one facet.

This program should identify, and as far as is reasonably practicable take steps to minimise or eliminate, the ‘material risks’ that could have a ‘relevant impact’ on the rail asset. Although the definition is broad, it requires a depth of assessment that covers all aspects of a modern rail operation, including rolling stock, signalling, power control, tunnel ventilation, track and any other area of modern transport networks.

Delivering Safe Outcomes

The structured management of cyber security risks sits well with the management of railway safety with recognised standard processes such as EN50126 being adopted for the systematic approach to railway safety risk management. This standard provides the lifecycle path for safety management through the delivery phases of a project and onwards to the operations and maintenance phase.

With the complexity of digital systems increasing, it is essential that the processes adopted for assuring safety are appropriately scrutinised for effectiveness.

For major railway projects in Australia, the Office of the National Rail Safety Regulator (ONRSR) recommends the use of Independent Safety Assessment (ISA) to review and challenge safety risk management and outcomes.

An effective ISA requires an understanding of both safety management processes and principles, coupled with technical knowledge of the engineering domains and disciplines to provide pragmatic and valuable support to a complex railway project.

Augmenting ISA, independent verification that a project has delivered its design, installation and testing in accordance with its original requirements can provide an RTO with assurance that a project is delivering against the specified standards. Such standards can often be part of the RTO’s safety management system, providing the engineering controls that manage safety risk.

Independent verification provides assurance to an RTO that a project has delivered against the contracted specification and implemented the specified risk controls. For some projects, verification activity can result in certification of the project works.

The intersection of rail safety and cyber security is an area that requires continuous attention and investment. Anchoram and Certifer Solutions are continuing to work with the rail industry to support cybersecurity improvements.

The post The intersection of rail safety and cyber security appeared first on Rail Express.
