IT/OT Convergence in Rail Systems

Operational technology (OT) has revolutionised the management, monitoring, and control of critical infrastructure such as water treatment, power generation and transportation systems. Increasingly, there is a trend to converge operational systems with information technology (IT) solutions. By sharing resources this enables significant efficiency savings to be realised, but at the same time creates several challenges, especially in relation to network security. 

IT systems are typically focused on the end user and are required to optimise their performance and prevent data privacy from being compromised. In contrast, OT systems are dedicated to the reliable and safe operation of industrial and critical infrastructure, with secure and time-sensitive communications essential to command-and-control actions. While both technologies are complementary and have converging interactions, they have very different priorities regarding cybersecurity. 

Rail applications

Within the rail industry, the implementation of OT systems has grown exponentially in recent years, with data communication technologies playing a key role in the onboard train control architecture. Obvious examples are the fully automated Docklands Light Railway and the European Train Control Systems currently being deployed throughout the UK to help increase the range of available services and capacity of the existing rail network. With increasing research into autonomous vehicles and demand for technological innovation, the implementation of OT systems in railway vehicles and network infrastructure will continue to grow. As a result, this increases the network of interconnected cyber-physical systems and the level of security required. 

To support these solutions, the train industry is rapidly moving to IP-based communication networks, using the Ethernet/IP protocol to transmit data in on-board train control applications. Prior to the use of Ethernet/IP, the Train Communication Network protocol was used, which the Multifunction Vehicle Bus (MVB) applied within the vehicle and a Wire Train Bus (WTB) connection between vehicles. Both MVB and WTB are based on serial communications and were deployed at a time when on-board implementations of IP networks were limited to IT systems, such as CCTV and on-board entertainment. 

Bombardier Transportation (now Alstom) pioneered the integration of intelligent IT/OT devices into a single physical data communications network using Westermo managed Layer 2 and 3 Ethernet switches. This revolutionary train network, based on IP communications, carried multiple data types needed for control, security, and passenger information. This included data for surveillance cameras, passenger announcements and to control the operation of the train doors, propulsion, and lighting. 

Interconnected infrastructure

Mixed system IP based architectures are now standard in new rail vehicles, however there is increasing demand to retrofit operational and safety critical systems onto legacy fleets, such as Driver Controlled Operation. The associated convergence of new OT systems with existing IT systems requires careful network design and a clear digital resilience strategy, particularly when the same physical network is shared across multiple systems with many stakeholders.

In most cases, on-board technology such as the passenger comfort systems and operational command and control, will be connected `off-train’ to a server, either at a control centre or in the cloud using a service such as AWS. 

With so many on-board systems requiring connections to the internet, it is common for a single mobile communications gateway to be used for both operational and non-operational data transfer. When creating a digital resilience strategy, this introduces further complexity.

Increasing threat horizon 

As engineering professionals, building in digital resilience should be at the forefront of our thoughts when designing systems and integrating them within larger systems (system of a system). Guidance to the industrial community on IT security has been available for some time in the form of the standard IEC 62443, however a standard specific to the railway industry: `CLC/TS 50701:2021 Railway applications – cybersecurity’ was released in July 2021. 

Whilst consistent with IEC 62443, the new specification offers tailored guidance, requirements, and recommendations to ensure that the reliability, availability, maintainability and safety characteristics of our railway systems and operations are not compromised in the event of an intentional cyberattack.

Systems thinking

A core consideration when planning any modification to onboard systems and data networks, is to take a holistic view of the threat landscape that encompasses wider railway operations. This will ensure that appropriate cybersecurity methods and practices are utilised, implemented, or changed at every level. One overarching holistic approach is to employ systems thinking analysis, which requires a wider view be taken on system interactions and how these might change over time and with respect to other larger systems. Systems thinking provides a structured approach to managing complexity, is not specific to any one industry, engineering discipline or technical environment, and can be applied across a range of scenarios where interactions take place. 

When looking to protect an on-board system, it is important to consider wider system interactions, not only for those systems that share the same physical network, but also remote sensors, systems at the trackside, and connected servers in operational control centres and the cloud.

Keeping a system resilient is not a one-off activity

The potential for changes to the threat profile over the life of the system must be acknowledged and input from those responsible for sensing the global threat picture should be considered. In addition, it is important to evaluate emergent system and subsystem firmware releases and ensure that applicable releases are applied to the systems fleet-wide, ensuring resilience is up to date. 
Systems thinking in practice

A continuous monitoring and response approach is especially applicable to an IP network where the threat profile can change regularly and requires a fast response. A vulnerability exploited by attackers recently was the key reinstallation attacks, known as KRACK. This focused on the inherent weakness in WPA2 authentication and allowed attackers to steal data that was previously assumed to be encrypted. This event required a fast and positive response and demonstrates the need for continuous management of the threat environment to ensure that legacy systems are protected against emerging vulnerabilities and threats. 

To combat new threats and risks, Westermo has a dedicated product security incident response team to rapidly respond to any reported vulnerabilities. As well as reacting to reports, the cybersecurity domain is monitored for common vulnerabilities and exposures that could affect networking products in any way. All vulnerabilities are quickly assessed, and necessary firmware updates or mitigation published online. Security advisories are published for moderate and high-risk issues related to Westermo products. 

Network segregation and micro-segmentation

In a complex system of systems, there needs to be a controlled and methodical approach whenever new interconnected functionality is introduced to that existing environment. It should not be assumed that existing elements within legacy systems are secure, especially when introducing OT functionality into a potentially less secure IT environment. In the UK, there is a significant amount of rolling stock that is over 30 years old and still uses its original serial-based communications. These vehicles will have been modified throughout their working life, with various IT and OT systems added, some of which will be standalone systems, while others will have functional or physical connectivity on-board and to the wayside. 

To protect functions that are essential to the safe and reliable operation of the railway, it is necessary to segregate IT and OT systems through technical and procedural methods. This is a core principle of the CLC/TS 50701:2021 standard and a carry-over from IEC 62443. Segregation limits access to a critical OT system, blocking the path of an attack through a potentially compromised and less secure IT system or network. In addition to segregating IT and OT systems, additional internal separation can be applied for a single system or subsystem that will limit the exposure of a security breach to a specific part of the network to which the attacker has gained access, limiting the damage that can be done.

To take the approach a step further, micro-segmentation divides the wider network into VLANs. Adding firewall rules at a system level is standard practice for creating a secure network and this allows traffic within a subnet related to a single system to move freely without security rules. By introducing further security measures across a system at a functional or sub-system level, this limits lateral threat movement to a very specific system segment and provides a level of granularity and complexity which makes further breaches more difficult for an attacker. 

Conclusion

With further convergence of IT and OT rail systems, coupled with an increase in targeted cyber threats to our railway network, the need for a holistic and coordinated approach in the protection of our transport systems and assets has never been greater. The global cybersecurity threat landscape is constantly evolving. It is vital that digital resilience processes enable our industry to sense and react to emergent threats with a controlled response and a holistic view of the systems and segments affected. 

Westermo has extensive experience of implementing secure railway data communication networks to support the most advanced on-board and train-ground systems.

• More information on Westermo train and trackside solutions
• Receive security advisory emails about Westermo products