Building Rolling Stock Resilience: Considerations for Cyber Risk Assessments

Onboard cyber risk assessments are hugely valuable in assessing and managing cyber security risks associated with trains, particularly in the context of new trains and major refits. However, undertaking such on-train Operational Technology (OT) cyber risk assessments is not straightforward, and there are many challenges to overcome.

 

1. Incomplete Threat Models

Failure to comprehensively model potential threats and their impact can result in underestimating risks or overlooking emerging threats.

Assessments may not consider threats from authorised personnel within third-party companies. For example, a system vendor employee with legitimate access to onboard systems could use that access for malicious purposes.

 

2. Incomplete Scope and Context

Assessments can focus narrowly on certain aspects of cyber security, such as technical vulnerabilities, while neglecting other crucial areas like human factors, third-party risks, or regulatory compliance.

Assessments may also fail to consider the broader organisational context, including business objectives, rail-specific threats, or the evolving threat landscape. 

 

3. Inaccurate Impact Assessments

Risk assessments may underestimate the true impact on passengers, operators, and asset owners. Thorough stakeholder engagement is crucial to ensure accurate severity scores.

Furthermore, the loss of availability or integrity of “non-critical” systems can have a far greater impact than might initially be assumed. Consider real-world scenarios: inappropriate messages (e.g. bomb scares) displayed on a train’s Passenger Information System (PIS) could cause panic amongst passengers, with significant safety implications, while the unavailability of onboard CCTV systems could lead to regulatory fines or even, for example in the case of Driver Only Operation, prevent passenger services from operating.

 

4. Outdated Information

A focus purely on historical data may result in low probabilities being assigned to some threats. But this can overlook the emerging impact of the increasing digitisation and connectivity of newer fleets, which could leave them vulnerable in an evolving cyber threat landscape.

 

5. Inappropriate Target Security Levels

Target Security Levels (SLs) may be set to SL1 or SL2 when in fact SL3 might be more appropriate.

These levels are determined by the sophistication of the threat actor: SL2, for example, indicates an individual threat actor with limited means and sophistication. However, for major public transportation systems it may be more appropriate to set a target of SL3, indicating a more sophisticated threat actor.

A low target Security Level can lead to certain threat types that a system could face being overlooked. For example, persistent threats might be disregarded because of an untested assumption that attacks will always lack sophistication.

 

6. Relying on Idealised Configurations and Incomplete Documentation

This is especially true when a high-level risk assessment is conducted at the detailed design stage. 

It’s crucial that a detailed risk assessment is subsequently performed on the fully implemented vehicle. This is because documentation gaps - where configuration does not match the documented system - can lead to vulnerabilities being missed. 

For example, undocumented remote access, especially on third-party systems, creates vulnerabilities. 

A reliance on an idealised zone and conduit model can be misleading, as real-world implementations may lack proper segmentation and segregation.
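As an added illustration (not code from the original article) of the documentation-versus-reality check described above: a small script that compares an as-built connection list against the documented zone-and-conduit model and reports what the model does not account for. Every zone, asset, conduit and flow below is constructed for the example.

```python
# Added example: check an as-built connection list against the documented
# zone-and-conduit model. All zones, assets and flows are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst service")

# Documented (idealised) model: asset -> zone membership.
ZONES = {
    "TCMS": {"vcu-1", "brake-ctrl"},
    "PIS": {"pis-server", "saloon-display-1"},
    "EXTERNAL": {"wayside-gw"},
}
# Documented conduits as (zone_a, zone_b, service); direction-agnostic here.
DOCUMENTED_CONDUITS = {
    ("PIS", "EXTERNAL", "https"),
    ("TCMS", "PIS", "mvb-gateway"),
}

def zone_of(asset, zones=ZONES):
    """Documented zone of an asset, or None if the asset is undocumented."""
    return next((z for z, members in zones.items() if asset in members), None)

def find_conduit_gaps(flows, zones=ZONES, conduits=DOCUMENTED_CONDUITS):
    """Return (finding, flow) pairs the documented model does not account for."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src, zones), zone_of(f.dst, zones)
        if src_zone is None or dst_zone is None:
            # e.g. a vendor-installed modem nobody drew on the diagram
            findings.append(("undocumented asset", f))
        elif src_zone != dst_zone and not (
            (src_zone, dst_zone, f.service) in conduits
            or (dst_zone, src_zone, f.service) in conduits
        ):
            # cross-zone traffic with no documented conduit (e.g. remote access)
            findings.append(("undocumented conduit", f))
    return findings

# Constructed as-built observations (what a switch ACL dump or capture shows).
OBSERVED_FLOWS = [
    Flow("pis-server", "wayside-gw", "https"),   # matches a documented conduit
    Flow("vcu-1", "pis-server", "mvb-gateway"),  # matches a documented conduit
    Flow("wayside-gw", "vcu-1", "ssh"),          # EXTERNAL -> TCMS, undocumented
    Flow("vendor-modem", "pis-server", "ssh"),   # asset absent from the model
]

if __name__ == "__main__":
    for finding, f in find_conduit_gaps(OBSERVED_FLOWS):
        print(f"{finding}: {f.src} -> {f.dst} ({f.service})")
```

Each reported gap is a question for the detailed assessment: either the documentation is updated, or the connection is removed or brought under a controlled conduit.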

 

7. Lack of Physical Threat Testing

While physical testing is usually infeasible at the design phase, wherever possible it should be done at the detailed risk assessment stage.

 

8. Incorrect Handling of System Boundaries

An over-reliance on the assumption that third parties have robust security controls can be misplaced, for instance assuming that there are well-controlled maintenance processes and properly secured service laptops. This can lead to a failure to adequately assess threats that could exploit weaknesses at system boundaries.

 

9. Lack of Consideration for Safety Implications

Safety assessments require a nuanced approach beyond the traditional impact categories of Confidentiality, Integrity, and Availability, which may not fully capture the potential safety impacts of cyberattacks on rolling stock.

 

10. Lack of Consideration of Supply Chain Risk 

Over-reliance on supplier audits and quality assurance (QA) creates a gap in cyber risk management. While these processes are important, additional controls and procedures are necessary to fully address vulnerabilities within the supply chain.

 

11. Overemphasis on Technology

Cyber Risk Assessments may focus excessively on technical controls and neglect other critical aspects such as governance, policies, procedures, and employee awareness.

 

12. Failure to Monitor and Review

Effective cyber risk assessments should be part of a dynamic process that is regularly reviewed and updated to reflect changes in the threat landscape, evolving technologies, and the business environment. Outdated assessments leave organisations vulnerable to emerging threats and unforeseen cyberattacks.

 

Addressing the above deficiencies in railway cyber risk assessments requires a holistic approach encompassing technology, processes, people, and governance. By continuously improving risk assessment practices, organisations can build resilience against the ever-evolving threat landscape of cyber security.
