Data centers on steel wheels: can we trust the safety of rail infrastructure?

In this interview for Help Net Security, Dimitri van Zantvliet Rozemeijer, CISO at Nederlandse Spoorwegen (Dutch Railways), talks about railway cybersecurity and the progress the industry has made in ensuring safety.

Critical infrastructures have recently experienced numerous cybersecurity incidents and cybercriminals have become more stealthy than ever. How is rail cybersecurity doing in this complex environment?

It’s true that cybersecurity incidents are on the rise and it’s a trend that I don’t expect to decline any time soon. So, in general, it is fair to say that incidents in the rail sector are following this trend and will do so over the next few years. On the other hand, if we look at Nederlandse Spoorwegen (Dutch Railways), we have been driving trains for over 180 years and we have done so with safety as a prerequisite. You could say that security processes are built into our DNA, and cybersecurity is just the latest stump of that helix.

If we compare the railways with, for example, the banking sector, we see that we have some catching up to do, but given that we are used to managing risk, I am convinced that this sector is fully capable of developing the mechanisms needed to remain resilient to these new emerging threats. Of course, we may one day be attacked, just like any other organization. It is up to us to be prepared and to remain resilient; I am convinced that we can do it.

What has made railroads an attractive target for cybercriminals?

Well, if we look back to the pandemic years (hopefully), we see that mobility was a necessity to bring doctors and nurses to hospitals. In general, we see more and more economic services relying on appropriate public transport. Targeting such a vital part of an economic region could cause serious damage with long tails of consequences. So, if a lot of money or lives are at stake, it pays for cybercriminals to take down these services. In the long term, rail transport will also contribute to the global reduction of CO2 emissions by preventing the Earth from heating up too much. I also consider this vital. Rail mobility, in short, is in the crosshairs of our society.

What could be the techniques that cybercriminals could apply to compromise railway infrastructure?

In fact, any technique, tactic or procedure (TTP) that can also be used in other organizations. What we will see is that now that our industry is accelerating the digitization process, the attack surface is getting wider and more complex. Trains will become Teslas on rails with many connections to other digital services such as the European Rail Traffic Management System (ERTMS) and driving via Automatic Train Automation (ATO). The obvious consequence is that we need to be able to withstand these TTPs and build in mitigation measures in our digital roadmaps. In the most ideal world, we build our services cybersafe by design and by default. There is work there!

What can governments do or are already doing to improve rail cybersecurity and address growing threats?

If organizations want to use the digital highway, I think they all have to take responsibility for using that highway safely. Since everything is connected these days, not controlling your cyber hygiene is a big deal. Supply chain risk is at the top of the list these days and we spend too much time vetting each other. Governments should establish the minimum requirements for driving on this highway. Next to that, they should follow their conversation and eat their own dog food first.

In Europe we are seeing new regulations emerging rapidly, and in my humble opinion that is a good thing, because there is too little incentive for organizations to organize their digital act, so we definitely need some regulation. If we could define a baseline set as the cyber minimum and hold leaders accountable for damages, that would certainly help to speed up the level of cyber hygiene.

What are the risks that citizens might face?

Again, I don’t see much difference in being a rail organization: citizens using public transport face the same risks of having their PII exposed or passwords leaked as with any other digital service. Of course, we have many baselines and safeguards applied to our digital environment and citizens can trust us to handle all of this data with due care and cyber-diligence.

If we are talking about a possible physical risk arising from cyber threats, I do not expect a big difference in risk in the current fleet of rolling stock that we operate in the near future. Yes, it is true that more and more trains will become data centers on steel wheels and we as an industry are fully committed to preparing the right resilience in these new models. We are running several pilot projects and proofs of concept that aim to mitigate the risks we foresee, and I strongly believe that passengers/citizens are and will be safe in the future. The security that is part of our DNA does not dissolve over time, but will become more cyber-centric.

What challenges do you face as a CISO in your daily work?

Being CISO in the railway sector is a great job. Being part of our cyber teams is good too. Our biggest challenge is finding the right cyber colleagues with the right skills. If we can hire the right talent, then the rest of our cyber challenges can be met head-on.

Ramon J. Espinoza