On 19 March UIC hosted the opening meeting of ARGUS, the essential project which prepares and secures the response of the railways to cyber crime. Specialists from DB Netz, RFF, SNCF, ÖBB, NSB and UIC, joined via audio-conference by ADIF and Network Rail, held an initial exchange of views aimed at establishing the overall strategy, work objectives, priorities and sharing of expertise needed to reach the first concrete results over a period of 24 months.
Mr Jean-Pierre Loubinoux, UIC Director General, opened the meeting and underlined the importance of the project in a context where railways are obliged to “open” their IT and communication networks, with a huge impact on efficiency and the development of services, but with obvious risks. Railway safety can be targeted by cyber attacks, with consequences for transport availability, deteriorating operations and, hence, huge losses. More than 80% of railway safety today is built on software, in full respect of the fail-safe principles and the existing safety standards. The railways shall maintain the philosophy of building and maintaining their safety structures as historically conceived.
These have proven to be very efficient in protecting the system against unavoidable random technical failures or operating failures. Cyber attacks are now a world threat, more “efficient” than a classical weapon; the enemy is not known and the attack methods are rapidly changing. “We live in a changing world where we shall face new risks. The role of UIC is to anticipate, to create awareness of threats, to federate the applicable knowledge and create alliances with all potentially similar interests and structures, to share best practice and achievements. UIC is also the vector to include the railways in the global structures of the fight against cyber crime”.
When presenting the scope and achievements of the SECRET project (security against electro-magnetic attacks on railway structures) Jacques Colliard, Head of the UIC Security Platform, underlined the complementary work and synergy between the two domains: security and safety.
The participants also presented their current work and their interest in and commitment to pursuing research aimed at increasing the immunity of safety structures and limiting the effects of cyber attacks that could target the railways, especially by preserving safe service and efficient operation.
G. Barbu (UIC Rail Department, coordinator of the CCS & operations sector) characterised the overall framework and the challenges of the project work. ARGUS is extremely important and, even if until now no cyber attack has affected the railways, the task of awareness, protection and creation of efficient means is for today. Tomorrow or the day after tomorrow, it could be too late!
Ms Yuen Mon Hon (DB Netz) presented the work started at DB in defence of the approach of “Embedding security to safety”, which shall be applied to all layers and phases of the V-cycle of systems’ development, implementation and operation. It will be unavoidable to link the supply industry to the ARGUS objectives and findings, because the development platforms of suppliers can easily be the “penetration gate” for malware.
In her short presentation, Ms Y. Garnier (SNCF and also on behalf of RFF) underlined that French Railways are aware that rapid transitions in IT and telecommunications (where Internet Protocols prevail) confront the railways with new challenges. ARGUS is expected to provide a common approach to the profile of threats and the consequent analysis of risks. It is also expected that an efficient response to threats and risks will increase the opportunities for using open networks for critical applications and raise awareness in the supply sector.
Prof. D. Shaljagin (RZD) emphasised the role of human factors – the staff and agents of the railways. Even if technical measures are likely to increase immunity and/or provide redundant safe structures, humans are the essential link in the operational safety chain. Their awareness and education to face the new challenges are also of prime importance.
Mr L. Cuppari (NSB) showed that the fight against cyber crime has become an aspect of life, a part of cultural behaviour. This culture shall be added to the safety culture of the railways.
Dr. M. Antony (SNCF and UIC RSD) defined the potential scope of ARGUS and the project’s unique opportunity to bring together railway specialists and other specialised structures to provide workable and efficient responses to the identified challenges. ARGUS will not only be a two-year project, but shall cover a permanent activity and vision, adapted to the changing world.
G. Barbu summarised the positions and conclusions in order to identify the strategy and the immediate objectives of work.
The strategic objective would be to create synergy between security and safety and – in particular for IT and Telecom – to create the opportunity and framework to include threat definitions in future system developments and operations.
Currently, three work pillars have been identified:
- Study of vulnerabilities and of the overall institutional and alliance framework (work to be conducted by UIC staff)
- Opportunities to include security in the standard V-cycle development where specific interfaces may be identified and created to increase immunity (work to be conducted by DB Netz)
- Human factors in the railway system as a primary active element of protection – addition of the security culture to the safety culture (RZD will study the opportunity to take over this work)
The participants agreed to meet again on 27 August at UIC to deploy the intermediate results and accurately define the outputs.