Over the past seven years, Northern has worked with supplier RazorSecure to develop an ambitious programme of cybersecurity risk management, the operator’s Onboard Systems Manager Marc Silverwood tells Tony Miles.
Today’s railway is far more than a network of tracks and trains; it is now an infrastructure of connected devices, sharing data with each other and with central hubs.
Across a train operator’s fleet there may be tens of thousands of separate assets generating terabytes of data every day, all requiring secure management at rest and in flight. If not managed effectively, this data is vulnerable to loss of availability, integrity or confidentiality, and may affect safe operation.
Furthermore, there is the additional risk of cyberattacks on rail operations and equipment through malware and Distributed Denial of Service assaults.
The UK’s 2018 Network & Information Systems Regulations place an obligation on railway operators to ensure the industry has a high level of cyberresilience and a strong cybersecurity culture, with regulations specifying the network and information system security obligations for operators of essential services.
Northern’s new approach
In light of this evolving policy, risk and regulatory landscape, Northern Trains has adopted what it believes is a novel approach in the UK industry to embrace ‘full-circle’ cybersecurity, and over the past couple of years it has developed a comprehensive methodology for the management of cyber risk.
Northern operates around 350 trains totalling approximately 1 000 vehicles. Handling some 108 million passenger journeys a year, this fleet generates several terabytes of data a day.
Recognising the significant responsibility posed by handling such data, Marc Silverwood, Northern’s Onboard Systems Manager, explains that a train these days ‘is pretty much like a mobile data centre. It’s made up of multiple systems each providing passengers with a range of information and ensuring the connectivity of the train itself, providing remote condition monitoring, CCTV and more. As critical national infrastructure, we are obligated under NIS regulations to protect and make our trains safe. We must be able to monitor activity and respond to unusual behaviour, and apply security controls autonomously to protect those onboard systems.’
Even before the arrival of the NIS regulations, Northern was already exploring means to enhance the security of both its trains and its passengers. Cybersecurity had been a key focus as far back as 2016, and by the time the NIS legislation came into force, the company was already making progress on a journey which some other operators had only just began.
Northern has adopted a collaborative approach to achieving cyber-resilience by working with specialists from RazorSecure. ‘When we first met RazorSecure, they were the only company who could provide us with intrusion detection on the train’, Silverwood reports.
Functionality without connectivity
The two companies have developed a toolkit that monitors data flowing both onto and away from a train, looking for anomalies and working independently on each formation. The system remains operational even with limited connectivity, which is vital given the difficulty in maintaining continuous data links through demanding terrain and remote areas.
‘Because RazorSecure doesn’t need to be connected back to base it can work independently on the train; that makes it a unique product in the world of cybersecurity’, Silverwood adds. ‘We have a large fleet of trains firing out vast amounts of data as they become more digitalised. In the next few years, they will be replaced by more advanced digital trains. Streams of data are growing, encompassing everything on a train that has a digital “heartbeat”.’
Article continues below ↓
The UK’s cyber regulatory environment
The UK’s Network & Information Systems Regulations 2018 (the ‘NIS Regulations’) came into force on May 10 2018.
They provide a framework to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of digital services, including online marketplaces, online search engines and cloud computing, that operate in essential industries such as transport, energy, water, healthcare.
In 2022, the UK government launched a consultation on updating the NIS regulations, which led to proposals to bring Managed Service Providers into the scope of the legislation to keep digital supply chains secure; MSPs are third-party companies that remotely manages a customer’s information technology infrastructure and end-user systems.
The RazorSecure technology looks for unexpected events across all the data flows, identifying unusual behaviour and enables Northern to respond appropriately. This approach also makes use of artificial intelligence techniques to learn about patterns of behaviour.
While GDPR legislation requires that passenger data is protected, the moral duty to keep passengers safe reinforces the importance of cybersecurity. Drivers taking control of a train are required to log into onboard systems using passwords and personal ID numbers. Elsewhere, the telemetry between the train and the fleet controllers includes information about the functionality of onboard systems, like heating, toilets, doors and fuel consumption. ‘On our trains we have 25 000 digital assets, including CCTV cameras, video recorders, data switchers, wi-fi access points, media screens, equipment for passenger information, and so on’, says Silverwood.
In practical terms, RazorSecure allows Northern to monitor the behaviour of individual systems and traffic across the full network in real time, to quickly detect, alert and respond to malicious activity and security violations that are outside of normal operation patterns.
‘If a malicious outsider is attempting to use the wi-fi to talk to CCTV systems, RazorSecure effectively puts a blanket over that to prevent it, and will also flag unsuccessful attempts. Such is the level of security that even a member of staff downloading CCTV images for legitimate purposes will create an alert and they will need the right access controls and authentication to gain entry’, he adds.
‘Everything is monitored on a 24/7 365 days a year basis and any determined efforts to breach the train’s security will see Northern intervening and the potential hacker blocked on the company’s network. This is a far more complex process than some may imagine. Many devices log on to a network cycle through their security processes, and this has to be differentiated between a safe activity, someone with perhaps a little additional knowledge “experimenting”, and a determined hacker with a high level of intent to cause mischief.’
Intelligent Trains programme
Northern is now in the process of launching its ‘Intelligent Trains’ programmeNorthr, with a number of test units that monitor the state of railway infrastructure and provide additional data feeds covering LiDAR, radar, thermal and acoustic reporting, G-shock, pantograph cameras and other information.
These additional feeds and sensitive information are protected by RazorSecure. ‘Our evolution into intelligent trains and our drive to push this forward is largely due to the support of RazorSecure, who are protecting everything on our trains and securing our systems and data’, Silverwood says.
Silverwood reflects that not only was Northern well on the way to compliance ahead of the arrival of the NIS legislation, but its early start on the journey has put it at the forefront of handling cybersecurity in the UK rail industry.
‘Some rail companies are now coming to us to ask, “How can we do it better? How can we maintain this network? How can we analyse our data better?” Other companies are just developing their understanding of cyber security, so they come to us to understand what their trains need, what they’re doing, or where they need to focus their efforts. We frequently host and attend seminars and events where we openly tell people within the industry how best to protect themselves, having turned what was a heavy engineering rail company into an efficient and secure digital rail company, and we want to continue leading the market as pioneers in digital rail.’
