Automating cybersecurity for rail

Aug. 18, 2020
Automation not only helps keep costs down, but it may also help railroads stay ahead of attackers.

In most parts of the world, the digitalization of railways is moving ahead quickly, which is bringing efficiencies but also increased risks. Digital technologies reduce costs, optimize resources and help better serve passengers, while also expanding the potential cyberattack surface of Information Technology (IT) and Operational Technology (OT).

Is there a danger that all the gains made by going digital will simply be offset by the additional resources needed to secure new digital systems? While that is unlikely, it is possible to reduce the security resources needed by automating cybersecurity systems. Automation will not only keep costs down, but it may also be required to stay ahead of the attackers.

The number one concern of all railway operators is the safety of passengers and operational personnel. Safety systems are engineered to account for all known threats, which in the physical world is a relatively limited set. Once designed and implemented, they tend to be quite stable and change little over time.

Dynamic and unpredictable

Cybersecurity is different. For one, it is novel for railways, which have not typically assigned many people to it. And, unlike safety, it is more dynamic and unpredictable. The ever-shifting state of cybersecurity is reflected, for instance, in the ongoing efforts of regulators to keep up.

The European Union’s NIS Directive and EU Cybersecurity Strategy were a wake-up call and have been key to ensuring that budgets are available for cybersecurity. But standards such as EN50701 – which will be available in early 2021 and builds on best practices such as IEC62443 – are constantly evolving, and the industry is relatively short of best practices for combating the latest threats.

Traditional approaches to cybersecurity have tended to treat the problem in an analogous way to security systems in the physical world, by securing the perimeter. In the early days of computer systems, the wide area network played a small part — so a firewall was sufficient as the primary security tool.

As railways embrace the Internet of Things (IoT) and the cloud, the number of sensors and data points will grow exponentially. With the addition of each new digital sub-system, new potential attack vectors open. Attacks can come from anywhere inside or outside the network. They may also be automated. Some of the most notable in recent years have taken control of hundreds of thousands of IoT devices across the internet — some even within the networks under attack — to carry out distributed denial of service (DDoS) attacks.

Traditional security is not enough

The lesson is that traditional security management, which defends against known threats, is not enough on its own. Existing security information and event management (SIEM) must be complemented by cognitive security analytics for context-aware detection and response. Analytics-driven defenses take a more holistic approach to collecting and analyzing data from a wider range of sources. This gives them the ability to contextualize threats for more accurate identification and improved response times. In some cases, it even enables them to anticipate threats.

For example, a DDoS attack is hard and expensive to neutralize because it overwhelms the defenses by attacking from many sources at the same time. By contrast, by collecting data from all over the internet, cognitive analytics can understand the larger pattern and recognize it as an attack, regardless of whether it is coming from inside or outside the network and no matter how many endpoints are involved.
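The point about recognising the larger pattern can be made concrete with a small detection. The following is an added example, not code from the article or from Nokia: it runs a classic per-source rate rule and an aggregate, cross-source rule over the same constructed access records. The addresses, host names, the assumed internal address range (10.0.0.0/8) and the thresholds are all assumptions chosen for illustration. Each source sends only a handful of requests, so the per-source rule stays silent, while the aggregate rule, which counts requests and distinct sources per target and window, flags the flood and reports how many of the sources sit inside the operator's own network.

```python
"""Added example (not from the article): per-source rate alerting versus
aggregate, cross-source correlation over the same constructed log slice."""
from collections import defaultdict
import ipaddress

# Assumed operator address space; real deployments would load this from inventory.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def build_sample_log():
    """Constructed sample: a 10-second slice of web front-end access records
    as (timestamp_seconds, source_ip, target_host) tuples."""
    log = []
    # 120 external sources plus 30 devices inside the operator network,
    # each sending only 4 requests to the same host within the window.
    sources = [f"203.0.113.{i}" for i in range(1, 121)]
    sources += [f"10.20.0.{i}" for i in range(1, 31)]
    for n, src in enumerate(sources):
        for k in range(4):
            log.append((n % 10 + k * 0.25, src, "ticketing.example"))
    # Benign background traffic from one client to another host.
    for k in range(20):
        log.append((k * 0.5, "198.51.100.7", "timetable.example"))
    return log


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def per_source_alerts(log, window=10, threshold=50):
    """Classic endpoint rule: alert on any single source that exceeds
    `threshold` requests in one window. Distributed floods slip under it."""
    counts = defaultdict(int)
    for ts, src, _target in log:
        counts[(src, int(ts // window) * window)] += 1
    return {src for (src, _start), c in counts.items() if c > threshold}


def aggregate_alerts(log, window=10, min_requests=300, min_sources=100):
    """Cross-source rule: group records by (target, window) and alert when
    both the request volume and the number of distinct sources are high,
    regardless of where the sources sit."""
    buckets = defaultdict(list)
    for ts, src, target in log:
        buckets[(target, int(ts // window) * window)].append(src)
    alerts = []
    for (target, start), srcs in sorted(buckets.items()):
        distinct = set(srcs)
        if len(srcs) >= min_requests and len(distinct) >= min_sources:
            internal = sum(1 for s in distinct if is_internal(s))
            alerts.append({
                "target": target,
                "window_start": start,
                "requests": len(srcs),
                "distinct_sources": len(distinct),
                "internal_sources": internal,
                "external_sources": len(distinct) - internal,
            })
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source alerts:", per_source_alerts(log) or "none")
    for alert in aggregate_alerts(log):
        print("aggregate alert:", alert)
```

The thresholds here are deliberately simple; a production analytics pipeline would baseline normal volume per target and hour, and would correlate with other telemetry before paging anyone. The useful part is the shape of the second rule: it keys on the target and the window, not on the individual source, so the count of distinct sources becomes a signal rather than a way for the attack to hide.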

Cognitive analytics are also important for achieving automation. Security operations, analytics and response (SOAR) can automate response workflows to make threat-related analytics data immediately available to stakeholders, as well as prioritizing which threats need to be addressed. Based on AI and machine learning, these programs can also learn from historical data patterns to better predict potential issues before they happen, enabling a proactive approach to system security.

Defense in depth

Security analytics can be implemented end-to-end with security-related data being collected from across the network, connected devices and the cloud. Beyond the operation of the communications network, a security strategy should also cover business processes, incident response plans, regulations and policies. SOAR-based security approaches can measure compliance across multiple systems in real time and automate the updating of networks and devices to meet the best-practice standards set by regulators.
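Measuring compliance across many systems and queuing the updates that bring them into line is the kind of workflow a SOAR playbook automates. The following is an added example, not code from the article or from Nokia: a constructed fleet of device records is checked against an assumed best-practice baseline (SSH-only management, no default credentials, a minimum firmware version, event forwarding to the SIEM), a compliance figure is computed, and each device's findings are split into settings a playbook can push immediately and changes that need a maintenance window. The device identifiers, settings and baseline values are all illustrative assumptions.

```python
"""Added example (not from the article): continuous compliance check of a
constructed device fleet against an assumed baseline, with a remediation plan."""

MIN_FIRMWARE = (2, 4, 0)  # assumed minimum version for the baseline


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


# (setting, predicate that passes when compliant, required value for the report)
CHECKS = [
    ("remote_management", lambda v: v == "ssh", "ssh"),
    ("default_credentials", lambda v: v is False, False),
    ("firmware", lambda v: parse_version(v) >= MIN_FIRMWARE, "2.4.0"),
    ("syslog_forwarding", lambda v: v is True, True),
]

# Settings a playbook may push on its own versus those needing a change window.
AUTO_FIXABLE = {"remote_management", "syslog_forwarding"}

# Constructed device inventory.
DEVICES = [
    {"id": "wayside-01", "remote_management": "ssh", "default_credentials": False,
     "firmware": "2.5.1", "syslog_forwarding": True},
    {"id": "wayside-02", "remote_management": "telnet", "default_credentials": True,
     "firmware": "2.1.0", "syslog_forwarding": False},
    {"id": "cctv-17", "remote_management": "ssh", "default_credentials": False,
     "firmware": "2.3.9", "syslog_forwarding": True},
]


def findings(device):
    """List of (setting, current value, required value) for every failed check."""
    return [(key, device[key], required)
            for key, ok, required in CHECKS if not ok(device[key])]


def fleet_report(devices):
    """Compliance percentage plus per-device findings, as a dashboard would show."""
    report = {d["id"]: findings(d) for d in devices}
    compliant = sum(1 for f in report.values() if not f)
    return {"compliance_pct": round(100 * compliant / len(devices)),
            "findings": report}


def plan_remediation(device):
    """Split a device's findings into immediate pushes and scheduled work."""
    plan = {"auto": [], "scheduled": []}
    for key, _current, _required in findings(device):
        plan["auto" if key in AUTO_FIXABLE else "scheduled"].append(key)
    return plan


if __name__ == "__main__":
    report = fleet_report(DEVICES)
    print(f"fleet compliance: {report['compliance_pct']}%")
    for device in DEVICES:
        print(device["id"], plan_remediation(device))
```

Keeping the auto-fixable set explicit is the design point: automation speeds up the routine pushes, while firmware upgrades and credential changes on safety-relevant equipment still go through a change window, so the playbook never takes a wayside device offline on its own.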

The digital railways of the future are already being built today. But operators must embrace both the light and dark sides of this shift. Streamlined, efficient operations, automated trains and a 360° view of the passenger’s digital experience must go hand in hand with a strong digital defense. This means closing the digital skills gap, complying with new security regulations and implementing best cybersecurity practices – borrowing, if necessary, from other industries that have a longer digital operations history.

As part of defense in depth, analytics and automation of cybersecurity systems are critical for handling the complexity affordably, keeping ahead of the threats and ensuring the safe operation of the digital railways of the future.


Karsten Oberle acts globally as head of Rail within Transportation Sales in the Nokia Enterprise TEPS (Transportation, Energy and Public Sector) Division. As head of rail, he is responsible for expanding Nokia’s business in the railway sector with a current focus on the future of rail communication (e.g. FRMCS, 5G), cybersecurity for railways and IoT for railways. This includes building and managing new sales programs, steering of global business development activities and guiding regional sales and marketing teams on customer engagements.