Cyberattacks pose serious threat and cause problems to rail operations, say experts

Cybersecurity threats to rail operations are a pressing issue that will get more serious, a panel of experts said on Tuesday (Oct 22).

These threats, which are exacerbated by issues such as legacy components in the transport system, will need to be addressed to safeguard the safety of commuters on trains, said the panel, which includes the Land Transport Authority's (LTA) chief information security officer Huang Shao Fei.

Mr Huang, along with SBS Transit's head of rail development Jeffrey Sim and Thales' cyber-security expert for transport Benoit Bruyere, were speaking at a panel discussion on cybersecurity for rail at the 26th Intelligent Transport Systems World Congress on Tuesday.

Thales, a French company that offers services such as software manufacturing, supplies the signalling system for the North-South Line and East-West Line in Singapore.

[[nid:463508]]

The discussion was moderated by Associate Professor Park Byung Joon of the Singapore University of Social Sciences.

The experts' comments come in the light of Transport Minister Khaw Boon Wan's call for more attention to cybersecurity in intelligent transport systems.

During his opening address at the congress on Monday, Mr Khaw said these systems can be vulnerable to cyberattacks that can compromise personal data or public safety.

Speaking on Tuesday, LTA's Mr Huang noted that transport systems, especially the legacy systems, were not designed for digitalisation.

He added: "If you look at how (the cyberthreat to rail operations) is evolving, it is going to become even more nefarious, more serious."

Although he did not say whether such attacks have happened on Singapore's rail system, he said hackers have the resources and capability to pose a real threat.

"They are far ahead of us, whether you like it or not," he said.

"There will never be a situation where we can catch up with them, and really the worry is that they have something up their sleeves which we are not even aware of."

[[nid:463398]]

He also said that another concern was with the supply chain in train systems, given how suppliers sometimes depend on other firms to manufacture certain parts in their products.

"But that is really one of the worries right, you do not really know how to certify the security of these components that go into these boards and cards that you put into the railway system," he said.

According to The Cyberthreat Handbook by Thales and cyber-intelligence firm Verint that was published earlier this month for cybersecurity stakeholders, the transport sector is the fourth-most targeted sector by cyberattackers.

It comes behind the government/defence, finance and energy sectors.

SBS' Mr Sim said that beyond defending against cyberattacks, operators will have to prepare to respond when their defences are breached.

Staff should be trained to identify signs of cyberattacks and take appropriate steps to contain the threats, he said.

"For example, you might think it is a signalling incident that caused line-wide disruption perhaps, but at which point would you then have your (cybersecurity) instinct kick in and say this is perhaps something more pervasive?"

"Looking at an issue from a cyber-security perspective is totally different from looking at it from a system fault perspective," he said.

[[nid:465276]]

In separate presentations and panel discussions on cybersecurity in transport systems on Tuesday, experts at the congress discussed the security backlash that might come with advances in transport technology.

They warned that smart vehicles linked to transport infrastructure are another node in interconnected systems that bad actors or cyberattackers can physically access.

This means that instead of trying to enter a network through malicious software or other established cyberattack methods such as phishing, criminals can enter networks illegally from these vehicles.

In a presentation, the CEO of transport cybersecurity firm Arilou Technologies, Mr Ziv Levi, said: "What this means (is that) because cars are actually in the public domain, so a hacker, an attacker or an enemy can get physical access really easily. You can think about it as if the hacker always has physical access to your network.

"So unlike an internal organisation network or cloud services, where you assume somebody needs to hack something remotely, in the case of the automotive environment, in many cases, somebody can just buy a car... and he's immediately part of your network."

He added that when it comes to cybersecurity, teams designing systems in the transport field need to always assume bad actors have access to all the required data they need to enter their networks, and thus design them with security in mind.

But the experts agreed that when it comes to cybersecurity, it is impossible to eliminate risk and guarantee that a system will not be breached.

Instead, governments, companies and other stakeholders should invest in ways to reduce and manage that risk.

Mr Josh Johnson, director of the critical systems department at American research organisation Southwest Research Institute, said: "It is a false assumption to think that we can ever be 100 per cent secure.

"It is about picking the low-hanging fruit, doing a risk assessment on the most critical risks and vulnerabilities, and addressing those."

This article was first published in The Straits Times. Permission required for reproduction.