It wasn’t long ago that cybersecurity was merely an afterthought for railway organizations. Today, leaders in the European railway industry have launched a variety of innovative initiatives to improve their security posture. However, as the threat of cyber attacks continues to rise, there is still much to be done to fortify railway safety.
Our first guest on our “Conversations With Industry Experts” series is Antonio Lopez, a railway veteran with 40 years of experience in the European railway system including in Spain, and former CSIRT Workstream leader of 4SECURail, a two-year Shift2Rail initiative that brought cybersecurity to the forefront of European railways.
Antonio, who launched 4SECURail in January 2020 in Barcelona, has been serving as General Manager of HIT Rail for the past 7 years. HIT Rail facilitates secure and efficient data sharing and communications for the European railway community. With a career spanning four decades, Antonio has experienced first-hand the evolution of railway technologies, and the ways advanced systems expose railway organizations to cyber risk.
Our VP of Customer Relations, former CISO of Israel Railways, and the former advisor on behalf of Cervello to the 4SECURail initiative, Israel Baron, sat down with Antonio to ask him about the current state of railway cybersecurity, and what measures are necessary to improve it.
Note: This interview has been lightly edited for length and clarity.
Israel Baron: Hello, Antonio. Thanks for taking the time to chat with us. Can you start by telling us about your background and professional expertise?
Antonio Lopez: Thanks, Israel. My name is Antonio Lopez and I’ve been working in the European Transportation Sector for the past 40 years. I began in the airline industry and, for the next 30 years, I made the switch to railways. My background is in IT. I worked in the Spanish railway system in different positions for several years, and eventually joined HIT Rail, providing connectivity and IT services to the European railway sector.
IB: You must have seen vast change as the industry transitioned from legacy railway signaling environments to IoT devices, IT networks, DTCS, GSM-R, and cellular communication lines. What do you think are the advantages and disadvantages of this technology shift?
AL: There are four big advantages. The first is that the digitalization of the railway simplifies system integration, which then improves the efficiency and sustainability of railway processes. The second advantage is that these upgrades have made the industry more competitive for railway operators. The third is the cost-saving element; even if digitalization may require some initial investment, it is worthwhile in the long run. Finally, the fourth big advantage is that it will improve operational efficiency.
Meanwhile, there are two major disadvantages. The first is in the operational area, in which the systems are quite old and the cost of adapting these legacy systems is significant. The second is, of course, the increased risk of cyberattacks –and without proper cybersecurity protocols in place, this will become a serious problem.
IB: Do you view all of the systems in the railway environment as isolated or connected? I’ve spoken with many high-level managers in the industry who still believe that each system stands alone, and that there is no internet connection in the signaling systems. As a result, they don’t recognize the threat of cyber attacks. What’s your take on it?
AL: They are not wrong in that; there is still a strong separation between the operational technology (OT) systems and the IT systems. But mostly, I believe the issue lies in the different mindsets at play between railway operators and infrastructure managers.
Infrastructure managers want to maintain safety and operational activities — business has to run as usual. Meanwhile, the goals of railway operators are to be strong competitors in the transportation market. The big question is how these two stakeholders — railway operators and infrastructure managers — can cooperate at a national level to protect systems against cyberattacks.
Cooperation between those who work in the IT and in the OT is crucial, because even though each system may belong to a different vendor, the systems are somehow interconnected; they need to exchange messages and work together for the railway system to perform more efficiently. If infrastructure managers and railway operators don’t work together to secure their systems from cyber threats, it leaves all mission-critical assets vulnerable to cyber attacks.
The main problem between the IT, OT, and signaling systems is that there are a lot of assets distributed all over the railway tracks, which are spread out all over the continent. They are quite isolated, without any centralized control, and all systems are not prepared for cyber attacks.
IB: What happens when there is a cyber attack on the mission-critical railway assets? Who is responsible then? Is the security manager responsible for both the IT and the OT?
AL: As I said, those systems are still acting as separate entities. As far as basic cyber procedures for dealing with incidents, in OT and IT, those exist and the people responsible for the security are very dedicated and good at dealing with the day-to-day incidents in order to keep the business running.
However, these teams are usually more reactive than proactive. They react to attacks instead of preventing potential attacks. They strongly depend and put the responsibility on the suppliers of the attacked systems because, even though the infrastructure managers are responsible for running the systems, they believe the suppliers are responsible for securing them. Another issue with the way railway cybersecurity is being handled is on the side of the “threat intelligence” — analyzing the information we have, connecting the dots, and setting up the process to integrate more sophisticated cybersecurity measures is essential and it’s not yet where it needs to be in Europe.
IB: I’m seeing that governments and companies alike are engaging in cybersecurity discussions. They are up-to-date on the news and aware of the severity of a potential threat. But when it comes to action, they don’t do much to change the situation. What do you think needs to happen for policymakers and organizations to wake up and take cybersecurity more seriously?
AL: On the organizations’ side, basically what I believe is stopping them, is the lack of in-house expertise to run the necessary processes, this prevents them from making the investment. The breaking point between awareness and implementation is the lack of expertise and it’s becoming very critical in the railway industry. The best way to enforce a cybersecurity practice is with security-by-design, meaning it should be included in the design of the system. There is also a strong need to change mindsets. Organizations are more concerned about safety and the operational situation, but I agree that cybersecurity isn’t fully included in the plans and it needs to be.
Now, on the government’s side, I think policymakers need to establish clear standards, clear regulations, and provide enough resources to help the industry upgrade its existing legacy systems. There is a huge amount of investment dedicated to tracks, software, and hardware. We need to push for a massive investment in updating these systems so they are connected but also protected. Governments need to provide organizations with the right tools and resources, and encourage them to be proactive about their cybersecurity — not just wait for an attack to happen. They have to look at potential events and think like the hackers in order to set up the right cybersecurity measures.
IB: If organizations had the right tools to check their security posture, and perform threat and vulnerability assessments to have a clear understanding of their system, would it be easier for them to implement countermeasures?
AL: Absolutely. It would definitely help to start with understanding the consequences of possible attacks. But at the moment, there is still a gap between strategy and implementation. The latter needs people, expertise, processes, and money. Typically, however, when organizations have a clear goal, finding the money for it isn’t a big issue.
IB: This is touching on a very relevant point. I’ve witnessed that companies usually don’t have the capabilities to understand what they face and so, they won’t invest in it. But, if you go to CISOs and to the board with a very clear threat assessment report, you will get the money.
AL: Yes. Another important challenge is how to find the right balance between maintaining railway operations and efficiency while boosting cybersecurity. Imagine you have to keep the railways running, be efficient, and be cyber secure — that is something that is very difficult and daunting to railway operators and infra managers.
IB: Yes, but you know, I worked in the Israeli Ministry of Defense and we were responsible for securing many military systems. We understood that cybersecurity could never be allowed to stop systems from operating. The cybersecurity systems operated in the background, but the priority was always on the operational capability. We know that with railways, it’s the same. The operational capability cannot be jeopardized by cybersecurity.
What do you think is the next step for European railway organizations?
AL: The next step is establishing clear standards, clear policies, and a change of mindset. These three layers must work together. Cybersecurity needs to be integrated in the overall body of the operation, not just act as an additional box in the middle of nowhere. You can’t just rely only on the suppliers. It is a mindset and it needs to be part of everyday business processes.
Thank you to Antonio for your time and perspective. If you are interested in participating in our “Conversations With Industry Experts” series, please fill out the form below.