Rail cybersecurity: beyond the basics
There has been a groundswell of practical activity on UK rail’s cyber assurance work so far in 2024, says Rock Rail’s George Bearfield.
George Bearfield, Director of Health, Safety and Cyber Security, Rock Rail, and Chair of the Asset Integrity Group, RSSB
George Bearfield’s experience in rail safety and risk management stretches back decades. But five years ago, he joined Rock Rail, where cybersecurity also became part of his remit. We caught up with George, who is also chair of the cross-industry Asset Integrity Group, to glean insights from that learning curve.
What does your role as Health, Safety and Cybersecurity Director at Rock Rail entail?
My background is in safety and risk management. I’ve been working in this field for around 25–30 years, including 13 at RSSB, where I was the safety director.
Rock Rail is a rolling stock leasing company and asset manager. It’s building assets for the future—for at least 30 years from now. I came on board here to ensure that health and safety were considered through the whole lifecycle of a project—sort of baked into the assets—and part of the strategic requirements and objectives for our train fleets.
My other areas of focus are cybersecurity, and environment, sustainability, and governance. Basically, I’m involved in the areas where we have a strong organisational purpose and legal and contractual compliance to manage.
What was the attraction of moving to Rock Rail?
I wanted to keep developing and learning new things, and that’s exactly what the role offered. My role here allows me to use the skills I developed in previous positions in a slightly different way, while also learning new skills.
Also, Rock has a direct ‘stake’ in the railway, so I’m closer to the railway than I’ve been previously. A small example: we get the chance to go to depots and manufacturing sites to engage firsthand with rail assets and the workforce. That’s so much more productive than just reviewing documentation.
Was cybersecurity the new experience you were looking for?
Yes, but not intentionally. I am always horizon scanning for future risks. When I joined Rock five years ago, I began looking at the risks that might emerge over the life of its assets. Rock’s newer generation of trains has a lot of on-board and wayside communication networks, so cybersecurity was one of those future risks. I therefore needed to develop a good understanding of the topic. This is also something the whole industry is having to grapple with and start building competencies in—and that’ll continue well into the future as it’s such a dynamic area.
What have you learnt about cybersecurity since you joined Rock Rail?
I’ve learnt about some of the technical aspects of how you make assets secure. I’ve also learnt a lot about the nature of the threat.
We’re living in a difficult geopolitical environment. So, we need to understand the world around us, how it’s developing, and the associated risks. Rolling stock is critical national infrastructure and is therefore of interest to those with malign purposes.
As the National Cyber Security Centre has recently warned, other countries are sounding out our assets and our defences, trying to work out what footholds they can get in them for strategic advantage.
You said ‘the whole industry is having to grapple with’ cybersecurity. What are you seeing?
In the last few months, I’ve noticed a groundswell of focus, interest, and activity. This year I’ve really seen how rail companies are now looking to make practical improvements.
Should industry still be focusing on cybersecurity fundamentals, e.g., password management?
Absolutely. I’ve dug deep into systems to try to understand what the issues are. But what I’ve realised, at one level, is that rail companies need to start with the basics. Cybersecurity fundamentals—for example, password management, staff vetting, phishing awareness—are still relevant. Doing the basics well should be most people’s priority.
Whether you’re talking about the cybersecurity of trains or an office environment, a lot of the issues are the same. But the industry does have a long-term strategic need to understand how we protect the hard technology with additional controls, too.
Does Rock Rail have cybersecurity insights that rail companies can tap into, even if they’re not one of your clients?
The most important one is to get incentives aligned. Rock has been helping to create a safe environment where the industry can talk about cybersecurity without fear of the information leaking out. Having such a space can facilitate collaboration on defences to make sure rail companies are up to the task of staying secure.
Is the Asset Integrity Group, which you chair, a forum to have these conversations?
It’s one of them. The Asset Integrity Group (AIG) and RSSB, which facilitates it, are doing work on cybersecurity. They’re looking to develop cybersecurity guidance for duty holders and suppliers so they understand the industry’s strategy to manage cyber risk. Rail standards, underpinned by RSSB research, could be developed over time.
I would describe the AIG as a supporting group, though, which does complementary work on cybersecurity and seeks to encourage collaboration and good practice sharing. The Rail Cyber Security Strategy is currently being re-cast by the Rail Cyber Security Committee, which is chaired by Peter Gibbons of Network Rail, so that should be the focal point for shared industry work.
Over time more rail companies seem to be working closely with the National Cyber Security Centre (NCSC), too. The NCSC, which is essentially the expert government group for critical infrastructure, facilitates a lot of the cybersecurity conversations. This structure gives everybody the confidence to put their cards on the table and have detailed discussions in an environment that’s secure. The NCSC also brings expertise to the table, which complements rail industry expertise.
So, it’s a question of how the rail industry works with the NCSC, and others, to leverage expertise and ultimately to get the most secure rail assets.
If someone wanted to join these cybersecurity conversations, where should they go?
The Rail Information Exchange, which is facilitated by the NCSC, is a good place to start.
Are there any cyberattacks industry can learn from?
All trains operated by Danske Statsbaner (DSB), the largest train operating company in both Denmark and Scandinavia, came to a standstill in 2022 due to a ransomware attack on a subcontractor. This is the type of threat GB rail must prepare for.
Having a significant number of inoperable trains jeopardises safety. It can cause detraining; slips, trips, and falls; overcrowding; and passenger assaults. What’s more, there’s the potential for train accidents caused by more trains approaching red signals.
If we were to see high-profile cybersecurity incidents in the next few years, I would expect them to be like what DSB experienced, rather than anything operationally dramatic around the function of the trains, signalling, or signalling systems.
However, unfortunately, attackers are looking to do all those things. So, we must be vigilant about all sorts of attacks.