Protecting your assets
Cyber security on the railway and software as a solution
Lewis Oaten, Chief Technology Officer, RazorSecure
We interviewed Lewis Oaten, CTO at RazorSecure, to get a technology-led perspective on interlinking rail safety and cybersecurity through safe and effective software development, installation, and (digital) maintenance. RazorSecure focusses on enhancing railway cyber security by protecting and monitoring networks and key systems.
Before joining RazorSecure you worked for a global engineering company, Lockheed Martin (LM). What similarities and differences have you seen in the way that they operate, and how did you end up moving from one to the other?
In one of my roles at LM, I was the technology lead for a cyber security innovation cluster with more than 70 companies under my remit. LM created this ecosystem to accelerate innovation through its supply chain. This gave me an opportunity to see best in class cyber security software and hardware solutions from high tech companies, of which RazorSecure was one. While every company in the cluster developed incredible technology, RazorSecure stood apart in its deep understanding of the industry context. That was eight years ago, and to this day it's still that rail context that underpins every one of our successful deliveries.
Development of safe and secure software can't be done in isolation; we need to build on collective knowledge, which is where standards and processes come in. But improvement of how we develop software, particularly accelerated timescales, requires a forward-thinking innovation and compatible framework. This ability to adapt is essential in the rapidly changing digital landscape, in transport and across wider society.
This is one of the reasons we are pleased to have the opportunity to be an RSSB member organisation. It also allows us to directly engage with the development of standards, shaping them to meet industry’s needs, today and in the future, while creating a framework for future product developments that enhance cyber security in rail.
What are the big changes you’ve seen in resilience and security during the past five years?
Internal and external focus on cyber threats to the sector has increased. Although these have always been a risk, it is only recently that discussions on resilience and security have really started to take form, with practical mitigation being put into place rather than suggestions for approaches on how cyber security risks may be reduced.
While there is a commercial and financial risk with trains being unable to run leading to penalty payments, there is also significant reputational risk for operators being unable to provide train services. This has heightened the awareness for robust cyber resilience to keep train services operational and protect operators.
I also see more and more software, hardware, and design patterns to technology transition from traditional IT into the operational technology environment. No longer is a modern train’s control and monitoring system, or signalling system, exclusively built on bespoke components. However, the context in which this technology operates is still radically different to IT environments, and as such the approach to securing it is different as well.
In your opinion, what are the threats to the rail sector and are we ready for the new, modern, and complex cyber-attacks?
Modern trains are becoming increasingly digitalised. Most on-board systems contain some form of software and external connectivity and with over 100 distinct networked devices on a modern train, there is an increasing number of opportunities for malicious activity. For example, the UK has seen a rise in urgent rail safety alerts due to the increasing complexity of software compatibility challenges and shortcomings in existing digital maintenance practices.
We have seen cyber security attacks lead to a variety of critical issues for the networks including service disruption and downtime, increased operational and compliance costs, reputational damage, data loss, and safety hazards. More than half of all cyber security incidents are caused by internal threats – whether from inadvertent poor practices (such as password sharing and human error) or malicious internal activity by employees.
To address the cyber security challenges in the rail sector, there are ongoing efforts to establish new standards and guidelines. One of these emerging standards is the IEC 63452, which focuses on cyber security for operational technology in automation and control systems. There is also the Network Information Security (NIS) Directive which was the first EU-wide legislation to cover cyber security in rail. Also in the US, there have been new Transportation Security Administration Security Directives aimed towards protecting higher-risk freight railroads, passenger rail, and rail transit. RazorSecure continues to provide individual experts to support these programmes.
RazorSecure plays an active role in shaping and defining cyber security standards for the rail industry, with some of my colleagues serving as members of drafting groups and committees for key domestic, European, and International standards.
Like RSSB, you are a partner in the UK Rail Research Innovation Network. How important is this type of collaboration for the rail industry?
Partnerships such as our partnership with UKRRIN play a vital role in the rail industry. Our collaboration provides a way of looking forward, which is particularly important when it comes to cyber security threats and understanding those which present the most risk to industry.
We have also been in a memorandum of understanding with the Birmingham Centre for Rail Research since summer 2022. One of our key collaboration projects has been our Transport Research and Innovation Grant funded Digital Maintenance project, under DfT and Connected Places Catapult funding. That has led to the development of our new secure digital maintenance product, the Digital Maintenance Gateway (DMG), and we’ve been shortlisted for this year's Rail Industry Association's RISE Innovation award.
What problems are you seeing while working with the rail industry, and how do you see that changing in the future?
We are witnessing a significant step-change in the rail industry’s approach to cyber security infrastructure. As rail becomes more digitised, there is an increasing number of cyber threats facing rail networks. Additionally, we have seen issues around legacy infrastructure which may not have been designed with modern cyber security in mind, leaving it vulnerable to cyber attack.
However, the expansion of new cyber security standards and regulations is seeing a widespread adoption of more efficient and secure policies and practices in relation to cyber security. There is a heightened awareness of the cyber risks facing rail stakeholders. Our work with customers is enabling an improved ability to identify, detect, protect, respond, and recover from any cyber security impact.
Our collaboration with the industry has been leading to an expansion in our products and services from Rail Asset Discovery and Monitoring, Rail-specific Intrusion Detection, to securing railway engineering practices through our new DMG. We are seeing a rapid uptake in interest towards our new DMG product, which I anticipate will be a big part of our contributions in the coming years. Enabling secure digital maintenance practices and reducing maintenance time and costs, the DMG is attracting interest globally. This solution is capable of integration with legacy and new build rail vehicles. We have recently exhibited at various events including Cyber Senate US, Middle East Rail, and the UK Smart Fleet Maintenance Summit, with interest in the DMG across various markets internationally.
Over the next few years, we hope to see the rail industry prioritise cyber security as the digitalisation of rail infrastructure continues. With the emergence of new cyber security regulatory standards over the coming years, we will continue to work collaboratively with customers to ease the burden of rapidly increasing cyber security demands.
How do standards support the work you do at RazorSecure, and what is your involvement in their development?
RazorSecure plays an active role in establishing and defining cyber security standards for the rail industry. These standards have been the benchmark for our comprehensive product portfolio. They have been developed holistically to align with established cyber security frameworks, ensuring smooth and efficient functioning of rail operations. Additionally, we are often ahead of the curve in terms of new standards being introduced, as the software and cyber security environments change rapidly, but the fundamentals of the standards are embedded in our business processes.
We contribute to domestic, European, and International standards and colleagues at RazorSecure are members of drafting groups and committees. These include GEL/9/-/6, the mirror committee for standards relating to cyber security, AI, and machine learning, and IEC TC 9 PT 63452, which is developing an international standard for railway applications cyber security based on CENELEC technical specification (TS) 50701.
What is the one message you would give to those in industry, from entry to executive level, to help keep their businesses secure in the years ahead?
To industry professionals of all levels in the rail industry, I would emphasise the importance of making small incremental changes. Cyber security is an ongoing, long-term journey, so don’t plan on solving everything at once. Begin by analysing the threat landscape through cyber risk analysis to gain valuable insights into the nature of the risks your business may face. The next move would be to implement ways of measuring the threat. This may come in the form of asset monitoring and intrusion detection systems to gain real time visibility into potential threats and vulnerabilities. From here you would be able to prioritise, implement, and monitor your mitigation efforts.
While technology is clearly an essential part of the solution, I would also encourage those in the industry to foster a culture that emphasises cyber security within your organisation, alongside having robust systems and adhering to regulatory standards. RazorSecure was founded on these principles and continues to uphold them. Working collaboratively with customers and industry partners, our solutions are strengthening the cyber infrastructure of the rail industry and we continue to grow, having doubled our size in the past year.