16 Oct 2023

From IT security to resilience: holistic thinking arrives in the rail sector

Resistance to external disruptive factors must be thought of holistically - cyber security a central topic at IT-TRANS

At the end of October 2022, Danish State Railways (DSB) had to stop all operations on Zealand for several hours. Hackers had cracked the test environment of an operation-critical train driver app. Because it could not be ruled out at first that other areas were affected, train services were shut down as a precaution - a nightmare for DSB.

Digitalisation and security: where processes are left to computers, the risk of hacker attacks unfortunately also increases - this has long been clear to the railway sector, too. By now, however, the sector no longer counters these risks with cybersecurity concepts alone. Instead, the term "technical resilience" is doing the rounds. This is understood to mean security concepts that are far more comprehensive than before. "Today’s security concepts must be far more comprehensive than ever before. The topic of resilience will therefore take centre stage at the upcoming IT-TRANS 2024. Many of our exhibitors offer sophisticated concepts – and IT-TRANS is the proven route to connect suppliers, customers and partners who can learn from each other and identify synergies," says Markus Kocea, Senior Product Manager of IT-TRANS. About 280 exhibitors are expected to present solutions in the areas of cyber security, big data and artificial intelligence in public transport, among others.

On the topic of rail traffic, Frauscher Sensortechnik from St. Marienkirchen in Austria presented a good example this summer: Together with the University of Applied Sciences St. Pölten, the company has developed a solution to fend off attacks on sensors on axle counters. The system learns with every attack - this is made possible by machine learning and deep learning, methods of artificial intelligence (AI). It is also becoming increasingly important for medium-sized companies to offer such solutions. One reason is that large vehicle manufacturers such as Siemens Mobility and Alstom - which are working intensively with AI - are demanding more and more proof of cyber security from suppliers.

An effective strategy to overcome such challenges is called security by design. This means that security is already considered during product development instead of being retrofitted afterwards. Security by design is also playing a growing role in the rail sector, says Gottfried Greschner, CEO of INIT - the company offers security IT for the mobility sector. However, one should not forget that the railway sector is in a "transitional period". Partly because of their long service life, many old systems are still in use "that do not map these safety-relevant processes". The topic of retrofitting will therefore continue to accompany the rail industry.

New digital connectivity solutions are, however, already pushing into the market today. They are important, for example, for expanding modern train control systems such as ETCS or the digital train radio FRMCS. In addition, cloud computing and new mobile communications standards offer more comfort, not least for passengers. So that the infrastructure along the track and in the vehicle does not have to be built several times over for such solutions, the company Sysgo has built a platform on which all data exchange can be controlled centrally. Information security and data transmission are ensured by a "strict encapsulation and separation of all communication channels", says Oliver Kühlert, Head of Innovation Lab at the company. Sysgo is already successful with such a platform in the automotive industry.

However, the term resilience does not refer exclusively to digital security. Rather, it also refers to the protection of analogue critical infrastructure such as rails or the entire operating technology - experts refer to this as operational security (OT). The attack in October 2022 in northern Germany, in which fibre optic cables were damaged and communication between control centres was disrupted, showed that there are risks here as well.

In the railway sector, therefore, there is now a move towards thinking about security in a more holistic way - we are talking about IT/OT security. The German Centre for Rail Transport Research (DZSF), for example, has already dealt with this topic. The result of a DZSF study: many railway companies would like the Federal Office for Information Security (BSI) to play a more prominent role in the rail sector because current standards such as KritisV or EN 50657 are perceived as too general.

It is certain that at least IT security will continue to keep the railway sector busy in the future. A survey by Trend Micro, a provider of cyber security solutions, showed that 63 percent of the companies surveyed want to invest more in their IT security. However, this can only be really efficient if OT security keeps pace. The Federal Ministry of Transport and Deutsche Bahn have already announced measures: partly because of the attacks in northern Germany, cameras and sensors are to be set up along routes, and security is to be strengthened by police and security services. In this way, IT and OT security are growing ever closer together.

Whether it's a pandemic, energy crisis, hacker attacks or other unforeseen events, modern software solutions mean the public transport sector can be better prepared to react, and protect its infrastructure and IT systems. Exhibitors such as Funkwerk Security Solutions or Stahl Computertechnik will be on site at IT-TRANS to present their IT security solutions.
