The railway industry operates under strict regulations, with software solutions expected to meet both safety and security requirements. While considerable focus is placed on safety-critical software, it raises the question: is security given equal priority? How is the industry managing the “elephant in the room”, tackling the significant challenge of bridging gaps in software standards and best practices related to security? Lucia Capogna, our Cyber Security and Software Assurance Team Leader, sets the scene and examines the current landscape surrounding these issues.
Digitalisation has been introduced exponentially across railway solutions in recent years.
The prevalence of this new technology means the rail network is more flexible and inter-connected. Railways are more advanced than ever before – they are easier to enhance and customize and more responsive to sub-system failures.
But with this digital evolution comes new and diverse risks that evolve over time – particularly in regard to cyber security.
What are the threats to the railway from cyber security?
The digital risks for the railway are higher than they ever have been. They are dangerous, with the potential to be highly damaging.
The ENISA 2023 report identified that one of the biggest threats comes from supply chain compromise of software dependencies. This is when malicious actors exploit flaws or defects in software, or inject malicious code into open source libraries, causing shutdowns of crucial services and infrastructure.
For the railway, this can play out through attacks on digital signalling, remote access for electrical isolations and even with the provision of Wi-Fi on trains.
The digital risk comes from the fact that rail systems are built to achieve targets around safety, reliability and functionality – but cyber security is addressed separately from system design and engineering.
Software standards in general do not address the cyber security requirements and often fail to provide recommendations on the development lifecycle and related activities.
Put simply, there is not a direct relationship between security levels (SL) and the safety integrity levels (SIL) protecting people from system failures – however, if it’s not secure, it’s not safe.
The current operational technology regulations for manufacturers and developers do not go far enough. They are high-level requirements that are not specific to railway applications, which makes it difficult to align them with associated software development lifecycles.
What is needed to address cyber security risks?
As the existing standards illustrate, generalised, high-level requirements for secure coding are not fit for railway purposes.
It means there needs to be a defined approach for different levels and stakeholders along the process.
Manufacturers and product suppliers need to integrate secure coding practice within the software development lifecycle.
Teams must identify software vulnerabilities in the software dependencies or existing software versions, and consider end of life or end of support for those dependencies.
Asset owners in turn need to add specific security requirements for software development lifecycles and best practice.
And the industry, as a whole, will need to develop a standard or guideline that covers both safety and security aspects apportioned to software components.
SYSTRA’s approach to cyber security integration
SYSTRA specialists provide a diversified set of services, from policy and strategy definition to planning and process definition and risk assessment.
We recognize cyber security threats and vulnerabilities span all lifecycle phases of a railway system, from the planning and design through to in-service use.
Poor implementation of digital assets can easily and unintentionally create cyber security vulnerabilities between infrastructure and rolling stock; between operations and asset data; and even interrupt operations along the project design and build supply chain.
Our Cyber Security and Software Assurance team operates cross-industry and across all organisational levels. This ranges from setting strategic vision to the definition of operational processes and the tactical review of designs/deliverables produced by others.
We carry out the work either as independents to support a third line of defence assurance regime or as acceptance of design and deliverables on our projects and programmes.
Managing cyber security and defining security requirements at the start saves time and costs down the track.
The rail industry needs to shift from a position where cyber security is an afterthought and an additional layer placed around a system, to one that is integrated throughout the design, build and ultimately operation of a system.
Cyber risks and threats are continually evolving. Failure to stay up-to-date in relation to the changing threat landscape means the rail industry risks not achieving value for money, best practice and an assured solution.