Insider: How Physical Security can Make Or Break Cyber Security


The Interconnected Nature of Railway Systems

I have worked across the railway for over 10 years now, and in that time I have visited countless railway sites up and down the UK. What is clear to me is that the level of security for those sites, and how easy it is to gain access to our railway depots and other ‘secure’ sites, varies significantly.

I have visited sites with great security, that require you to show personal or work ID at the gatehouse and who will only grant access if a meeting has been scheduled with somebody on site, who will come and collect you from the gatehouse. I have also visited sites (as recently as last month), where the security in the gatehouse waved at me and said good morning as I walked into the site, without asking who I am, why I am there and who I work for. 

Modern railway infrastructure is a complex web of physical and digital components working in harmony. Gone are the days when trains simply ran on tracks controlled by manual switches and signals. Today’s railway systems are highly integrated, with digital systems overseeing everything from train schedules to track maintenance.

This integration, while incredibly efficient, also creates potential vulnerabilities at the physical-digital interface. For instance, a seemingly innocuous physical breach could potentially compromise the entire digital network. It’s like leaving a window open in your house – it might seem small, but it could allow access to your entire home.

Physical Access: Gateways to Cyber Security Threats

When we think about cybersecurity, we often focus on computer networks, firewalls and antivirus software. However, the truth of the matter is, the human element of technology is what ALWAYS facilitates an attack.

Whether that be a design or configuration decision made during setup that later gets exploited, a judgement call on a vulnerability mitigation that backfires, or your physical security not matching your cyber security, it is always a human that lets it down somewhere. 

In railway systems, securing physical access points is just as crucial. These could be control rooms, signalling cabinets, or even vehicle maintenance locations. All of these locations are considered ‘secure’ sites, but I have witnessed first-hand the poor levels of security on all of them.

Unauthorised physical access to these locations can lead to serious cyber breaches. Imagine someone gaining entry to a control room – they could potentially access the entire railway region from there. It’s not just a hypothetical scenario either. There have been real-world incidents where physical security lapses led to cyber incidents in railway systems.

For example, in 2008, a 14-year-old Polish boy hacked into the Lodz tram system using a modified TV remote control. He gained physical access to the tram system and was able to change track points, causing chaos and even derailing four trams. This incident highlights how physical access can be a gateway to cyber threats, which can then go on to compromise physical safety.

Security & Physical Access: The First Line of Defence

The first line of defence in railway cybersecurity is often the physical protection of hardware. This includes control rooms, data centres, vehicles, depots, signalling and communication equipment to name a few. These locations are home to the backbone of the railway’s digital infrastructure, and their security is paramount.

Strategies for physical hardware protection can range from simple locked cabinets to security guards (who actually stop visitors and question their purpose) and sophisticated biometric access control systems. It’s not just about keeping unauthorised people out – it’s also about ensuring the equipment is protected from environmental threats like heat, dust, and moisture.

As mentioned above, I recently visited a railway depot (I was there for a scheduled meeting, I hasten to add), but I was not challenged at the gate and I was waved through, all because I was wearing an orange high-visibility vest and I walked with confidence. Once on the site, I had open access to various rail vehicles without hindrance. This kind of lackadaisical approach to physical security directly undermines the safety and security of the whole network that those vehicles, and any other vehicles that operator manages, operate on.

Personnel Security: The Insider Threat

While we focus on hardware, software and external attackers, we can’t forget about the rogue employee factor in railway security. The people who have access to sensitive areas of the railway system are both its greatest asset and potentially its biggest vulnerability.

Rigorous vetting processes for railway staff with access to sensitive areas are essential, yet none exist. This isn’t just about background checks – it’s about ongoing monitoring and regular security clearance reviews.

To liken the railway to aerospace for a second: if you wanted to gain unfettered access to an aircraft, at the very least you would need to have achieved ‘Security Clearance’ (SC) in national vetting, have had a background and credit check, and have been sponsored and authorised for airside access. All this because it is recognised that compromising an aircraft, which may go wrong at 35,000 feet and kill 250 people, cannot be allowed to happen because physical security was lacking.

So tell me, what checks are done for gaining access to a train that may be carrying 750 – 1,000 people at 125mph when it goes wrong? Well, in simple terms, nothing. That’s right. There are no mandated security clearances, background checks or anything else to gain access to a train or the wider railway network as an employee. It is down to each operator to define their own employment checks, if they bother with them at all. Scary, right?

We should be moving to an SC clearance level for all staff who have access to ‘sensitive’ sites, equipment or who work at an operator. This clearance should be reviewed on a regular basis and should be valid only as long as the person needs access to complete their role. 

Training programs on physical and cyber security awareness are also crucial. Staff need to understand the importance of security protocols, the potential consequences of lapses, and most critically – how to report a breach. It’s not enough to have rules – people need to understand why those rules exist.

Implementing rigorous access control systems and protocols is another key aspect of personnel security. This could involve key cards, biometric scanners, or even multi-factor authentication for accessing sensitive areas or systems.

Surveillance and Monitoring: Bridging Physical and Digital Security

Advanced CCTV systems play a vital role in bridging physical and digital security in railway systems. These aren’t just passive recording devices – modern systems can integrate with cyber threat detection systems to provide a comprehensive security overview.

The integration of physical surveillance with cyber threat detection is a game-changer in railway security. For instance, if an unauthorised access attempt is detected in the digital system, the physical surveillance system can immediately focus on relevant areas to identify potential intruders.

24/7 monitoring for both physical and digital threats is crucial in this integrated approach. It’s like having a vigilant guard who’s watching both the physical premises and the digital landscape simultaneously.
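
One way to implement the integration described above, as an added example that is not from the original article: failed logins on operational consoles are mapped to the zone the console sits in, the cameras covering that zone are selected for review, and the alert is escalated when the badge log shows nobody (or not the account owner) inside that zone. All zone names, console IDs, camera IDs, accounts and log entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed site model: zone of each console, cameras covering each zone.
CONSOLE_ZONE = {"sig-hmi-01": "signalling-room", "depot-diag-03": "maintenance-shed"}
ZONE_CAMERAS = {"signalling-room": ["cam-12", "cam-13"], "maintenance-shed": ["cam-20"]}
# Constructed badge events: (timestamp, badge holder, zone, direction)
BADGE_LOG = [
    ("2024-05-01T08:02:00", "e.jones", "signalling-room", "in"),
    ("2024-05-01T08:40:00", "e.jones", "signalling-room", "out"),
    ("2024-05-01T09:10:00", "a.khan", "maintenance-shed", "in"),
]
# Constructed console logins: (timestamp, console, account, outcome)
AUTH_LOG = [
    ("2024-05-01T08:15:00", "sig-hmi-01", "e.jones", "fail"),
    ("2024-05-01T09:05:00", "sig-hmi-01", "e.jones", "fail"),
    ("2024-05-01T09:20:00", "depot-diag-03", "m.smith", "fail"),
    ("2024-05-01T09:25:00", "depot-diag-03", "a.khan", "ok"),
]

def occupants(zone, when):
    """Badge holders recorded inside `zone` at `when`, replaying in/out events."""
    inside = set()
    for ts, who, z, direction in sorted(BADGE_LOG):
        if z != zone or datetime.fromisoformat(ts) > when:
            continue
        (inside.add if direction == "in" else inside.discard)(who)
    return inside

def correlate(auth_log):
    """Turn failed console logins into alerts that name the cameras to review."""
    alerts = []
    for ts, console, account, outcome in auth_log:
        if outcome != "fail":
            continue
        when = datetime.fromisoformat(ts)
        zone = CONSOLE_ZONE.get(console, "unknown")
        present = occupants(zone, when)
        if not present:
            severity = "high: nobody badged into zone"      # unbadged person or remote session
        elif account not in present:
            severity = "medium: account owner not in zone"  # shared or stolen credentials
        else:
            severity = "low: owner present"                 # likely a mistyped password
        alerts.append({"time": ts, "console": console, "zone": zone, "severity": severity,
                       "cameras": ZONE_CAMERAS.get(zone, []),
                       "review_from": (when - timedelta(minutes=5)).isoformat()})
    return alerts
```

The same correlation only works if the gate and door records are trustworthy, which is why an unchallenged walk-in undermines the digital alerting as well as the physical perimeter.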

Disaster Recovery: Physical Preparedness for Cyber Resilience

When we think about cybersecurity, we often focus on preventing attacks. However, being prepared for physical disasters that could impact cybersecurity is equally important. This could include natural disasters like floods or earthquakes, or man-made issues like power outages.

Having robust backup systems and redundancy in both physical and digital realms is crucial. If one system goes down, there needs to be a backup ready to take over seamlessly. This ensures continuity of operations even in the face of unexpected events.

Off-site secure locations play a vital role in ensuring this continuity. These locations can house backup systems and data, ready to be activated if the primary systems are compromised. It’s like having a spare key hidden outside your house – it ensures you can still get in if something goes wrong with your main access.

Conclusion

As we’ve seen, the physical security of railway sites is inextricably linked to cybersecurity in our increasingly connected world. By fortifying our physical defences, we create a robust foundation for digital protection. Remember, a chain is only as strong as its weakest link – and in the case of railway security, that link could be physical or digital. So, the next time you see a locked gate at a railway facility, know that it’s not just keeping trespassers out – it might just be safeguarding our entire digital railway infrastructure! Let’s work together to ensure our railways remain secure, both in the physical world and the cyber realm.

