More than 200,000 victims across 150 countries were affected, and although a coding glitch allowed it to be intercepted after just a few days, the attack served as a startling warning that our physical assets are just as vulnerable to cyber invasion as our virtual assets.
Since WannaCry, a lot has happened to warrant further concern. We’ve seen internet connectivity being added to thousands of new assets to improve their efficiency and functionality. The number of internet of things (IoT) devices grew 31 per cent year-on-year in 2017, and by 2020 as many as 30 billion devices could be connected to the internet.
Within rail, the IoT revolution has been particularly pervasive, and it is set to become more so with the rise of automation and new and enhanced capabilities such as fifth generation (5G) broadband.
“The reliance on wireless networks to manage assets, including their critical safety features, exposes the rail industry to new levels of risk”, says Dr. Ernest Foo, Senior Lecturer at the University of Technology, Queensland – ahead of the RISSB Rail Cyber Security Conference.
“Once a hacker has successfully penetrated a network, they may gain control over the physical infrastructure also. This may manifest as altering the function or speed of a train, perhaps preventing its brakes or doors from operating. We’re talking significant dollar values worth of potential damage and human lives at stake”.
“As demonstrated by the WannaCry attack, it is not unrealistic to imagine a scenario in which entire train systems are hijacked by ransomware and held hostage”, he adds.
Aurizon’s Şebnem Kürklü is also concerned about the risks to the industry. “Recently we’ve seen a growing trend in the adoption of IoT and data analytics through Software as a Service (SaaS) within rail. While both these capabilities have enormous benefits, procurers do need to be mindful of the providers they choose”.
“Target markets often determine the level of sophistication and security capabilities included in these products and services. It’s important to read the fine print and understand how the risks are mitigated in such contracts”.
Şebnem adds, “It’s logical, but many companies overlook this when beginning their digital transformation process. The emphasis on achieving business outcomes, such as faster transformation, greater profit, improved safety, etc., may lead executives to choose certain IoT devices or SaaS providers who are promising these things, but who may not be as advanced in terms of cyber security capabilities”.
However, Şebnem adds that it’s important the sector isn’t held back by fear. “If the rail industry hadn’t moved on from steam trains back in the 1950s then it would have been disrupted years ago. Instead of pulling back and inhibiting our progress, we need to collaborate together on this shared problem and work out how we can balance the trade-off between improved customer experience and risk aversion”.
“In doing this, I would really encourage rail organisations to make sure that all members of staff are savvy in this space and fully aware of the types of risks they need to be mindful of when driving business improvement outcomes”.
Dr. Ernest Foo and Şebnem Kürklü are among a lineup of industry experts to address the RISSB Rail Cyber Security Conference, held 11-12 September 2018 in Brisbane, where discussions will focus on the very latest risks threatening the sector and the strategies being used to overcome them.