Transport operations are being shaped by the accelerated developments in technology and the realized benefits of the Internet and data. The challenge lies in achieving a digital transformation without jeopardizing the operational safety or exposing it to security vulnerabilities, all while addressing cybersecurity concerns and being cyber resilient.
Transport operators are under pressure to improve all elements in operations and service delivery while being measured on profitability. In a digital age, especially as connectivity becomes more widespread, stakeholders in the transport sector require accurate and timely information that allows them to make informed decisions faster.
Two concepts are commonly referred to in the cybersecurity world: (1) Security Levels and Maturity Levels from the IEC 62443 standard, and (2) the defence in depth concept.
IEC 62443 is a series of international standards for securing Industrial Automation and Control Systems (IACS). An increasing range of technologies and processes are designed to comply with such standards, where every stage of the value chain and stakeholder is covered to enable standardized risk assessments and mitigation measures.
Recognizing that not every system is equally critical, IEC 62443 defines four security levels (SL): from SL 1 (resistant to coincidental violations) to SL 4 (resistant against nation-state attacks). This applies to the component or system level and is something that many railway experts recognize as the security equivalent of the Safety Integrity Levels (SIL). Similarly, Maturity Levels (ML) are defined from ML 1 (ad-hoc processes) to ML 4 (evidence of documentation, process, practice and continuous improvement). These levels allow a clear and easily understood expectation of an organisation’s security posture.
We can improve our cybersecurity posture by applying a defence in depth approach. Defence in depth is the concept of protecting a network with a series of defensive mechanisms such that, if one mechanism fails, another will already be in place to thwart an attack. Because there are so many potential attackers with such a wide variety of attack methods available, there is no single method for successfully protecting a network.
Applying a defence in depth strategy will significantly reduce the risk of having a successful and likely very costly attack on a network. As the leading actor for accidents and faults, the “people” aspect is paramount to drive strong processes, the next pillar. “Processes” and standards need to be properly defined to protect against unintentional errors and form a baseline for the handling of threats and managing controls. “Technology” is the use of hardware (such as data diodes) and software solutions and strategies to achieve a cyber secure system.
An overall defence in depth approach builds on a union of people, processes, and technology. Each pillar and its implementation will be unique to every organisation as they will have security levels and maturity levels. As we push and strive for innovation and transformation in our transport sector, we must recognise the importance of a holistic cybersecure strategy.
Image: Pillars of Cybersecurity – People, Process and Technology. Source: Siemens