- As part of the 2017-18 Railway Safety Act Review
Prepared by: Critical Systems Labs
A study was undertaken to assist the 2017-18 Railway Safety Act (RSA)Review in assessing the treatment of cyber-security threats on rail safety by the RSA, its associated regulations, and supporting standards. This study reviews and examines:
- railway safety in a cyber-threat environment;
- existing railway regulations and standards; and
- cyber-security actions in other countries and transportation sectors.
The jurisdictions reviewed include: Canada, the US, the United Kingdom (UK), and the European Union (EU).
The typical rail control system is described and analyzed using a cyber-security perspective. This includes the types of attacks that these systems (e.g. Rail Control Center, wayside, or onboard) may face. Vulnerable bi-directional information communicated to wayside systems could be intercepted and used for physical terrorist attacks. Examples of attacks on safety-critical systems are provided.
An examination of international cyber-security efforts in other transportation sectors (e.g., aerospace, maritime and automotive) reveals that the EU is implementing cyber security legislation in 2018, while the UK and US have published cyber-security guidance for critical infrastructure (including railway transportation). In 2010, Public Safety Canada released two documents: the National Strategy for Critical Infrastructure and Canada’s Cyber Security Strategy.
Currently, no cyber-security standards exist for rail systems except for guidance documents from the American Public Transportation Association (APTA) and the UK Department for Transport. Although not specific to cyber-security, Transport Canada addresses rail security through a Memorandum of Understanding (MOU) with the Railway Association of Canada and through proposed changes to the transportation of dangerous goods (TDG) regulations.
This study makes five recommendations for changes to the RSA and its associated programs to address cyber-security:
- determine if existing transportation legislation covers cyber-security;
- clarify Transport Canada’s role within Canada's Cyber Security Strategy;
- establish a transportation sector cyber-security working group;
- publish cyber-security guidance for Transportation Systems; and
- extend the Railway Security MOU and proposed security amendments to the TDG regulations to require a cyber-component to rail operators’ security plans.
In conclusion, railway systems can be subject to cyber-attacks that can potentially disrupt railway operations and impact safety. They must integrate safety and security and be managed at the system level, not solely at the information technology (IT) level. While documents for Industrial Control Systems / Critical Infrastructure are available and generally applicable to railway control systems, they do not address the impact of cyber-security threats on safety.