Railway system hacking
News and information from the Advent IM team.
Earlier this week, The Times reported on apparent cyber attacks on our rail networks. Advent IM Security Consultant, Chris Cope, gives us his opinion.
Hacking attacks against rail infrastructure should come as no surprise. The move to connect industrial control systems to corporate networks has opened up a range of vulnerabilities. Many industrial control systems were designed in an age where security was not a top priority, but given that they had little or no connectivity to the wider organisation, let alone the internet, their inherent vulnerabilities were manageable. However, the drive to connect these control systems to corporate networks has now bridged that virtual gap and that makes hacking attacks more likely.
Its not just the railways that will suffer from this problem, power plants and other utility providers have encountered the same. Across the board, many industrial control systems are running obsolete software which is too expensive to upgrade and little work is undertaken to scope the potential risks that are created when they are connected to corporate networks, and thus the internet.
The networking of industrial systems is perhaps a natural progression. Such practices allow for the concentration of staff at fewer locations and could potentially save money on operating costs. However, organisations must ensure that they are fully aware of the risks they are taking when making such connections. Even without the threat of an external, deliberate attacker, the risks posed to industrial systems by users on the wider network, are considerable. High profile utility and transport companies will always be a target for someone and even a reconnaissance trip can cause unintentional damage. In many instances, the presence of an operator can avert disaster. Yet it should be considered that an increasing number of systems are now fully automated. Modern systems may be designed with security in mind and can support full automation more securely, but how are they connected? Wider connectivity to older systems may undermine the integrated safeguards. Organisations must properly scope the requirement for making such connections and ensure that identified risks are mitigated. The potential impact on the general public is too significant to ignore.