SINGAPORE: Obsolete and legacy infrastructure are two of the challenges faced by rail operators and regulators when implementing solutions against cyber threats, said a panel on Tuesday (Oct 22).
For example, while rail contracts may require vendors to provide the most up-to-date technology, this may already be obsolete by the time a rail line is up and running in three to four years' time.
“So you have to face that, you have to be prepared to manage obsolescence, and to replace part of your solutions,” said Mr Benoit Bruyère, head of cybersecurity for French firm Thales, who took part in the panel discussion at the 26th Intelligent Transport System (ITS) World Congress.
Thales is behind the communications-based train control (CBTC) system installed on the North-South and East-West lines.
The implementation of such cybersecurity requirements must be done with an eye on ensuring that the daily operations of the rail network are not affected, said Mr Jeffrey Sim, head of SBS Transit’s rail development.
“While we can take the necessary strategies and steps to make the system more robust, we should know that operations must resume, and we must minimise the risks as far as possible,” said Mr Sim.
Noting that the various systems that make up the rail network come from different suppliers, he pointed out that this also means that there are various weak points that need to be identified and protected.
While some cyber attacks are motivated by thrill seeking and profit, others are more malicious in intent, such as those who seek to do “really bad things to the country”, said Mr Huang Shao Fei, chief information security officer at the Land Transport Authority (LTA).
For its part, train operator SMRT is working with LTA and the Cyber Security Agency to install a “robust framework of measures to counter cyber risks”, said Mr Lee Fook Sun, deputy chairman of SMRT Trains.
“It is critical for SMRT to be protected against cyber threats and vulnerabilities,” he added.
Speaking to reporters following the discussion, Mr Bruyère noted that there were already examples of rail systems that had faced cyber attacks.
He pointed to the example of the San Francisco Municipal Transportation Agency, which in 2016 saw its fare terminals hit by a ransomware attack.
Signalling systems, as well as other important rail infrastructure, could also be vulnerable “in principle”, he noted.
“So this is why you need to monitor, to be proactive and prevent (such attacks),” he added.
The need to defend rail networks against cyberattacks was highlighted by Minister for Transport Khaw Boon Wan on Monday.
At the opening of the ITS World Congress, Mr Khaw noted that while the increasing use of sensors and cloud computing allowed for more efficient rail operations, it also opened this previously "walled garden" to cyber attackers.
In the most recent SMRT Trains Operations Review, released earlier this month, the rail operator noted various systems on its rail lines – the North-South, East-West and Circle Lines, as well as the Bukit Panjang LRT – had been identified as part of the Critical Information Infrastructure (CII) sectors.
CII refers to sectors that are responsible for the continuous delivery of essential services in Singapore, and that includes the Government, infocomm, energy, aviation and transport, among others.