Safety paves the way for security

15 March 2017

Whenever Stefan Persson watches a disaster movie at the cinema where a train is involved, he shakes his head while others scream. He knows how improbable it is for a train to derail or for someone to hack into the system and take control.

 

Double – and even triple – safety systems, with various levels of redundancy ensure that this cannot happen. And, in the unlikely event that something does occur, other systems are in place which brake and stop the train.

 

"Then again, there are other causes which mean we have every reason to take these threats seriously. Safety is of the utmost importance for our customers, and foreign locomotive manufacturers have experienced incidents.

Stefan Persson, Head Systems Engineer at Bombardier

 


Incidents which have occurred mainly involved someone managing to hack into a train's infotainment system and altering information, or expressing political or harassing messages.

 

 

It may not seem as serious in comparison but, for example, camera surveillance is becoming increasingly ubiquitous, and we do not want the wrong people taking control of the cameras or accessing the video images. Although it would be easier to gain access to this than to critical functions in a train.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

System interconnection increases vulnerability

A reason for infotainment systems being particularly vulnerable is their myriad links to other systems. They interface with other trains to display current connecting trains and possible delays. They gather information from many sources and compile this accordingly so as to be of use to passengers.

 

 

Here, we have a major advantage over companies in other industries. We have worked with other types of safety and security issues for so many years that we have developed processes with superior functionality. Now, at a time when net-based security threats are growing, we are able to manage these comparably, within our existing systems. Essentially, the same questions need to be asked, even if the solutions are different.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

Considering security early saves money

The most important lesson learned from many years of safety and security work is to think about safety from an early stage in development.

 

 

Security is included at all stages during the development of new systems. Security always constitutes some form of compromise, but doing it this way enables us to make conscious choices. And, it becomes cheaper.

Adding security features retroactively is often exorbitantly expensive. In practice, it can have to do with practical issues – like where to place various devices on the train.

A modern locomotive is brimming with electronic control equipment and some systems are more sensitive than others. These are placed in the most secure areas possible, which makes it easier to do early on in the development process.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

Notwithstanding their extensive experience, Bombardier selected Combitech to assist them in improving their security.

 

 

They have helped us to implement IT security processes. This can be rather complex and it's valuable to have someone to back you up. It also lends extra weight when we say to our customers that we've had IT experts inspecting the systems. It assuages their concerns to a greater extent than if we say we did it ourselves.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

 

Aiming for self-sufficiency

In the long-run, we'll be self-sufficient in this area as well. But, until then, I must admit that this has been a highly informative journey. I have personally learnt so much by discussing these issues with a third party who understands our situation, but who still has novel approaches.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

Bombardier places great emphasis on having the correct approach from the very start, as their locomotive systems must, in many cases, have lifespans counted in decades. A great deal is taking place within safety and security at present.

 

 

It's about designing systems which can be gradually upgraded in terms of security. It may involve embedding some elements deeper into the security architecture, or a design which enables the rapid reinforcement of access security in the form of several firewall layers, for example. Sometimes, it may be better to strengthen the surrounding protection instead of altering critical components.

Stefan Persson, Head Systems Engineer at Bombardier

 

 

In the future, Stefan may no longer be the only person sitting in a cinema shaking his head. He sees that interest in IT-related security issues is on the rise within the industry – and customers are no exception.

 

 

It's a sign of the times. Now, we can jointly discuss which security level we desire and customers are willing to pay for IT security. This was not the case ten years ago.

Stefan Persson, Head Systems Engineer at Bombardier

Hans Danielsson

Business Area Manager

hans.danielsson@combitech.com

+46 (0)13 18 00 17

Other news

19 July 2022

Framework agreement in crisis preparedness and civil defence

The Swedish Civil Contingencies Agency (MSB) has signed an agreement with Combitech for consultancy services related to crisis preparedness and civil defence.

29 October 2020

How do you know if your system is secure, if it has never been tested?

Combitech contributes to a safer and more secure society. An important part of this work is performed by our penetration testers. Their work is to simulate hacker attacks in order to find vulnerabilities and weaknesses in networks and systems. Three of Combitech’s sharpest pentesters, Christoffer Olsen at Combitech Denmark, Michael Johansson at Combitech Sweden and Olav Sortland Thoresen from Watchcom in Norway explain what they do, how they do it and why their work is vital to many companies.

3 April 2019

A Holistic Approach to Cybersecurity

The capabilities and motivations of attackers to go after operational systems in infrastructures critical to society’s resilience are omnipresent. But these sectors are traditionally not prepared to deal with such security threats. It is time to wake up!

Want to know more?