The Device Chronicle interviews Eddy Thésée, VP Cybersecurity Products & Solutions, Alstom, on security technologies and standards in rail transportation.
Alstom is a leading global provider of high-speed trains, metros, monorails, trams, turnkey systems, services, infrastructure, signaling, and digital mobility. Passenger safety is a paramount concern in the rail transportation sector. So in a complex supply chain of OEM providers, integrators, and operators, technology advancements are embraced carefully.
.jpg?width=295&height=196&name=Portrait%20of%20Eddy%20THESEE%20-%20VP_161333%20(1).jpg)
We interviewed a cybersecurity expert from rail transportation to explain how cybersecurity has affected the rail transportation sector. Eddy Thésée leads the defining and execution of the Cybersecurity strategy and positioning for Alstom's products and solutions portfolio. He also leads the product vulnerability management strategy and develops the associated product vulnerability management program.
Alstom’s cybersecurity strategy
Eddy begins by outlining Alstom's cybersecurity strategy, describing the increasing connectedness and volume of software in trains witnessed over the last ten years. He goes as far as to say that the train can now be considered a collection of "data centers on wheels," with up to 500 computers with several networks on board. In light of this growing computing complexity, Eddy describes how Alstom needed to put in place a process to analyze its products to ensure implementation of the proper levels of cybersecurity while taking into account the need to manage equipment and projects over a life cycle of 30 years all while factoring in the safety regulations.
To achieve this, Eddy and his colleagues developed three key axes in their strategy:
- Apply good cybersecurity recipes for integration into Alstom products in the future.
- Analyze the installed base for threats in light of the very long product and project life cycles lasting 10 to 40 years.
- Educate and support customers through this connected product and cybersecurity transformation journey.
Overall, putting the defenses and safeguards in place and making them sustainable over time was critical.
Vulnerability management and remediation
Regarding software vulnerability management and remediation, Eddy describes the primary challenge as ensuring the correct security posture of the products over the long life cycle. Eddy established a security team to develop a mechanism to assess the products' software bill of materials (SBOM), ensuring that all the software components in the build are known and adequately monitored. Open-source software is a special consideration in vulnerability management. Also, Alstom's suppliers had to be carefully considered and brought under control as part of this vulnerability management program. Alstom receives components from other suppliers and integrates them into its products. Each component piece received has to have its software system analyzed. The team assessed how to monitor the open-source software and any software provided by a 3rd party efficiently. The team also created a plan for how vulnerabilities would be corrected and managed at the system level, e.g., does a vulnerability in a component have an impact? Yes or No. If yes, how will it be taken off within the life cycle of the Alstom product?
Alstom provides a service for customers to subscribe to receive information on newly discovered vulnerabilities. If it is agreed between Alstom and its customer that exposure to the vulnerability will impact the customer's operations, only then will a remediation plan and action plan to mitigate the vulnerability.
Achieving progress through collaboration
Another critical challenge in the industry is achieving effective collaboration between components-, product providers, and operators in this complex, interdependent rail transportation environment. Before cybersecurity emerged as a significant topic, collaboration was not critical as it is now. Before, each provider was working on their product line with just a few essential standards for interoperability that had to be adhered to. But now, each vendor must have a process to protect their products from external threats and coordinate with other providers across the value chain – suppliers, competitors, and customers. This concept is new and developing. Collaboration and coordination are only possible in the presence of alignment around standards. What was needed was common standards to have a common framework for all parties to work to. Eddy points out that only five years ago, there were no standards in rail transportation for cybersecurity; now, there is one clear standard in the form of the TS 50701 and its evolution in an international IEC to come in 2025 with the release of the IEC63452.
Eddy explains that within these standards, there needs to be clear rules regarding the different security levels for devices. What are the various threat models? What are the acceptable risk levels depending on the product’s environment? What are the various operational impacts across all systems?
Collaboration comes through community. Eddy says a couple of industry-level cybersecurity working groups facilitate a technical discussion between the regulators, operators, and OEMs providing products and integrated solutions. “Having standards, a common language, common threat models, and dedicated work groups with professionals from across these companies helps anticipate significant developments and provides a longer view of cybersecurity across the sector.”
Rail-specific cybersecurity standards
The first key standard for cybersecurity in rail was issued in 2021 is CENELEC’s CLC/TS 50701 Railway applications – Cybersecurity developed by CLC/TC 9X Electrical and electronic applications for railways. The standard takes inspiration from different sources (IEC 62443-3-3, CSM-RA), adapting them to the railway context. It covers numerous vital topics such as railway system overview, cybersecurity during a railway application life cycle, risk assessment, security design, cybersecurity assurance and system acceptance, vulnerability management, and security patch management.
Since mid 2021, the working group, of which Alstom is part of, have worked to create an international standard succeeding and extending the TS 50701. So Eddy and his peers succeeded in establishing an IEC group to deliver the future railway cybersecurity standard (IEC63452) and this group will issue the future railway cybersecurity standards. The first draft of these new standards is ready now. The group will publish this draft for comments before the end of Summer 2023, and stakeholders will vote on the recommendations for the standard within 12 months, and then an official standard should be in place by Q1 2025. Eddy remarks “From nothing in 2016 to a standard by 2025 is an outstanding achievement.”.
Security by design
Eddy outlines that the product design should ensure maximum security when Alstom dispatches the product to the customer and that the customer can maintain this level after the product goes into operation. Eddy defines this as "security by design". It does not mean that the product is "security bulletproof forever"; instead, it means delivering a secure product at a certain high level, and the system can manage and handle regular software updates, extract security logs easily, and have some other security controls implemented.
OTA software updates
Eddy concludes by pointing out that in rail systems today, technically, these systems can benefit from over-the-air software updates. In the absence of remote updates, physical systems would have to be updated individually and this is not practical. The critical question is how can the remote updates be carried out safely within the operation. “The update must not disrupt the tight software configuration in place and the performance of the update must comply with the rigorous standards for safety.” Eddy remarks that in aviation, it is very challenging for intruders to access systems capable of taking updates. Train systems are much more accessible, so special defenses are needed. Eddy keeps telling his team, "We are still inventing rail cybersecurity."
We wish Eddy and his team well on their journey to ensuring rail cybersecurity.