Singapore

Cyber threats in rail industry to worsen, warn experts

Cybersecurity threats to rail operations are a pressing issue that will get more serious, a panel of experts said yesterday.

These threats, which are exacerbated by issues such as legacy components in the transport system, will need to be addressed to safeguard the safety of commuters on trains, said the panel, which included Land Transport Authority (LTA) chief information security officer Huang Shao Fei.

Mr Huang, with SBS Transit's head of rail development Jeffrey Sim and Thales' cybersecurity expert for transport Benoit Bruyere, were speaking at a panel discussion on cyber security for rail at the Intelligent Transport Systems World Congress yesterday.

Thales, a French technology company, supplies the signalling system for the North-South Line and East-West Line in Singapore.

The experts' comments come in the light of Transport Minister Khaw Boon Wan's call for more attention to cyber security in intelligent transport systems.

Mr Huang noted that transport systems, especially older ones, were not designed for digitalisation.

He added: "If you look at how (the cyber threat to rail operations) is evolving, it is going to become even more nefarious, more serious."

He did not say whether such attacks have happened on Singapore's rail system.

But he noted that another concern was with the supply chain in train systems, given that suppliers sometimes depend on other firms to manufacture parts in their products. It is difficult to determine the security of these components, he said.

According to The Cyberthreat Handbook by Thales and cyber intelligence firm Verint that was published earlier this month for cybersecurity stakeholders, the transport sector is the fourth most targeted sector by cyber attackers, behind sectors such as finance.

Mr Sim said that beyond defending against cyber attacks, operators will have to prepare to respond to successful attacks.

"Looking at an issue from a cyber security perspective is totally different from looking at it from a system fault perspective," he said.

Experts at the congress discussed the security backlash that might come with advances in transport technology.

They warned that smart vehicles linked to transport infrastructure are another node in interconnected systems that bad actors or cyber attackers can physically access.

Instead of trying to enter a network through malicious software or other cyber attack methods such as phishing, criminals can enter networks illegally from these vehicles.

But the experts agreed that when it comes to cyber security, it is impossible to to eliminate risk and guarantee a system will not be breached.

Instead, governments, companies and other stakeholders should invest in ways to reduce and manage that risk.

Mr Josh Johnson, director of the critical systems department at American research organisation Southwest Research Institute, said: "It is about picking the low-hanging fruit, doing a risk assessment on the most critical risks and vulnerabilities, and addressing those."

Transport