In most ISA discussions, cyber security assurance issues are overshadowed by safety assurance issues. It is natural to assign the highest priority to safety concerns, but the changing business environment no longer affords that luxury. Sensitization about 'why to do a security assessment' is essential, ahead of 'how to secure/maintain cyberspace/cyber systems'. Metro cyberspace is as vast as the metro railway system itself, if not more so. Pain points are all-pervasive and the attacker can be invisible.
Of late, public transport systems have come under constant attack, not only in physical terms but through cyber-attacks as well. Treating a metro railway as a stand-alone system is unwise, as cyber-attacks are no longer limited to remote external or Internet-based sources but can come from within the system, whether intentionally or unintentionally.
Cyber security is the security of cyberspace (all forms of networked digital activity), which includes the contents of the digital network as well as the actions executed through it.
Metro railway transportation systems are swamped with the increased use of electronic and software components. The order of the day is automation, use of COTS components, use of PLCs, etc., to attain better efficiency and effective system deployment. Name any subsystem of a metro system and cyberspace is there. While IT and software bring efficient use of critical resources, along with them creeps in the menace of white rogue hackers and cyber-attackers.
Though safety and security are two different concepts, a security compromise can lead to a safety compromise. From the Operation Control Room to on-board train equipment, a number of electronic and software components work in the expected manner to provide the desired performance. Authority to Operate, Authority to Proceed, Authority to Access, etc. are extended through cyber means. Any undue, unwarranted interference, intentional or unintentional, can vitiate the service and safety parameters.
It is important to take stock of all available electronics (hardware), from workstations, laptops, mobile sets, switches, routers, servers, PLCs, sensors, etc., to the various software: application software, firmware, firewalls, protocols, etc. Any one item in this inventory can be a window of vulnerability for the system. Fault lines can appear at the interfacing and integration stage, however robust a subsystem is claimed to be. Cyber security assessment of cyberspace is further complicated in a metro railway system because it is not limited to any one subsystem (RST, TCS, TVS, ECS, AFC, TPS, OCC, etc.) but is all-pervasive and mostly integrated. The effects of a security compromise can range from vitiation of service to disruption or withholding of services.
As the assessment has to convince both the technical team and the non-technical team, the approach should be one that lets both parties understand and appreciate the narrative. Like the safety assessment of other systems, cyber security assessment can be approached in two parts: technical and non-technical (here, security). The technical part can cover software design, development, application and maintenance, use of IT standards, best practices of the IT industry, etc., and the non-technical part can cover security risks. ALARP principles can be applied to assess security risk by evaluating security hazards, frequency and effects. Safety-related cyber systems can be subjected to a safety case.