SCEPTICS

Summary

The SCEPTICS project aims to help the owners & operators of large-scale Industrial Control Systems to identify elements of their infrastructure that are vulnerable to cyber attack, and to prioritise those systems for further, detailed analysis.

The rapid pace of development in Information and Communications Technology (ICT) over the last 30 years has changed the way the rail industry operates. Commercial pressures and the need to share operational information between stakeholders to facilitate cross-border services etc. have gradually pushed the industry away from more expensive, bespoke systems and towards Commercial Off The Shelf (COTS) solutions. Nowhere is this more evident than in the area of industrial control, where examples of the move to standard technologies include the European Train Control System (ETCS) in the signalling domain, and the provision of remote condition monitoring via Supervisory Control And Data Acquisition (SCADA) networks.

Although the move away from bespoke systems has allowed the industry to become more agile, reduce the risks of vendor lock-in, and deliver “more for less” in terms of underlying investment, it also risks increasing the attractiveness of the railways to cyber attackers; much of the off-the-shelf hardware is IP-based, and therefore subject to many of the same attack mechanisms as any other modern ICT system. Furthermore, common platforms share common vulnerabilities, meaning exploits that have been realised in one industrial sector could be easily transferred to similar technology in another.

While the rail industry in the UK and worldwide recognises that there will be an increased risk of cyber attack in coming years, many railway undertakings are unsure of how to begin building an understanding of the extent of the problem they face, or the steps required to address it.

The SCEPTICS project is developing a set of common processes that can be applied by ICT professionals within the rail industry to scope their own industrial control systems, allowing them to get a broad understanding of the potential risks of cyber attack, and delivering sets of priority areas / systems to investigate using more detailed threat analysis tools and approaches.

Project members

Tom Chothia is a Professor in Cyber Security for the School of Computer Science at the University of Birmingham. His research involves the development of new mathematical analysis, and the application of these techniques to cyber security problems.

He has previously held appointments at CWI (Amsterdam), Ecole Polytechnique (Paris) and Stevens Institute of Technology (Hoboken). He obtained his Ph.D. from the University of Edinburgh (Scotland).

Clive Roberts is Professor of Railway Systems at the University of Birmingham and Director of the Birmingham Centre for Railway Research and Education.

Over the last 14 years he has developed a broad portfolio of research aimed at improving the performance of railway systems. He leads the University’s contribution in a number of large EPSRC, European Commission and industry funded projects. He works extensively with the railway industry in Britain and overseas.

Clive’s research interests lie in the areas of: systems engineering; system modelling and simulation; traffic management; fault detection and diagnosis; and data collection and decision support, applied to railway traction, signalling, mechanical interactions and capacity.

John Easton is a Lecturer working with the Birmingham Centre for Railway Research and Education at the University of Birmingham.

His research interests centre on methods for the storage, processing and display of railway related datasets – in particular data representation and exchange via ontologies, manipulation and integration of data relevant to the multimodal transport system, and cyber security in industrial control systems.

Since joining the rail group in 2009, John has been involved in a wide range of projects including the TRIME third-rail monitoring system, which in 2012 was the joint winner of the Stephenson Award for Engineering Innovation at the National Rail Awards, EU-funded work (Interail, Automain, OnTime, and Capacity4Rail), and the EPSRC-funded SCEPTICS project (part of the RITICS research institute). John sits on the executive committee of the Institute of Engineering and Technology’s Railway Network, and has recently been seconded to the cross-industry Digital Railway programme.