The Simulation Exercise was co-organised by Metro de Madrid (MDM) and ETRA. The event brought together around 60 representatives from the SAFETY4RAILS consortium participating physically in Madrid and online. Among these participants, representatives from eight end-users attended: CDM (City De Milan in Italy), MDM (Metro De Madrid), EGO (Ankara Metro), RFI (Rail Infrastructure Manager in Italy), PRORAIL (Rail Infrastructure Manager in the Netherlands), TCDD (State Railway in Turkey), FGC (Rail operator in Barcelona) and UIC (the Worldwide Rail Organisation).
The main objective of this event was to demonstrate how the SAFETY4RAILS Information System (S4RIS), together with its main tool components, can help rail and metro operators manage a combined cyber-physical attack targeting a metro station based on a simulation scenario taking place in Madrid. Even though the attack focused on a specific metro station, S4RIS applied a holistic approach with mitigation measures considering the Smart City paradigm, public authorities, interconnected infrastructures and cascading effects across the whole metro system.
The simulation exercise was organised around the resilience stages defined during the project: Prevention (activities performed before the incidents, including identification and protection), Detection & Response (activities performed during the incident), and Recovery (activities performed to ensure MDM services come back to normal operations and improve long-term resilience).
The S4RIS, with a combination of 11 tools addressing the scenario, was demonstrated leveraging operational data relevant to each resilience stage. 13 technical partners, led by ETRA, coordinated their efforts to tackle novel emerging threats: ETRA, FRAUNHOFER, ELBIT, STAM, TREE, INNO, WINGS, RINA, RMIT, ERARGE, NCSRD, IC, UNEW.
During the prevention phase, the capabilities of 8 tools were showcased:
- BB3d (BomBlast3d): the tool provided bomb blast simulation to evaluate outdoor bomb blasts and how they affect buildings and metro structures. This is intended to help the experts from the civil construction department build more resilient physical structures.
- CAMS (Central Asset Management System): Based on maintenance data, CAMS spotted the most damaged assets/components (due to ageing degradation), i.e. the ones which would be most affected by a hazardous event. Assets from both the cyber and physical domains were evaluated. The analyses should improve preparedness and help the maintenance department plan proactively.
- SecuRail (Security Risk Analysis of railways infrastructures) was used to perform an off-line risk analysis of the infrastructure in order to understand the risk level of each critical component in the metro system. The results should show the security managers where, and to what, more attention needs to be paid (e.g., by introducing more appropriate security measures).
- TISAIL (Threat Intelligence Service for the Railway sector)/OSINT (Open Source Intelligence) identified existing vulnerabilities in the cyber domain, related to workstations, PCs, CCTV systems and the power grid. After analysing the threats, extracting some Indicators of Compromise (IoCs) and enriching the information, an alert was created in order to warn Infrastructure Managers, Railway Undertakings and other stakeholders.
- DATAFAN (Data Artificial InTelligence-based Analysis Forecasting and ReliAbility EvaluatioN) was used to run a set of what-if scenarios to understand the flow of passengers in the station, as well as possible delays. This information was then shared in the CAESAR tool, described below, in order to identify critical components.
- CAESAR (CAscading Effect Simulation in Areas for increasing Resilience) was used to assist security operators in identifying the weakest/most critical components that they should pay closer attention to protect and understand the resilience level of the infrastructure.
- iCrowd simulated different crowd movement scenarios to optimise camera locations and reduce blind spots in the station during the evasion of a malicious actor. It also generated crowd congestion and pressure levels after an explosion close to a station. For this, bomb blast results generated by BB3d were used (e.g. damage on structures and people).
- RAM² (Risk Assessment Monitoring & Management and Decision Support System) provided the security operator with a complete picture of the identified vulnerabilities and security gaps in the infrastructure. Identified vulnerabilities were accompanied by suggested mitigation actions to fix them and increase the resilience level of the metro infrastructure.
During the simulated detection & response phase, several tools enhanced situational awareness through the added value of their alerts: TISAIL/OSINT detected a spear-phishing campaign and a CCTV camera vulnerability using open internet sources; CuriX (Cure infrastructure in XaaS) detected anomalies in the sound intensity levels and in the state of the doors, as well as malware operating patterns on the system; WINGSPARK (WINGS Big Data and Predictive analytics tool) detected anomalies in train speed and identified overcrowded areas; and DATAFAN detected an anomaly in the passenger flow in the station.
All events were presented to the operator in the S4RIS (RAM² GUI), where existing and incoming alerts were correlated and the details of the alerts presented. The Security Coordinator received the warnings and took immediate action, supported by the advanced crisis management capabilities of the S4RIS Decision-Support System (RAM²).
During the response phase, the tools helped to decide which stations should be closed, considering the trade-off between security and business continuity. Based on station closures, DATAFAN was used to inform the mitigation engine (CAESAR) of the predicted change in passenger flow in real time, taking into account passenger load for surrounding stations. CAESAR produced a ranking of the best mitigation measures based on cascading effects computation, which supported the security operator's decision-making.
For the impact analysis, iCrowd provided estimates of the consequences of the incident on the passengers, leveraging the information regarding the passenger flow in the station and the status of key assets affecting mobility (e.g. doors, turnstile…).
Finally, during the recovery phase, S4RIS evaluated (through CAMS) the fragility of physical and IT assets after the incident. This allowed the operators to define budgetary measures to improve resource deployment and control financial loss in the future. Furthermore, BB3d informed the civil construction department so that it could create countermeasures to improve the resilience of structures, such as protective hardening and safety distance.
These two days were very fruitful and very useful for the end-users to understand the possibilities of the tools and the added value of their combination and integration in the S4RIS platform.
The next exercise will be held in Ankara on 22-24 March, organised by ERARGE (R&D Centre in Istanbul) with EGO (Ankara metro operator) and the support of TCDD (State Railway in Turkey). In the meantime, feedback from the end-users will help to improve the tools and reach a new step with another set of operational data and even more tools integrated in the S4RIS platform.
The information appearing in this article has been prepared in good faith and represents the views of the author. Neither the Research Executive Agency, nor the European Commission are responsible for any use that may be made of the information contained in this abstract.