The second simulation exercise of the SAFETY4RAILS EU project was co-organised by ERARGE, EGO and TCDD. The event took place online on the 27th and 28th April 2022 with 58 representatives from the SAFETY4RAILS consortium.
The main objective of this event was to demonstrate and evaluate the functioning of the latest version of the SAFETY4RAILS Information System (S4RIS) platform with its contributory tools, based on a scenario of a combined cyber-physical attack on one Ankara metro station. The simulated attack was designed around two key events: an intrusion into an important room leading to a cyber-attack, and the explosion of a piece of luggage abandoned by a terrorist. The simulation involved technical capabilities to address the four stages of the resilience cycle:
- Prevention: activities performed before the incidents, including identification and protection of key assets
- Detection & Response: activities carried out during the incident
- Recovery: activities undertaken to return metro and rail services to normal operation and improve long-term resilience.
To demonstrate this, several S4RIS tools provided simulations of their capabilities to respond to the scenario. The exercise involved 9 tool providers:
- CAMS (Central Asset Management System): based on maintenance data, the tool helped to sort out the most damaged assets/components of the metro system (due to ageing and degradation). During the Ankara scenario CAMS showcased the most affected assets, from both the physical and the cyber domain. In terms of the resilience cycle, CAMS analyses should act on the prevention and recovery phases by improving preparedness and helping the maintenance department to plan proactively.
- iCrowd: the simulation-based situational awareness tool provided prediction of different crowd movements and behaviours in the metro station and therefore helped to detect hazardous situations, bottlenecks and malicious movements and to analyse risk mitigation measures. Focusing on the prevention and recovery phases, the tool identified possibilities for analysing improved CCTV system positioning and improved evacuation routes.
- SecuRail (Security Risk Analysis of railways infrastructures): aims to support railway infrastructure managers in performing a quantitative risk assessment of each critical component in the metro system in a simplified and structured manner. In the Ankara scenario it performed an off-line risk analysis of the infrastructure. The results identified capabilities on offer to security managers in the prevention stage by providing information on which components and processes would be priorities for attention.
- CAESAR (CAscading Effect Simulation in Areas for increasing Resilience): the software was demonstrated showing capabilities to assist security managers in evaluating and mitigating the potential impact of cascading effects in their service network through the closure of a metro station.
- DATAFAN (Data Artificial InTelligence-based Analysis Forecasting and ReliAbility EvaluatioN): was used to identify the number of passengers expected to be using a (closed) metro station for a given time period and the capacity of surrounding stations to take up these extra passengers due to the station's closure.
- TISAIL (Threat Intelligence Service for the Railway sector) / OSINT (Open-Source Intelligence): uncovers potential threats from different services and the cyber domain in a semi-automatic manner. After the threats are analysed, some Indicators of Compromise (IoCs) are extracted to enrich the information. On this basis, an alert is then created to warn infrastructure managers, railway undertakings and other SAFETY4RAILS tools. In the simulation, the risk of unauthorized access to a CCTV camera model was identified, as was a social media message reporting an explosion.
- CURIX: offers a holistic approach to prevent outages, predict critical phenomena and increase resilience in IT Operation and IT Security. During the exercise, CURIX detected the drop in the electrical power consumption (due to the terrorists manipulating an important system), which in turn triggered an alert to the security operators during the detection and response phases.
- PRIGM-SENSATION: the hardware security module was used to ensure that secure communication channels are established between physical data sensors and control centres. Connected to the SAFETY4RAILS interoperability architecture during the exercises, it enabled the integrity of the data transferred and the detection of an intrusion into the important room through various sensors.
- GANIMEDE: as a platform used for the management of video/audio content analysis (using artificial intelligence and deep learning), it was mobilized during the scenario to provide an algorithm capable of detecting the presence of unattended objects through CCTV cameras. As it can detect and report the presence of abandoned objects, this tool is used for the purposes of detection and response phases of an incident.
To sum up, during the detection and response phase of the simulation, several tools provided information to create situational awareness: GANIMEDE detected an abandoned piece of luggage and raised an event for it, PRIGM-SENSATION detected the intrusion into the important room by checking various sensors, and TISAIL/OSINT discovered the exposed CCTV and sent the event to S4RIS. CURIX (Cure infrastructure in XaaS) detected the drop in the electric power consumption and created an event. TISAIL/OSINT also generated a social media message report regarding a reported explosion. DATAFAN performed a passenger flow analysis of the connected stations to detect possible anomalies.
The events raised were presented to the operator in the S4RIS (RAM2 GUI), where correlation between existing and incoming alerts was performed and details of the alerts were presented. The Security Coordinator received the alerts and demonstrated the immediate action to take, supported by the advanced crisis management capabilities of the S4RIS Decision-Support System (RAM2).
The entire simulation was created to demonstrate the capabilities of the tools, considering actual and/or potential security threats and their combinations. However, it was not based on any previous or actual operational event(s) occurring within the organizations involved in the simulation.
The next simulation exercise will be organized by Leonardo (LDO) and hosted by Rete Ferroviaria Italiana (RFI) on 31st of May and 1st of June. In the meantime, feedback from the end-users will help to improve the tools and reach a new step with another set of operational data and even more tools integrated in the S4RIS platform.
The information appearing in this article has been prepared in good faith and represents the views of the author. Neither the Research Executive Agency nor the European Commission is responsible for any use that may be made of the information contained in this abstract.