On 28 September 2022, the SAFETY4RAILS consortium successfully organised its final conference at the UIC headquarters in Paris (France) and online with the participation of more than 80 partners representatives, Advisory Board members and external guests (about 50 attendees at UIC and 30 participants online). The conference marked the conclusion of SAFETY4RAILS, an EU co-funded project which was carried out by a consortium comprised of 31 partners from 13 different countries for a duration of 2 years (started on the 1st October 2020).
SAFETY4RAILS aimed to increase resilience against combined cyber-physical threats including natural hazards to railway infrastructure. Throughout the day, the consortium presented the results of the project, notably by demonstrating with a hypothetical scenario the roles and functionalities of several tools of the SAFETY4RAILS Information platform (S4RIS), and outlined plans for future work.
- Opening session
The final conference was introduced by the Project Coordinator (Stephen Crabbe, Fraunhofer EMI), following the welcoming of UIC’s Head of Security Division (Marie Hélène Bonneau). The Coordinator presented an overview of the project, including its objectives, approach and results.
In a nutshell, the project approach was to focus on the combination and extension of 19 contributory tools provided by technical partners which were mostly at a Technological Readiness Level (TRL) 5-6 (i.e. technology validated/demonstrated in a relevant environment, but not proven in operational environment)[1] at the beginning of the project. Efforts were allocated to increase the TRL of each tool brought to the project and to ensure their collaboration/combination thought the SAFETY4RAILS Information System platform (S4RIS), addressing all phases of a representation of the resilience cycle (Identify, Protect, Detect, Respond, Recover).
Following the presentation of the S4RIS architecture, the coordinator described shortly the four simulation exercises carried out in 2022 hosted by end-user partners, each of which tested and collected evaluation on the S4RIS:
- February 2022 – Madrid exercise (Metro de Madrid): combined a cyber-physical attack at a metro station close to a stadium after an important sport event.
- May 2022 – Ankara (EGO and TCDD): series of cyber-attacks and physical attacks targeting sensitive devices and sensors.
- June 2022 – Rome (RFI): Potential terrorist attack via improvised explosive device (IED) hidden in baggage and by a terrorist using firearms inside a railway station.
- July 2022 – Milan (Commune di Milano): Flooding impacting an important transportation hub of the city during the opening of the winter Olympics.
- Live Demonstration
To provide the audience with a global view of the S4RIS functionalities, based on the 19 contributory tools it gathers, the Technical Coordinator (Uli Siebold, CuriX) led a demonstration where the following tools of S4RIS were involved, as follows:
Identify/Protect phase:
- SecuRail: Provides risk indicators for a set of scenarios generated by the initial threat based on network topology and other data on infrastructure and services (e.g., people flow recorded by turnstiles and economic figures of asset), comparison of countermeasures.
- BB3D: Structural damage level – buildings and underground tunnels; casualties.
- iCROWD: Predicted evacuation times and bottlenecks in the station and/or its surroundings, identificatied CCTV blind spots.
- TISAIL: Vulnerability in CCTV operating software, based on open source intelligence.
Detection
- Ganimede: Detection of unattended baggage, sending alerts to RAM2
- PRIGM-Senstation: Detection of a breach of entry into a sensitive room (control room) and sensor data anomaly detection, sending alerts to RAM2
- OSINT: Provision of social media alerts, sending alerts to RAM2
- Curix: Detection of signs of Denial of Service (DoS) attack on CCTV and noise sensors detecting the explosion noise, sending alerts to RAM2
- Wingspark: Detection of overcrowding on platforms, sending alerts to RAM2
- RAM2: Correlation of events providing users with insights into the overall attack and its progression and mitigation plans for each alert. Messages links to tools involved in the Response phase.
Response
- DATAFAN: Prediction of the free capacity of surrounding stations to support re-direction of passengers
- CaESAR: Simulation of the propagation of impact of the closure of a major station through the rail network and evaluation of possible mitigation measures.
Recovery
- CAMS:Assessment of costs and priorities to restore the service after extreme event(s) considering assets damaged / destroyed.
The fictional scenario was developed by the Consortium to demonstrate the S4RIS functionalities in case of a combined cyber and physical attack on a major city’s railways network during rush hour. The chronology of event is illustrated with the below figure:
The hypothetical scenario gathers several aspects of a potential security crisis by combining:
- The physical attack of the central control room, leading to an interference by terrorists in sensors networks triggering a false alarm/alert in the station and to a DoS attack on CCTV and monitoring systems.
- The coordination with an explosive device attack, hidden through abandoned baggage on the station platform.
- The consequence of the attack on passengers, generating chaos in the station and on social medias with citizens spreading the news of the attack.
Following the presentation of the scenario timeline, the demonstration followed the chronology of events and enabled to show to the audience when and how each involved tool plays a role in the detection of events and how alarms are communicated from tools to RAM2, and how they appear for the operator.
Following the demonstration, participants had the opportunity to engage with 9 of the SAFETY4RAILS tool providers in the room and learn more about each tool’s objective, function and future development plans. The following tools were presented:
- BBD3 (RINA)
- CAESAR (FRAUNHOFER EMI)
- CAMS (RMIT)
- CURIX (CURIX)
- DATAFAN (FRAUNHOFER EMI)
- GANIMEDE (LEONARDO)
- SECURAIL (STAM)
- SISC2 (ICOM)
- SYMBIOTE (ICOM)
- TISAIL (TREE)
- Uni|MS (ICOM)
- WIBAS (ICOM)
- WINGSPARK (WINGS)
III. Main Lessons Learnt
The second half of the day was dedicated to the presentation of the main lessons learnt of SAFETY4RAILS and the project’s recommendations for future work. These lessons learnt were presented by theme, as follows:
Technical point of view
The technical coordinator (Uli Siebold, Curix) described the lessons learnt derived from the project content based on the resilience cycle and its five phases. The main issues identified were centred around the availability, security and handling of data.
- Data modelling: To solve issues around the use of proprietary model representations, it would be worth considering well-established model representation fit for purpose or generic.
- Data gathering and availability: It was recommended to share the data stored by individual tools via a repository of data.
- Data security: Similar projects should consider data anonymisation techniques, self-destructing data.
- Guidance through S4RIS: Guidance on these issues throughout the process is needed by the platform itself (switch).
For a more detailed overview of the challenges in each phase of the resilience cycle, please refer to the presentation available at https://safety4rails.eu/2022/10/01/safety4rails-final-conference-was-held-on-28-september-in-paris-france-at-uic-hq/.
To wrap-up, the Technical Manager also identified potential features to be implemented in a production version of S4RIS, notably around authentication and encryption.
End-user perspective:
The presentation of the main lessons learnt continued with the end-user coordinator (Marie Hélène Bonneau, UIC), highlighting that:
- As a highly technological and innovative project, the uptake of results by operators was challenging and required a lot of exchanges and coordination between technical partners and end-users to explain the functionalities and capacities of the S4RIS platform and individual tools.
- The 19 tools brought to the project are very innovative, most of them being based on artificial intelligence which is at a very early stage within rail companies. The integration into rail companies’ legacy systems might be very challenging.
- The evaluation of the S4RIS by end-users, performed via the four simulation exercises, questionnaires and debriefings sessions, demonstrated a positive appreciation as the expected objective were successfully met. Among the key added value of the platform observed by end-users are: the combination of the capacities of the tools with a dashboard grouping all the alerts, the simulation capabilities helpful for management and decision-making and the detection tools. Yet it was noted that railways and metro representatives which took part in the evaluation process could not provide comprehensive feedback from their organisation, considering the diversity of positions and activities carried by railways and metro staffs.
- Areas for potential improvement highlighted by end-users are:
- Simulation capacities would benefit from more accurate data as well as more variables.
- The integration of the S4RS tools with the company information systems would need to be assessed.
- The enhanced integration of tools in the S4RIS platform
- The inclusion of user manuals / guidance, adapted to each type of end-user to ensure the S4RIS implementation in different IT and OT environments.
Policy perspective:
The presentations on the impact of the project continued with EOS (Angeliki Tsanta) presenting the contribution of SAFETY4RAILS for the compliance of end-users with the European framework on critical infrastructure security (ECI & CER Directives) and cybersecurity (NIS and NIS2 Directives).
In addition, the following policy recommendations were drawn from the experiences of the project:
- Encourage operators to adopt a holistic cyber-physical approach to threats
- Align the implementation of CER & NIS 2 Directives in Member States
- Promote formal synergies in their enforcement
- Promote best practices for ethical crisis communication and data management
- Additional effort in standardisation activities to capture new technologies (e.g., AI, Block-chain) and to address specific requirements for supporting tools
Go-to-market roadmap:
Last but not least, the main lessons learnt session was concluded by ETRA (Eduardo Villamor Medina)’s presentation of the Go-to-Market roadmap and proposed next steps for the exploitation of the SAFETY4RAILS tools and platform after the end of SAFETY4RAILS project:
- Exploitation strategy: more than 30 exploitable results (tools, guidelines, methodologies) were identified. Partners committed to engaging in the necessary actions to ensure the impact of the project after the project’s end. As such a 5-year plan for market entry was developed, divided into three phases: one year of preparation, 2 years of industrialisation and 2 final years for commercialisation.
- Market analysis and Business Plans: relying on a competitive benchmark analysis, most of the SAFETY4RAILS tools were identified as innovative or even pioneers when it comes to risk assessment, self-healing, threat intelligence tailored to railways infrastructure and the consideration of cyber-physical security. On this basis, the business plan was presented, explaining key partners, activities, resources, structure, customer relationships and segments, alongside with the identification of risk and mitigation measures related to the commercialisation of S4RIS. Yet, even in the pessimistic scenario, a yearly turnover of nearly €1,83M in the fifth year of the commercialisation would be foreseen.
- Conclusion
The SAFETY4RAILS Coordinator Stephen Crabbe (Fraunhofer EMI) closed the conference with the main conclusions of the project, highlighting the final brochure which gathers the main lessons learnt from the project (available here).
Relying on the positive feedback received during the two-year project, expectations are now to apply SAFETY4RAILS results in real life relying on the S4RIS platform’s high potential for commercial use.
All the presentations given during this final conference are available online at https://safety4rails.eu/2022/10/01/safety4rails-final-conference-was-held-on-28-september-in-paris-france-at-uic-hq/.
CEIS, October 2022