Navigating Modern Rail Cybersecurity with Eddie Thesee

In the heart of the ever-evolving landscape of smart mobility, is Eddie Thesee, Vice President Products and Solutions, Cybersecurity at Alstom, a world leader in green, smart mobility rail solutions, such as rail transportations and infrastructure. Alstom, a trailblazer in green and sustainable rail solutions, has been a witness to the transformation of rail systems from mechanical behemoths to intricately connected, software-intensive networks. Eddie joined the Left to Our Own Devices podcast to discuss what he’s learned on his journey from the Y2K but to today’s modern rail systems.

Alstom, as a leader in the sustainable mobile industry, needed to focus on how to secure their systems as the need for goods and people to move more sustainably. As cities have continued to grow, governments have turned to tried and true rail systems to transport goods reliably– but that meant bringing the system up to date on a wide scale. “If you step back a little bit on the railway, the image is sometimes a little bit outdated. So steam trains and the kind of image of this very mechanical oriented system,” said Eddie Thesee. “The reality is that over the last decade, our system became a very connected, highly software-intensive system. I would say it’s very complex, made of subsystems.”

Over the last decade, the face of rail transportation has changed dramatically. Eddie Thesee sheds light on the intricacies of this transformation, stating, “Our system became a very connected, highly software-intensive system. I would say it’s very complex, made of subsystems.” The integration of data analytics, machine learning, and artificial intelligence has enabled the anticipation of failures, predictive maintenance, and the seamless organization of product security. This technological evolution is not about replacing the entire system but enhancing it. As Eddie puts it, “Without changing the whole system, you can make it better. And that’s always interesting.”

At Alstom the approach is about creating secure systems that can remain secure into the future, knowing that the device will be in service for at least 30 years. It also means that you avoid many of the security challenges that come with changing the whole system. This is vital in a sector that is rapidly developing rail-specific security tools to modernize its assets.

“You feel the change in the industry while it is happening,” said Eddie. “You see things that did not exist yesterday, exist tomorrow, and simply because you don’t need to change equipment, you are just reusing whatever is already there.”

However, with the rise of digitalization comes the inevitable need for cybersecurity. 

Rail cybersecurity, unlike many other industries, had a later start. This delay can be attributed to the unique challenges faced in securing rail systems, such as:

• Large physical exposure and attack surface.
• Railway systems are always a mix of technology. You don’t build the whole network at one time so it’s a quilt of mixed products installed over decades.
• Regulation is intense. Every step of development from development to testing to operating must be guaranteed on the highest level.
• Securing many items that were never designed for railways in the first place embedded within the rail network.
• Integrating this far-reaching security system into very stable decades-old systems without any compromise on safety or reliability 

Simply put, “Cybersecurity is the flip side of digitalization,” Eddie notes. With rail systems often remaining in operation for three decades, maintaining a delicate balance between integrating new technologies and ensuring safety and reliability becomes paramount.

“I have to say that regulation is absolutely necessary,” said Eddie. “We may not like it because it creates constraints, but it’s absolutely necessary. And we welcome norms, we welcome standards, we welcome policies because it’s a very good opportunity to establish common languages and enable sharing across the industry.” 

Working directly with various agencies to issue regulations that properly reflect the needs of the industry, they view compliance as setting a standard and norm. This is critical when you have various OEMs building highly complex devices that may need to interact with one another in mission-critical environments.

To achieve this, Alstom implemented three internal protocols:

• Adjust design principles and development processes to ensure the products will be able to remain cyber resilient into the future.
• Instill confidence by implementing training and processes to continuously reduce risk to operators and customers of existing trains. “Our customer will not understand if we say to them we can protect the future new train, but the one that we sold a couple of years ago is too old, too outdated, too whatever,” said Eddie. They need to make sure that the products are ready for whatever changes may come in the future.
• Maintain systems into the future. This is achieved by acknowledging that threat landscapes change and it is very possible that a team will have to come around and reimagine the cybersecurity controls of a system at a later time. 

All of this is driven by a risk-based approach ensuring security and quality at every level.

As the digital era unfolds, Eddie Thesee is particularly excited about new approaches like zero-trust. “We are doing system integration at a level that you cannot imagine the number of various providers that we may have to deliver a metro People mover, a lot of components,” he explains. Zero-trust, a concept well-established in other sectors, is a novel addition to rail systems, emphasizing the need for constant verification and scrutiny.

Machine learning and AI also play a pivotal role in addressing the challenges posed by the massive amount of data processed and transmitted within the rail ecosystem. However, implementing these systems requires profound railway expertise, considering the diverse components and the cross-country nature of rail networks.

To equip the industry with the necessary expertise, Alstom has taken a proactive step by establishing a Cyber Academy. Eddie Thesee envisions great things from this academy, especially in terms of revolutionizing the learning process. “We really need to train, we need to put learning on, we will need to have more, way, more simple way,” he emphasizes.

The Cyber Academy aims to break down the complexities of cybersecurity, ensuring that everyone involved in the railway system, from maintainers to supervisors, understands the criticality of their actions concerning cybersecurity. The goal is to simplify the learning process, making it accessible to a wider audience and reinforcing the importance of cybersecurity across the railway industry.

In the ever-evolving realm of rail cybersecurity, Eddie Thesee’s journey reflects the industry’s commitment to innovation, adaptation, and a secure future. The complexities of modern rail systems require a multifaceted approach, blending technology, regulation, and education. As we ride the digital rails into the future, the lessons learned from Alstom’s experience provide a valuable blueprint for securing the next era of sustainable and smart mobility.