A cyber attack could have a deleterious impact on Sydney’s still-expanding metro network, and a single facility stands ready to combat threats.
Paris has it and so do Hong Kong, Singapore and Dubai. In May 2019, Sydney joined these cities with its own driverless, fully automated metro rail system.
However, increased automation and greater interconnectedness make such networks more vulnerable to cyber attacks. The sheer spread of railway networks over hundreds of kilometres make them particularly challenging to secure.
There are instances of this happening overseas. Over two days in August 2023, more than 20 trains in Poland came to a halt with the railway’s frequencies carrying the Russian National anthem and a speech by President Vladimir Putin. Fearing it was a cyber attack, Polish securities scrambled to find the cause of the problem – only to discover there was nothing “cyber” about this incident. The perpetrators had broadcast a basic three-tone radio message to the Polish railway’s unencrypted network to interfere with the trains.
There are also “old-school” physical attacks, as happened in Germany in 2022 when fiber optic cables were intentionally severed, disrupting rail traffic in the country’s north.
Sydney Metro’s network is managed from a central facility in Tallawong in the city’s northwest. Here, operators keep a close watch on the 3500 cameras across the network, as well as the signalling and communications systems. The communications and control systems helping to run all aspects of this standalone railway network are part of a closed system and, as a safeguard, have no external connections.
Marie Patane, Sydney Metro’s Executive Director, Enterprise Security, detailed to create the steps taken by the rail network to keep it cyber-secure.
How do you view the growing cybersecurity threat landscape?
Marie Patane: “Cybersecurity threats are increasingly targeting critical infrastructure globally, with both IT and operational technology (OT) systems at risk. The convergence of these systems has expanded the potential risk, introducing new challenges in protecting business functions.
“For Sydney Metro, safeguarding the operation of metro services is a top priority. As we depend on OT systems, any security improvements must be implemented carefully to maintain safety, reliability and efficiency.
“We’re also monitoring the growing risk of cyber attacks on supply chains. Breaches within the supply chain could potentially affect Sydney Metro, so we’re working to ensure our partnerships are secure.
“Our people play a critical role in this defence, as cybercriminals increasingly target employees using sophisticated AI-driven tactics. Ongoing awareness and training are essential to protect against these emerging risks.
“While the threat landscape is challenging, we see it as an opportunity to stay ahead by being proactive and adaptive in safeguarding our systems.”
How are cyber threats informing the way engineers and project managers design and build your projects?
“Cybersecurity is a key consideration in every phase of our project design and implementation. From the outset, we conduct thorough risk assessments to ensure that security is integrated into both the system’s design and its lifecycle.
“We adhere to international standards, such as IEC62443 and CENELEC 50701, and continuously assess and adjust security practices to keep pace with evolving cyber threats. By incorporating security at every stage, from design to operational readiness, we ensure that our systems remain resilient and secure throughout their lifespan.”
What are some good security practices and how do you adopt cyber hygiene?
“At Sydney Metro, we embed cybersecurity principles right from the design phase to ensure that we’re always thinking ahead about risks. We have robust frameworks in place to regularly assess and address cybersecurity threats.
“Our approach includes continuously monitoring and updating security measures, informed by real-world security data. We also focus on fostering a culture of cyber hygiene across the organisation, through training, awareness programs and strict adherence to security protocols.
“Strong leadership is key to raising awareness about cyber risks at all levels, ensuring everyone understands their role in keeping the organisation secure.”
How do you harden your operation against cyber attacks?
“To protect against cyber threats, Sydney Metro focuses on two key areas: leadership engagement and technical expertise. We ensure that senior leaders are fully aware of cybersecurity risks and understand the steps required to mitigate them.
“We follow international security standards as a baseline, but our security strategy is tailored to address specific risks and evolving threats. Regular testing and response drills are also essential to maintaining a high level of preparedness – a quick, coordinated response can make all the difference.”
What are the skills required by engineers and technical staff to better deal with cyber threats?
“A strong understanding of both IT and OT technology is essential for engineers and technical staff dealing with cybersecurity. In addition, the ability to communicate complex issues clearly is important, ensuring that everyone throughout Sydney Metro understands the risks and how to manage them effectively.”
In this EA OnDemand webinar, a cyber defence expert outlines how to strengthen cybersecurity practices in engineering.
