
Cybersecurity in tunnel operation and management
In the world of mobility, Technolution is mainly known for traffic management. Not many people are aware that Technolution has, for some years now, had a dedicated business unit focused on cybersecurity. This business unit delivers high-end, high-assurance cybersecurity solutions to clients such as the Ministry for Defense and other government departments. Technolution’s expertise in traffic management and in cybersecurity comes together in tunnel operation and management.
It really is no surprise that Technolution is active in this domain, says Andre Nijholt, Technolution’s tunnel operation and management specialist: “We’ve always been an IT organization that works in operational technology. Now that we have acquired knowledge of high-end cybersecurity solutions, we want to use this for tunnel operation and management as well.”
System with vulnerabilities
Willem de Boer, Information Security Officer at Technolution, explains what the situation is in many tunnels: “There are many suppliers of IT and OT products used in tunnel operation and of things such as cameras, barriers, ventilators, and sprinklers. All these suppliers have a system that allows them to remotely access the tunnel for service and maintenance. This remote monitoring is very important. But it does have one great disadvantage: you open the backdoor in terms of cybersecurity. In addition, these systems often run in multiple tunnels. If you’ve infiltrated one system, you can often access several of them.”
Before De Boer describes the solution Technolution has developed, Nijholt briefly explains how tunnel operation and management works. “Tunnel operation takes place 24/7, remotely from a traffic control center. It involves making part of the operation of the tunnel – the monitoring – available to the traffic control center. This part often consists of packages on a standard Windows platform that we prefer not to update any longer because it is prone to error. This means the system does have vulnerabilities. It is physically closed, but can be accessed easily through the network.”
Security by design
Technolution argues that ‘security by design’ should be applied to tunnel operation, and that the right security measures should be included in the design itself. Nijholt: “We have a security-enhanced (SE-Linux) operating system for this, which has security as standard. We then make this system watertight and run our software on it. In this way we ensure that nobody can take over control. The system can be renewed at any moment, on the one hand by adding new functionalities, and on the other by applying new security patches. Doing this ensures your knowledge of the operating and management system remains up to date and doesn’t become obsolete, as is often the case in traditional situations.”
Technolution has no control over the cybersecurity of suppliers of, for example, cameras or barriers. But Nijholt and De Boer don’t think this poses much of a problem. “Our operating system is the outward-facing system. The other partial systems are all behind it. Any malicious actors will have to hack our heavily secured system first before they can access the systems behind it.” Two new large tunnels have since been fitted with Technolution’s system, the Gaasperdammertunnel on the A9 and the Blankenburgverbinding on the A24. In the meantime, Technolution is focusing on existing tunnels with operating and management systems that are due for renovation over the coming years.
Sense of urgency
De Boer says that Rijkswaterstaat clearly has a sense of urgency with regard to the cybersecurity of tunnel operation and management. “The real problem is that the market is slow to pick up on this. There is often a lack of knowledge and uncertainty as to what the best approach is. In addition, the trade-off between security requirements and availability is a real challenge, because tunnels should normally be open 24/7. We can help remedy the lack of knowledge; contact us for more information if you need it.” And there is another incentive to action, says De Boer: the NIS2 law. “This stipulates that everyone who deals with critical infrastructure is obliged to invest more in cybersecurity and cyber resilience. This also applies to the mobility sector, and that includes tunnels.”
Datadiode and VPN
This brings De Boer to the solutions that Technolution has to offer for tunnel operation and management: datadiodes and secure VPN-type connections. “These secure connections make it possible to give people access only on a ‘need to be’ basis. This can very easily be applied to remote tunnel maintenance, by giving only authorized suppliers access at the times that they need it.” Datadiodes further enhance the cybersecurity of the tunnel. De Boer: “A datadiode allows data transmission only in one direction; the other direction is fully shut off. In the case of a tunnel, datadiodes can ensure that data is only allowed to exit the system. This means you can receive monitoring data 24/7, while no one can use this connection to infiltrate the tunnel system. The combination of secure connections and datadiodes offers very robust security for tunnel operation and management.”
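A one-way link has no return path, so the side receiving monitoring data can neither acknowledge frames nor ask for a retransmission; it has to validate each frame on its own and infer loss from sequence numbers. The receiver below is an added example, not Technolution's code, and its frame format, key and telemetry values are constructed for illustration:

```python
"""Receiver for telemetry arriving over a data diode (constructed example).

No traffic can flow back through the diode, so the outside receiver must
authenticate every frame itself, count frames that never arrived, and
refuse late or replayed ones.  Frame layout (invented here):
    <JSON body with "seq" and "data">|<hex HMAC-SHA256 over the body>
"""
import hmac, hashlib, json

SHARED_KEY = b"example-key-not-for-production"  # constructed value

def make_frame(seq: int, payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender side (tunnel network): serialise and tag one monitoring frame."""
    body = json.dumps({"seq": seq, "data": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()

class DiodeReceiver:
    """Outside side: accepts only authentic, strictly increasing frames."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected_seq = None   # next sequence number we expect to see
        self.accepted = []         # payloads handed on to monitoring
        self.rejected = 0          # malformed, forged, or replayed frames
        self.lost = 0              # frames that never arrived (gaps)

    def receive(self, frame: bytes) -> bool:
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            self.rejected += 1
            return False
        good = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(good, tag):   # forged or corrupted frame
            self.rejected += 1
            return False
        try:
            msg = json.loads(body)
            seq = int(msg["seq"])
        except (ValueError, KeyError, TypeError):
            self.rejected += 1
            return False
        if self.expected_seq is not None:
            if seq < self.expected_seq:          # late duplicate or replay
                self.rejected += 1
                return False
            self.lost += seq - self.expected_seq  # gap: no way to re-request
        self.expected_seq = seq + 1
        self.accepted.append(msg["data"])
        return True
```

Loss can only be counted, not repaired, which is why senders on diode links typically repeat frames or send periodic full-state snapshots.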