Christian Schlehuber DB Netz AG at the Intelligent Rail Summit 2017

WannaCry virus was ‘wake-up call’ for railway industry

The infection of the Deutsche Bahn systems by the WannaCry virus earlier this year was a wake-up call for the management of Deutsche Bahn, explained cyber security expert Christian Schlehuber from DB Netz AG during the Intelligent Rail Summit 2017 in Vienna. The incident received international media attention as passenger information screens at train stations were infected with the virus.

In May this year, Deutsche Bahn was hit by the WannaCry virus, in which hackers placed a text demanding ransom money on the passenger information screens at stations. The negative attention and the impact of this incident on the organisation opened the eyes of Deutsche Bahn’s management, Christian Schlehuber explained.

Cyber attacks

Drawing on lessons from the incident, Deutsche Bahn has made a plan that tightens security and sets out a response to potential future cyber attacks. “Although none of the critical systems were affected, for our management it was good to see what can happen with the WannaCry virus. After the infection, everyone was alive to the danger. Security has become one of the biggest priorities for our management. We have also expanded our cyber security team and there are still a number of open vacancies.”

In the week after the virus infection, an analysis of what had occurred took place within Deutsche Bahn. Schlehuber: “From this analysis it emerged that our Computer Security Incident Response Team had discovered the WannaCry virus at a very early stage. This happened in the middle of the night. It tried to contain the infection but as no response plans for such an infection were in place, the required responsible persons could not be reached.”

Incident management

Schlehuber explained that Deutsche Bahn’s most important systems, the track safety and interlocking, were not affected. “What was clear is that we had various challenges in terms of employee responsibilities within the organisation and the incident management processes.”

According to cyber security experts, the WannaCry virus was contracted via systems still working on Windows XP that had had no security updates for ten years. These systems were in a protected environment, which employees were not permitted to access. After the attack, the organisation immediately updated the systems.

Disaster procedure

During the conference, Lovan Pushparatnam, head of Systra’s telecom department, emphasised that the processes for cyber attacks must be part of the disaster procedures for rail companies. “Cyber attacks must be treated just as seriously as train accidents. The handling after train accidents and after cyber attacks is quite similar.” According to Pushparatnam, there is now evidence of a shift in which, slowly but surely, rail companies are including cyber security in their general safety and security policy.

Pushparatnam: “It’s all about awareness. A few years ago I tried to get approval for a business case for cyber security measures in our company. Like most internal processes, this process took a very long time. When the WannaCry virus hit the headlines, our director exclaimed that we ‘must do something’. I responded that I already had a plan prepared, but had not received the go-ahead to implement it.” Pushparatnam immediately got approval from the management to put the plan into practice. “You can see that people are more aware of the available technologies, and the media attention helps too.”

Involve stakeholders

Pushparatnam underlined that when defining and determining the policy, it is important to involve all stakeholders. “It’s not about a couple of nerds in the corner. All levels of the organisation must be involved. They must all look at the processes and activities and see how they are related to cyber security. Technology is one element, but processes and people are more important.”

David Rogers from Siemens: “You can see that there are a number of cyber security approaches that are not aligned. This must happen on the European rail corridors, at least. There has to be a shared understanding of this subject, as it’s crucial. WannaCry was perhaps a wake-up call that will help to speed up cyber security measures. The rail sector wants to digitalise, but this needs to be done in a secure way.”

Cultural change

Schlehuber: “The track is a European system. Trains go from Germany to France, and so on. We have to find solutions for all European partners and perhaps ones that can be employed across the globe. That means that we must find a solution that complies with the law and needs of all those partners and that is a big challenge.”

Pushparatnam: “The culture in the rail industry is also a problem. In the rail sector, we have a tendency to be reactive to incidents. If an accident occurs, we change track safety. If a cyber attack happens, we take action. We have to change this culture and way of thinking, and be more pro-active.”

Author: Marieke van Gompel

Marieke van Gompel is editor-in-chief of, and, online magazines for railway professionals.
