India has the fourth longest railway network in the world, and the Center for Railway Information Systems (CRIS), the ICT arm of Indian Railways, has been the driving force behind a slew of technological innovations introduced as part of the government’s Digital India initiative. Securing this large ICT infrastructure is also one of the biggest responsibilities of CRIS. Express Computer finds out about the new initiatives taken by CRIS.
Driving digital outlook for railways
The collaborative model of working ensures the delivery of cost-effective, sustainable and secure information systems. This autonomous body has been successful in using cutting-edge technologies in practical ways to deliver workable IT solutions for the Railways in many areas, while ensuring information security through regular security audits of these new digital services and projects. These include the development of ticketing on mobile phones, tracking of trains in real time through GPS, tracking of rolling stock using radio frequency identification (RFID), setting up a geo-spatial database for the Railways, and setting up a state-of-the-art data centre to house the Railways’ IT system.
CRIS’s approach focuses on new ways of conducting business by combining IT innovation and adoption, while leveraging an organization’s current IT assets. It works with the Indian Railways to conceive prudent technology and security strategies and build new services in today’s dynamic digital environment. The firm believes that by going digital it can unlock far more than the currently utilized capacity of the available infrastructure.
Importance of security audits
All kinds of audits, including information security audits, are equivalent to measuring the health, status, work done and posture of info-security; as the famous saying goes, “We can’t fix / improve what we can’t measure”. Also, everything involving humans tends to slip with time. So (independent) audits are a must to verify every claim made about mitigating info-sec risks, whether by insiders or outsiders to the organization. Without periodic audits, “ignorance will be bliss” for the business until a risk actually occurs. After the audits, fixing the compliance issues as soon as possible is equally or even more important. The security group also follows up on this part through re-audits.
The security group of CRIS, the ICT arm of Indian Railways, ensures information security in all layers of the IT infrastructure. Security audits of development tools and applications against standards and compliance requirements are also a key focus of CRIS. As the technical R&D team keeps rolling out new applications, the key task of CRIS’s security arm is to ensure the security of digital services before the applications are made live. It audits all applications regularly and keeps giving developers feedback on the risks attached to them. Another area is conducting on-demand audits of changes in applications. At times Indian Railways also asks CRIS to do these on-demand software audits, especially in the case of web-based applications for public users.
Today automation is touching every part of large organisations, and Indian Railways is also driving the change. CRIS feels there is huge scope for automated self-audit tools. Hence, it has implemented automated self-audit SAST tools from reputed OEMs for the development teams to check code for security issues. It is also implementing a SAST tool in the next few months, through which application developers will get instant feedback on their coding issues. These are part of our “secure coding” push, so that later audits do not have major issues to fix.
Besides internal and independent audits, to make the security audits more proven, CRIS has decided to move the external audit work from STQC, the audit arm of MeitY, since the past three years. CRIS has also proposed to shift the external audit tasks from STQC to private-party auditors. The private audit agency will be selected from among the 20-odd CERT-In empanelled agencies.
Use of Artificial Intelligence (AI) in security
According to CRIS, in the area of information security systems, data correlation (SIEM) and analytics (threat intelligence) may be adequate for now, as these are software driven and advance as needs evolve. AI may help in automated correlations and risk-cost-adjusted actions based on those results, but there can be major pitfalls in terms of potential business, customer and reputation losses due to actions unsupervised by human experts. Any kind of AI system that can learn from the collected data analytics, correlations and human experts, and predict possible security breaches in real time, will have potential. Identity, access, recognition, non-invasive VAPT, etc. may benefit from AI, by reducing their need and the false positives.
Going the Cloud way
Indian Railways is looking to move some of its web-based applications to the Cloud, both to a private Cloud and to the MeitY-approved Indian public Cloud providers. CRIS has started gearing up for this new move and is now holding discussions on the applications that can be hosted on the Cloud and their security architecture. CRIS is also trying to migrate the existing datacenter to include a Cloud layer, making it a private Cloud for Indian Railways. This move will help CRIS unlock far more than the currently utilized compute and storage capacities of the available infrastructure. With new tech advancements, CRIS is looking at data security on the Cloud more deeply, as systems will be operating 24×7 across geographies. It will build new applications such as Assets and Master management solutions on the Cloud.
Role of security group at CRIS
In the opinion of CRIS, Indian Railways is looking at the Cloud as an applications facilitator. The Railways expects that the Cloud will speed up the delivery of applications and that response times will improve. From the info-security perspective, threats will keep coming up even on the enhanced Cloud technologies. The CRIS security team thinks it has to learn new techniques to protect the same or improved infrastructure on the Cloud.
With the new technology shift and the digital assets of Indian Railways growing multi-fold, CRIS has proposed setting up a Security Operation Centre (SOC) for Indian Railways in this budget. It will monitor the multi-lakh PCs and network devices used across ‘RailNet’ for any malware attacks and unauthorised access to the systems. It will also monitor incidents in the ICT infrastructure and send alerts to both users and back-end teams for incident control and mitigation. But as CRIS knows well, the Railways’ priorities are first the safety and security of train running; hence on the IT side too, services get the first focus, followed by info-security. The total IT budget of the Railways is in the range of ₹3,000 crore, out of a balance sheet of ₹2 lakh crore. Out of that IT budget, info-security gets about two per cent allocation as of now. CRIS is now getting an earmarked budget for information security; earlier it was within the IT budget. Lastly, it has proposed a fresh set of ICT and cyber security policy guidelines to the Railway Board for review.