In November 2019, Eylem Thron, Senior Consultant - Human Factors, was invited to speak to the Institution of Railway Signalling Engineers about the importance of personas when planning digital resilience in the rail sector.
From online booking and onboard WiFi, to signalling technologies and remote condition monitoring, digital technologies are transforming day-to-day rail operations.
But as the industry becomes more digitally oriented, so it must also prove itself ever-more resilient to the wider range of vulnerabilities that will emerge.
Cyber security, with its focus on protecting IT systems, is only part of the equation. To be a truly resilient a system must also account for the risks that lie within almost every interface between information networks and human users, including the vast majority of interactions that are non-malicious in nature.
This broader threat landscape calls for analysis that extends beyond the typical “fear appeal" approach to security and utilises techniques such as persona modelling and scenario planning.
Lodz tram incident 2008: An early warning
Consider a widely reported 2008 incident in the Polish city of Lodz. Twelve people were injured when a 14-year-old student was able to hack into the city’s tram system and, using a modified TV remote control, interfere with track points at junctions, resulting in the derailment of four vehicles. The teenager later told police his actions had only been intended as a prank and he had not foreseen the harm he could cause. In subsequent media reports he was described as an electronics enthusiast by his school teachers and was found to have trespassed in the tram depots and studied the network junctions.
One explanation for his relative ease in circumventing existing security measures is that previous planning simply did not see the attack coming.
Assuming its most serious threats lie in sophisticated remote cyber-attacks, the tram network had not accounted for a local enthusiast seeing their system as a challenge to test their self-taught coding skills.
Attackers are human too
Applying a Human Factors approach to network security planning would introduce the concept of personas to the development of threat profiles. Speaking recently to the Institute of Railway Signalling Engineers’ Aspect Convention, Eylem Thron, Human Factors Senior Consultant, Ricardo, explained the findings of research she has been leading in partnership with the University of Bournemouth into how the use of personas can improve our understanding of the behaviours of users who, intentionally or not, will exploit weaknesses within the system.
An engineer’s view of a system is not the same as an attacker's
“Attackers are human after all and central to Human Factors thinking is the assessment of human characteristics – goals, skills, limitations, motivations - to develop personas,” explains Eylem. “In security engineering, responses are usually focused on the assumed threat, or the ‘fear appeal’. But this can overlook actual evidence,” she says.
“As with the incident in Lodz, vulnerabilities can go unseen for the simple reason that an engineer’s view of a system is not the same as an attacker's.”
“For example, a strong but complex password might be an appropriate protective measure from a security perspective. However, a Human Factors engineer would recognise the cognitive load this might have in different contexts, and how it might rationally lead to violations. Such violations may have non-malicious intentions but, in the right context, can lead to an exploitable vulnerability.”
By modelling personas, engineers can begin to understand the skills, workloads, motivations and behaviours of a range of potential actors - from individuals to nation states. These can be used to not only identify vulnerabilities that may be otherwise missed in normal security assessments, but such 'design research' might also lead to new insights and opportunities for innovation.
“In Human Factors”, says Eylem, “We seek to find technical solutions that improve security and usability, rather than blocking it. Rather than just ensuring certain tried-and-tested physical or digital measures are in place, we look to close down risks by approaching the situation look from a human viewpoint.”
Working with Bournemouth University, Eylem has led a project to model personas for a major rolling stock manufacturer using an open source tool called CAIRIS.
Not only did the exercise rationalise existing assumptions, it also helped to identify new vulnerabilities by intersecting safety, security and usability issues. The outcome for the client was a richer understanding of the threat landscape for its products, which enabled them to develop responses during early design stages.
“An engineer’s goal for a system is for it to work, and that it is safe and secure. But they can’t be expected to account for every variable. How they view a system is very different to how an attacker might see it, or even from the point of view of a user who is unable to follow act in the manner intended”, says Eylem.
“Our work developing personas has shown it is possible to think about a much broader range of potential risks, and to account for the threats without impacting on user experience. The objective is to provide not just a secure system, but a usable one too".
For more information about the topics raised in the presentation to the IRSE, please contact Eylem directly
Click here to read more about our digital resilience services for the rail sector
Author: Dr. Eylem Thron, Senior Consultant - Human Factors