31 May 2016

Indian Railways Should Secure Data Before Monetising It

May 27, 2016

Now that Indian Railways has decided to monetise its data, it needs to catch up on ensuring cyber security

IRCTC may or may not have been hacked; the railways doesn’t need to tell you about it, because there are no mandatory breach-disclosure laws in India. Indian Railways (IR) has other portals for ticket reservations; IRCTC is just one of the major public-facing ones. Most of these railway portals still run over unsecured protocols and don’t use any kind of security certificate yet, so they fall prey to hackers easily.

It is no secret that the railways has bugs in its portals; the infamous bug of the captcha being served as plain text is a running joke in Quora and Reddit threads. If you are a railway fan and are familiar with the Indian Railway Fan Club Association, you would know how the moderators had to block people posting internal data from the Integrated Coaching Management System, an internal portal of the railways.

OTAs (Online Travel Aggregators) exploit several security bugs and hit railway servers constantly, mining thousands of records at a time. Some even decrypt encrypted content, in violation of the IT Act. They are also monetising real-time railway data beyond the limited permissions they were given to use it. You can’t possess any railway property illegally according to the Railways Property (Unlawful Possession) Act, 1966; it follows that railway data is its property too. Right now, data like train status, PNR status and ticket availability would count as public data. But when OTAs obtain it by exploiting flaws in the code, that access is illegal, irrespective of the data already being public. These practices of OTAs could prove especially dangerous at a time of disaster.

When Estonia was attacked, it showed the world how impactful cyber-warfare can be: everything from banking to communications was hit. When Snowden made the revelations about the scale of NSA snooping, every other government started strengthening its IT infrastructure and adopting the same tactics as the NSA. The Chinese are not far behind the Americans and often use their Great Firewall for both censorship and attacks.

Railways is critical infrastructure for the nation, and any weakness in it can be a serious threat. Realising that, IR came up with a Basic Security Policy in 2008. But a 2015 CAG report on the IT infrastructure for crew management points out that almost 90-100% of employees use the same password, sidelining the system designed for role-based access management. Several contract workers are given the same username and password, defeating the whole logic of the policy.

The way the railways is using information technology to reach people and help them over social media is astonishing, but at the same time there is no place for someone to report security bugs to the officials. Bug bounty programs are often used by the industry to address its security problems using the expertise of hobbyists and professional security experts. In the current budget year, Indian Railways is spending 50 crores to fund innovations in the data space, part of which focuses on cyber-security, according to Mr. Suresh Prabhu.

What the railways fails to understand is this: buying a cyber-security solution is not going to solve its problems. It is the culture in CRIS which needs to change. The minister has been emphasising the importance of change in the 150-year-old organisation. If it intends to tackle cyber-security, it needs to improve CRIS personnel. The railways can set an example by building an expert IT team to help CRIS reinvent itself. The web moves really fast; today’s security is tomorrow’s vulnerability, and the railways needs to start adapting to it.

The railways has recently started adopting the National Data Sharing & Accessibility Policy (2012) to an extent; the chief data officer for the railways has opened up some of the train timetables (around 2800 trains) on the Open Government Data Portal. The policy requires datasets to be classified into public, private and restricted data. It is high time the railways started improving its data practices: releasing open data and open APIs, and closing the security loopholes around sensitive information, potentially by adopting a bug bounty program. It is necessary for the railways to secure its data before it tries to monetise it.
