Indian Railways Should Secure Data Before Monetising It

by Srinivas Kodali - May 27, 2016 06:46 PM +05:30 IST
Indian Railways tickets (NARINDER NANU/AFP/Getty Images)
  • Now that Indian Railways has decided to monetise its data, it needs to catch up on ensuring cyber security

IRCTC may or may not have been hacked; the railways doesn’t need to tell you about it because there are no mandatory disclosure laws in India. Indian Railways (IR) has other portals for ticket reservations; IRCTC is just one of the major public-facing portals. Most of these railway portals are still running on unsecured protocols. They don’t use any sort of security certificates yet and thus fall prey to hackers easily.

It is no secret that the railways has bugs in its portals; the infamous bug of the captcha being text is always laughed about in Quora and Reddit threads. If you are a railway fan and are familiar with the Indian Railway Fan Club Association, you would know how the moderators had to block people posting internal data from the Integrated Coaching Management System, an internal portal of the railways.

OTAs (Online Travel Aggregators) exploit several security bugs and hit railway servers constantly, mining thousands of data records. Some even decrypt encrypted content in violation of the IT Act. They are even monetizing real-time railway data in breach of the limited permissions to use it. You can’t possess any railway property illegally according to the Railways Property (Unlawful Possession) Act 1966; it follows that railway data is its property too. Right now, data like train status, PNR status and ticket availability would fall under public data. But OTAs accessing it using exploits in code makes the data illegal, irrespective of it being public already. These practices of OTAs could prove potent at a time of disaster.

When Estonia was attacked, it showed the world how impactful cyber-warfare can be. Everything from banking to communications was hit. When Snowden made the revelations about the scale of NSA security snooping, every other government started strengthening its IT infrastructure and started using the same tactics as the NSA. The Chinese are not far behind the Americans and often use their Great Firewall for both censorship and attacks.

Railways is critical infrastructure to the nation; any weakness therein can be a serious threat. Realizing that, IR came up with a Basic Security Policy in 2008. But a recent CAG report from 2015 on IT infrastructure for crew management points out that almost 90-100% of employees use the same password, sidelining the system designed for role-based access management. Several contract workers are provided with the same username and password, defying the whole logic of the policy.

The way the railways is using Information Technology to reach people and help them over social media is astonishing, but at the same time there is no place for someone to report security bugs to the officials. Bug bounty programs are often used by the industry to address its security problems using the expertise of hobbyists and professional security experts. In the current budget year, Indian Railways is spending 50 crores to fund innovations in the space of data, part of which focuses on cyber-security, according to Mr. Suresh Prabhu.

What the railways is forgetting to understand is this: buying a cyber-security solution is not going to solve its problems. It is the culture in CRIS which needs to change. The minister has been emphasizing the importance of change in the 150-year-old organization. If it intends to tackle cyber-security, it needs to improve CRIS personnel. Railways can set an example by building an expert IT team to help CRIS and re-innovate itself. The web moves really fast; today’s security is tomorrow’s vulnerability, and the railways needs to start adapting to it.

Railways recently started adopting the National Data Sharing & Accessibility Policy (2012) to an extent; the chief data officer for railways has opened up some of the train time tables (around 2800 trains) on the Open Government Data Portal. The policy requires datasets to be classified into public, private and restricted data. It is high time the railways started improving its data practices, releasing open data and open APIs, and closing security loopholes around sensitive information by potentially adopting a bug bounty program. It is necessary for the railways to secure its data before it tries to monetize it.

Srinivas Kodali is an independent researcher focusing on Intelligent Transportation Systems, with interests in cyber-security. In the past he was at the Intelligent Transportation Systems Laboratory, IIT Madras, as a project associate.
