Miles Berger posted an update 8 years, 9 months ago
Indian Railways Should Secure Information Before Monetising It
IRCTC may or may not have been hacked; because there are no mandatory breach-disclosure laws in India, the railways doesn't need to inform you about it. Indian Railways (IR) has other portals for ticket booking; IRCTC is only the biggest public-facing one. Most of these railway portals still run over unencrypted protocols and don't use TLS certificates yet, which makes them easy targets for attackers.
It is no secret that the railways' portals have bugs; the infamous captcha that was rendered as plain text is openly laughed about in Reddit and Quora threads. If you are a railway enthusiast familiar with the Indian Railway Fan Club Association (IRFCA), you'll know how its moderators had to block people who were posting internal data from the Integrated Coaching Management System (ICMS), an internal portal of the railways.
OTAs (Online Travel Aggregators) exploit several security bugs and hit the railway servers continuously, mining thousands of records. Some even decrypt encrypted content, in breach of the IT Act. They are also monetising real-time railway information beyond the limited permissions they have to use it. Under the Railways Property (Unlawful Possession) Act, 1966 you cannot possess railway property unlawfully, and railway information is its property too. At present, information such as train running status, PNR status and ticket availability counts as public data, but when OTAs obtain it by exploiting flaws in the code, the acquisition is illegal irrespective of the data already being public. These practices could prove damaging at a time of disaster, when the same servers are under the heaviest legitimate load.
When Estonia was attacked in 2007, it showed the world how much impact cyber-warfare can have: everything from banking to communications was hit. When Snowden made his disclosures about the scale of NSA surveillance, every other government began reinforcing its IT infrastructure and adopting the same strategies as the NSA. The Chinese, who often use their Great Firewall for both censorship and attacks, aren't far behind the Americans.
Railways is critical infrastructure for the nation, and any weakness in it is a serious threat. Understanding that, IR drew up a basic security policy in 2008. However, a 2015 CAG report on the IT infrastructure for crew management points out that almost 90-100% of employees use the same password, sidelining the system designed for role-based access control. Several contract workers are even given the same username and password, defeating the whole logic of the policy: with a shared credential the system cannot tell who did what, and one leaked password opens every account that uses it.
At the same time there is no place for anyone to report security bugs to the officials, even though the way the railways uses information technology to reach people and help them over social media is impressive. Bug bounty programs are commonly used by the industry to address security problems with the expertise of professional security researchers and hobbyists. In the current budget year, Indian Railways is spending 50 crore to fund innovation in the information space, part of which focuses on cyber security, according to Mr. Suresh Prabhu.
What the railways fails to understand is this: buying a cyber-security product is not going to solve its problems. It is the culture at CRIS (Centre for Railway Information Systems) that needs to change. The minister has been stressing the importance of change in the 150-year-old organisation. If it means to handle cyber security, it needs to improve CRIS itself. The railways can set an example by assembling an expert IT team to help CRIS re-innovate itself. The web moves extremely fast; today's security is tomorrow's vulnerability, and the railways has to start adapting to that.
The railways has lately started adopting the National Data Sharing &amp; Accessibility Policy (2012) to an extent; the chief data officer for the railways has opened up some of the train timetables (around 2,800 trains) on the Open Government Data portal. The policy requires datasets to be classified as restricted, private or public. It is high time the railways started releasing open data and open APIs, improving its information practices, possibly by adopting a bug bounty program, and closing the security loopholes around sensitive information. The railways needs to secure the information it holds before it tries to monetise it.