2021 has been chosen as the European Year of Rail by the European Commission. The initiative aims to highlight the benefits of rail as a sustainable, smart and safe means of transport to support the delivery of its European Green Deal objectives in the transportation field.
Cybersecurity is a key requirement to enable railways to deploy and take advantage of the full extent of a connected, digital environment.
However, European infrastructure managers and railway undertakings face a complex regulatory system that requires a deep understanding of operational cybersecurity actions. In addition, European rail is undergoing a major transformation of its operations, systems and infrastructure due to digitalization, mass transit and increasing interconnections. Therefore, the implementation of cybersecurity requirements is fundamental for the digital enhancement and security of the sector.
ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, joined forces to organize a virtual Conference on Rail Cybersecurity. The conference took place virtually over two days (March 16-17) and brought together more than 600 experts from railway organizations, policy, industry, research, standardization and certification.
In November 2020, ENISA released a report on Cybersecurity in Railways assessing the implementation in Member States of the Networks and Information Security Directive (NIS Directive), the first EU-wide cybersecurity legislation working to enhance cybersecurity across the Union. The ENISA publication points to the numerous challenges experienced by operators of essential services when enforcing the NIS Directive, including:
- an overall lack of cybersecurity awareness in the sector and challenges of operational technology;
- a strong dependency on the supply chain;
- the presence of legacy systems;
- complexities due to the high number of systems to be secured and managed;
- conflicts between safety and security mind-sets.
The conference heard how the European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages awareness-raising of railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the conference participants. Cybersecurity is now a major concern for National Safety Authorities. The French rail safety authority, l’établissement public de sécurité ferroviaire (the EPSF) has compiled the related challenges in a white paper, jointly with the French IM and main RU, the French Cybersecurity Agency, ANSSI and ERA.
The Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the promising Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA. Railway stakeholders expect the technical specification to lay the foundations of a common risk analysis methodology. As demonstrated by the case study proposed by the Italian railway stakeholders, such methodology will link the security analysis to the safety case.
The joint undertaking Shift2Rail has gained maturity, and the Technical Demonstrator 2.11 on cybersecurity will soon demonstrate the applicability of their findings on specific projects such as Automatic Train Operation or Adaptable Communication Systems.
The conference also heard that technical interoperability standards for EU railway automation are being proposed for consideration in the railway regulatory framework, proposing “secure by design” shared railway services. In addition, The International Union of Railways (UIC), recently launched a Cyber Security Solution Platform, taking a pragmatic approach in building a solutions catalogue to risks and vulnerabilities identified by railway users.
The European Railway-ISAC is attracting an increasing number of participants willing to share concerns or even vulnerabilities to trusted members and ensuring a collective response to the cybersecurity challenge. An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing for identified threats to be instantly shared with targeted railway stakeholders.
With such developments, the railway industry, represented by the European Rail Industry Association (UNIFE), discussed how ready the sector is to increase the level of cybersecurity. At the conference, UNIFE highlighted several priorities, such as: the approval and usage of the TS 50701, the need for adequate certification schemes on product level,the need for specific protection profiles on interface-specific devices and subsystems. This would allow for a more harmonized approach for manufacturers and system integrators.
Conference participants voted on topics to be discussed at future events, whether virtual or in-person. These included new technologies; cyber risk management for railways; cyber threat landscape; the update of Technical Specifications for Interoperability; cyber skills and training and cyber incident response.