ENISA, the European Union agency for cybersecurity, has released a report detailing best practices in cyber risk management for railway organizations.
ENISA says European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.
The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.
The good practices presented are based on feedback from railway stakeholders. They include tools such as an asset and service list, cyber threat scenarios, and applicable cybersecurity measures, all drawn from the standards and good practices used in the sector. These resources can serve as a basis for cyber risk management in railway companies; they are intended as a reference point, to promote collaboration between railway stakeholders across the EU, and to raise awareness of the relevant threats.
The report notes that existing risk management approaches differ for railway information technology (IT) and operational technology (OT) systems. For the risk management of railway IT systems, the most frequently cited approaches were the requirements of the NIS Directive as transposed at national level, the ISO 2700x family of standards, and the NIST Cybersecurity Framework.
For OT systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.
These standards and approaches are often used in a complementary way so that both IT and OT systems are adequately covered. While IT systems are normally assessed with broader, more generic methods (such as ISO 2700x or the NIS Directive requirements), OT systems need methods and frameworks designed specifically for industrial and railway control systems.
ENISA says there is no unified approach available to railway cyber risk management yet. Stakeholders who participated in the study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.
For RUs and IMs to manage cyber risks, identifying what needs protection is essential. The report highlights five key asset areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to deliver them, the people who maintain or use them, and the data involved.
The report also reviews the available threat taxonomies and provides a list of threats that can be used as a basis for risk assessment.
Examples of cyber risk scenarios are also analysed to assist railway stakeholders when performing a risk analysis. They show how the asset and threat taxonomies can be used together, and are based on known incidents in the sector and on feedback received during the workshops. Each scenario is associated with a list of relevant security measures. The measures in the report are derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practices (the NIST Cybersecurity Framework).
ENISA and the EU Agency for Railways organized a virtual Conference on Rail Cybersecurity in March 2021. Over two days it brought together more than 600 experts from railway organizations, policy, industry, research, standardization and certification. Cyber risk management for railways was one of the topics participants voted most important, and this motivated ENISA's latest study.