The ENISA-ERA Conference: “Cybersecurity in Railways” presented the latest cybersecurity developments and highlighted the main challenges in the field.
2021 has been chosen as the European Year of Rail by the European Commission. The European initiative aims to highlight the benefits of rail as a sustainable, smart and safe means of transport to support the delivery of its European Green Deal objectives in the transport field.
Cybersecurity is a key requirement to enable railways to deploy and take advantage of the full extent of a connected, digital environment.
However, European infrastructure managers and railway undertakings face a complex regulatory system that requires a deep understanding of operational cybersecurity actions. In addition, European rail is undergoing a major transformation of its operations, systems and infrastructure due to digitalisation, mass transit and increasing interconnections. Therefore, the implementation of cybersecurity requirements is fundamental for the digital enhancement and security of the sector.
ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, have joined forces to organise a virtual Conference on Rail Cybersecurity. The conference took place virtually over two days and brought together more than 600 experts from railway organisations, policy, industry, research, standardisation and certification.
Policy
The European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages awareness-raising among railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the participants. Cybersecurity is now a major concern for National Safety Authorities. The French rail safety authority, l’établissement public de sécurité ferroviaire (EPSF), compiled the related challenges in a white paper, jointly with the French IM and main RU, the French Cybersecurity Agency (ANSSI) and ERA.
Standardisation & Certification
Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the promising Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA. Railway stakeholders expect the technical specification to lay the foundations of a common risk analysis methodology. As demonstrated by the case study proposed by the Italian railway stakeholders, such a methodology will link the security analysis to the safety case.
Research & Innovation
The Shift2Rail Joint Undertaking has gained maturity, and its Technical Demonstrator 2.11 on cybersecurity will soon demonstrate the applicability of its findings on specific projects such as Automatic Train Operation or Adaptable Communication Systems.
Technical interoperability standards for EU railway automation are being proposed for consideration in the railway regulatory framework, proposing "secure by design" shared railway services. In addition, the International Union of Railways (UIC) recently launched a Cyber Security Solution Platform, taking a pragmatic approach in building a catalogue of solutions to the risks and vulnerabilities identified by railway users.
Information Sharing & Cooperation
The European Railway-ISAC is attracting an increasing number of participants willing to share concerns, or even vulnerabilities, with trusted members, ensuring a collective response to the cybersecurity challenge. An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing identified threats to be instantly shared with the targeted railway stakeholders.
With such developments, the railway industry, represented by the European Rail Industry Association (UNIFE), discussed how ready the sector is to increase its level of cybersecurity. UNIFE highlighted several priorities, such as the approval and usage of TS 50701, the need for adequate certification schemes at product level, and the need for specific protection profiles for interface-specific devices and subsystems. This would allow for a more harmonised approach for manufacturers and system integrators.
Conclusions
The participants voted on topics for future conferences, which include, among others:
- new technologies;
- cyber risk management for railways;
- cyber threat landscape;
- the update of Technical Specifications for Interoperability (TSI);
- cyber skills and training and cyber incident response.
Both agencies are paying very close attention to all the developments in the field of railway cybersecurity.
The success of the two-day online conference shows how railway stakeholders can benefit from close cooperation to ensure that the cybersecurity and railway regulatory frameworks cross-fertilise each other.
Background
The EU Agency for Cybersecurity plays a major role in the implementation of the NIS Directive by supporting Member States and the private sector in achieving a higher level of cybersecurity through the ENISA annual work programme. The Agency has collaborated closely with railway undertakings and infrastructure managers over the years. It has engaged in the work on the implementation of the NIS Directive, and with ERA on cybersecurity for the European Rail Traffic Management System.
The Agency also supports the European Railway Information Sharing and Analysis Centre (ER-ISAC) and offers expertise in the CEN-CENELEC technical committee on Technical Specifications for Rail.
The Agency teamed up with ERA last year on a webinar to present the Agencies’ joint activities and to stress the importance of cybersecurity to railway stakeholders.
ENISA also released a report on Cybersecurity in Railways assessing the implementation in Member States of the Network and Information Security Directive (NIS Directive), the first EU-wide cybersecurity legislation working to enhance cybersecurity across the Union. The ENISA publication points to the numerous challenges experienced by operators of essential services when implementing the NIS Directive, including:
- an overall lack of cybersecurity awareness in the sector and challenges of operational technology;
- a strong dependency on the supply chain;
- the presence of legacy systems;
- complexities due to the high number of systems to be secured and managed;
- conflicts between safety and security mind-sets.
The report also emphasises the need to find the right balance between cybersecurity, competitiveness and operational efficiency.
Further information
The slides presented during the conference are available on the webpage of the ENISA ERA conference.
If you missed the conference, the video is available on ENISA’s YouTube page.
Previous events: Free webinar: Cybersecurity in Railways and 1st Transport Cyber Security Conference.
Contacts
For questions related to the press and interviews, please contact: press(at)enisa.europa.eu
For further questions related to the conference, contact: ENISA-ERA-Conference(at)enisa.europa.eu