Risk Management: Helping the EU Railways Catch the Cybersecurity Train


Risk management for the EU railways is the focus of a new report by the European Union Agency for Cybersecurity. The report will be announced by Juhan Lepassaar during today’s webinar co-organised with the European Union Agency for Railways.

ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, have joined forces to organise a virtual webinar today on cybersecurity for the railway sector.

While ERA is to present the state of play on cybersecurity in the sector, ENISA is to announce the release of its report, Railway Cybersecurity – Good Practices in Cyber Risk Management, for railway organisations.

Juhan Lepassaar, Executive Director of ENISA, is to present the report in his welcome remarks. Josef Doppelbauer, Executive Director of ERA, is to deliver the closing remarks to conclude the event.

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as asset and service lists, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management by railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness of relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach to railway cyber risk management available yet. Stakeholders who participated in this study indicated that they use a combination of the above-mentioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive list is broken down into 5 areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threat taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews the available threat taxonomies and provides a list of threats that can be used as a basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practices (NIST’s cybersecurity framework).

Target audience

  • Staff and experts responsible for cybersecurity (CISOs, CIOs, CTOs, etc.) within RUs and IMs;
  • Regulatory bodies and National Competent Authorities;
  • Decision and policy makers.

Background

The study released today builds on the ENISA Report - Railway Cybersecurity - Security measures produced in November 2020 on cybersecurity in the railway sector. This previous report assessed the level of implementation of cybersecurity measures in the sector.

ENISA and ERA organised a virtual Conference on Rail Cybersecurity in March 2021. The conference took place virtually over two days and brought together more than 600 experts from railway organisations, policy, industry, research, standardisation and certification. One of the top topics voted for by participants was cyber risk management for railways, which motivated this study.

The European Union Agency for Cybersecurity supports the development of cybersecurity capabilities of the railway sector by:

  • Issuing guidance and recommendation papers together with the community;
  • Organising physical and virtual events;
  • Participating in discussions with the Railway community on regulatory matters;
  • Validating activities through a dedicated expert group in transport security (TRANSSEC);
  • Contributing to standardisation activities.

Further Information

ENISA report - Railway Cybersecurity – Good Practices in Cyber Risk Management – November 2021

ENISA Report - Railway Cybersecurity - Security measures – November 2020

ENISA topic – Critical Information Infrastructures and services - Railway

Videos & presentations: Cybersecurity in Railways

Cybersecurity in Railways Conference: Key Takeaways – March 2021

TRANSSEC – Transport Security Experts Group

ERA – European Union Agency for Railways

Contact

For questions related to the press and interviews, please contact press(at)enisa.europa.eu