The European Union Agency for Cybersecurity (ENISA) released in November 2020 its “Cybersecurity in Railways” report to raise awareness about the cybersecurity challenges facing Europe's railways. The report identifies the current cybersecurity status and challenges as well as proposes cybersecurity measures to combat these challenges and enhance the sector’s security posture. The report is based on data gathered over the last two years from the operators of essential rail services in 21 EU Member States.
The EU railway landscape
The railway sector is a critical infrastructure for the development of the European Union and its member states since it enables the transportation of goods and passengers within countries and across borders. The key entities for the provision of these services are:
- The railway undertakings (RU), who are responsible for the transport of goods and passengers by rail.
- The infrastructure managers (IM), who are responsible for the establishment, operation and maintenance of railway infrastructure including traffic management, command, control and signaling, station operation and train power supply.
Both entities and the railway sector in total are identified as Operators of Essential Services (OES) in the NIS Directive, and they must be compliant to the security requirements of the Directive. To establish and maintain compliance, railway entities must implement the cybersecurity measures defined by the NIS Directive Cooperation Group, which are grouped in four categories:
- Governance and ecosystem – Information system security governance and risk management
- Protection – identity and access management, physical security
- Defense – Crisis management and business continuity
- Resilience – Incident response and management, detection
“For the past years, a lot of focus has been put on the digitalization of infrastructure and services addressing market needs and new ways of working,” says Giannis Kostakis, ICT Security Consultant at European Union Agency for Railways (ERA). “Similar to other sectors across the European Union, technology nowadays plays a vital role, introducing new opportunities together with novel challenges.” Cybersecurity is a key requirement to enable railways to deploy and exploit the full extent of digital technology.
While the railway sector strives to implement the required cybersecurity measures to defend against cyber-attacks exploiting vulnerabilities, they are met with various challenges that hinder their efforts. Overall, the ENISA report notes that “railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity, while the sector is undergoing digital transformation.”
The main cybersecurity challenges highlighted in the report are the following:
- Low cybersecurity awareness. Staff awareness of the need for cybersecurity remains quite low. “Security culture is a meticulous task that requires time to successfully change,” says Kostakis. However, the report indicates that recent security incidents, such as the WannaCry and NotPetya attacks have acted as warning bells to foster efforts to increase the level of awareness.
- Conflicts between safety and cybersecurity requirements. For each security patch and update, safety teams need to ensure that safety mechanisms remain intact. This requires extra time and money. Additionally, the report highlights that it appears to be difficult to deal simultaneously with safety and security requirements, which sometimes overlap or contradict each other.
- Digital transformation of critical services. Most railway companies are undergoing digital transformation and a wide range of IT and connected IoT devices are introduced. However, these components are not properly procured, identified and managed, creating new vulnerabilities and expanding the threat landscape.
- Supply chain risks. “Remote access and interconnected systems have increased attack surface and dependence on supply chain attacks,” says Kostakis, because railway entities are heavily reliant on a wide variety of third-party suppliers and providers for system updates, patch management, and lifecycle management. This can increase the challenge of standardization and the ability to define and implement baseline cybersecurity measures for all systems. Moreover, third-party suppliers are not covered by the provisions of the NIS Directive, so they have less stringent statutory requirements to apply cybersecurity.
- Legacy systems. “Railway Infrastructure consists of various complex hardware systems and components. Some of them can be regarded as legacy systems. Keeping those critical systems updated can be a challenge,” notes Kostakis.
- Cybersecurity requirements complexity. Railway entities need to comply both with the NIS Directive and national security requirements, making compliance a time consuming and resource intensive effort. It also highlights the need for cybersecurity requirements harmonization across all EU members and the requirement for the development of a railway specific NIS profile.
Level of NIS compliance
The ENISA report provides the status of cybersecurity measures implementation across the sector. The findings indicate that each entity has different levels of NIS compliance according to its cybersecurity maturity, digital skills, size, business challenges, suppliers and the resources allocated to cybersecurity.
- Governance, risk management and ecosystem management measures are implemented by 47% of the railway companies, with several reporting that they are currently launching organization-wide cybersecurity programs.
- Protection measures are implemented by 53% of the organizations. Basic cybersecurity, such as access control, or system segregation, seems to be already well implemented and under control. However, the security measures that require higher technical expertise, such as cryptographic controls, or cybersecurity controls on industrial control systems (ICS) are implemented at a lower rate.
- Security measures regarding defense are implemented by 52% of the sector entities. Security measures that require less technical expertise, e.g., communications with competent authorities and CSIRTs, or incident reporting, appear to be well implemented and under control.
- Resilience measures are implemented by 57% of the companies. Although managing crises and incidents is part of the daily business in the railway sector, the established processes for crisis and business continuity management need to be adapted to cover cybersecurity incidents.
The way ahead
The ENISA report on the status of cybersecurity in the European railways provides essential insight for both the railway organizations and the policy bodies in the EU. European authorities should take steps forward to address the challenges highlighted in the report to strengthen the cybersecurity posture of the railway sector. Such steps should include policy standardization and harmonization as well as building a cybersecurity mindset and culture.
Giannis Kostakis offers suggestions for the way ahead: “Strong security culture and top-down support from the management can always help to outperform. A tailored security improvement program based on recognized standards has to be developed and maintained to enhance proactive controls including timely patching management. In addition, railway entities should establish sufficient reactive controls and an efficient collaboration with CERT-EU to address ongoing cyber incidents and sophisticated attacks. Collaboration with European authorities and government bodies ensures prompt decision making and ongoing support.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.