Cybersecurity Challenges for the European Railways
The European Union Agency for Cybersecurity (ENISA) released in November 2020 its “Cybersecurity in Railways” report to raise awareness about the cybersecurity challenges facing Europe’s railways. The report identifies the current cybersecurity status and challenges as well as proposes cybersecurity measures to combat these challenges and enhance the sector’s security posture. The report is based on data gathered over the last two years from the operators of essential rail services in 21 EU Member States.
The EU railway landscape
The railway sector is a critical infrastructure for the development of the European Union and its member states since it enables the transportation of goods and passengers within countries and across borders. The key entities for the provision of these services are:
- The railway undertakings (RU), who are responsible for the transport of goods and passengers by rail.
- The infrastructure managers (IM), who are responsible for the establishment, operation and maintenance of railway infrastructure including traffic management, command, control and signaling, station operation and train power supply.
Both entities, and the railway sector as a whole, are identified as Operators of Essential Services (OES) in the NIS Directive, and they must comply with the security requirements of the Directive. To establish and maintain compliance, railway entities must implement the cybersecurity measures defined by the NIS Directive Cooperation Group, which are grouped into four categories:
- Governance and ecosystem – Information system security governance and risk management
- Protection – Identity and access management, physical security
- Defense – Crisis management and business continuity
- Resilience – Incident response and management, detection
The digital transformation of the railways, as in other sectors, presents new opportunities together with novel challenges. Consequently, cybersecurity is a key requirement to enable railways to deploy and exploit the full extent of digital technology.
Cybersecurity challenges
While the railway sector strives to implement the required cybersecurity measures to defend against cyber-attacks exploiting vulnerabilities, it is met with various challenges that hinder its efforts. Overall, the ENISA report notes that “railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity, while the sector is undergoing digital transformation.”
The main cybersecurity challenges highlighted in the report are the following:
- Low cybersecurity awareness. Staff awareness of the need for cybersecurity remains quite low. However, the report indicates that recent security incidents, such as the WannaCry and NotPetya attacks, have acted as warning bells to foster efforts to increase the level of awareness.
- Conflicts between safety and cybersecurity requirements. For each security patch and update, safety teams need to ensure that safety mechanisms remain intact. This requires extra time and money. Additionally, the report highlights that it appears to be difficult to deal simultaneously with safety and security requirements, which sometimes overlap or contradict each other.
- Digital transformation of critical services. Most railway companies are undergoing digital transformation, and a wide range of IT and connected IoT devices are being introduced. However, these components are not properly procured, identified and managed, creating new vulnerabilities and expanding the threat landscape.
- Supply chain risks. Railway entities are heavily reliant on a wide variety of third-party suppliers and providers for system updates, patch management and lifecycle management. This can increase the challenge of standardization and the ability to define and implement baseline cybersecurity measures for all systems. Moreover, third-party suppliers are not covered by the provisions of the NIS Directive, so they have less stringent statutory requirements for applying cybersecurity.
- Legacy systems. IMs and RUs manage many legacy or obsolete systems – with lifecycles calculated in decades. These are difficult or even impossible to upgrade to implement cybersecurity measures. Legacy OT requires procedures, policies and human intervention for patches and updates to ensure an adequate security level.
- Cybersecurity requirements complexity. Railway entities need to comply both with the NIS Directive and with national security requirements, making compliance a time-consuming and resource-intensive effort. The report also highlights the need to harmonize cybersecurity requirements across all EU Member States and to develop a railway-specific NIS profile.
Level of NIS compliance
The ENISA report provides the implementation status of cybersecurity measures across the sector. The findings indicate that each entity has a different level of NIS compliance according to its cybersecurity maturity, digital skills, size, business challenges, suppliers and the resources allocated to cybersecurity.
- Governance, risk management and ecosystem management measures are implemented by 47% of the railway companies, with several reporting that they are currently launching organization-wide cybersecurity programs.
- Protection measures are implemented by 53% of the organizations. Basic cybersecurity, such as access control or system segregation, seems to be already well implemented and under control. However, the security measures that require higher technical expertise, such as cryptographic controls or cybersecurity controls on industrial control systems (ICS), are implemented at a lower rate.
- Security measures regarding defense are implemented by 52% of the sector entities. Security measures that require less technical expertise, e.g., communications with competent authorities and CSIRTs or incident reporting, appear to be well-implemented and under control.
- Resilience measures are implemented by 57% of the companies. Although managing crises and incidents is part of the daily business in the railway sector, the established processes for crisis and business continuity management need to be adapted to cover cybersecurity incidents.
Conclusion
The ENISA report on the status of cybersecurity in the European railways provides essential insight for both the railway organizations and the policy bodies in the EU. European authorities should take steps forward to address the challenges highlighted in the report to strengthen the cybersecurity posture of the railway sector. Such steps should include policy standardization and harmonization as well as building a cybersecurity mindset and culture.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.