Cyber security threats are an increasing source of concern in the rail sector, and reported cyber-attacks targeting Industrial Control Systems (ICS) and Operational Technology (OT) are clearly on the rise. Within the rail sector, digital transformation, Industry 4.0 and IIoT technologies are increasing the connectivity of infrastructure and rolling stock systems. These advances can introduce new vulnerabilities on top of the existing threats from the supply chain, Commercial off-the-shelf (COTS) products and legacy systems. To improve governance and security across the rail industry, new regulations have therefore been created, which in turn place new obligations on railway stakeholders.
To protect rail systems from these threats, organisations should start with a compliance programme that meets the regulations and then build on it a holistic security strategy that considers people, process and technology. The strategy should address three levels: the organisation, the overall rail system, and the individual components.
The strategy should comprise the following:
- Understand the cyber threat landscape, vulnerabilities, risks and their impacts on the assets and environment.
- Protect the railway assets and environment by implementing secure-by-design methods, providing resilience against malicious behaviour and cyber-attacks, and limiting both the likelihood and the impact of the identified risks.
- Detect abnormal behaviour and report these events by implementing a security monitoring system that covers both detection and prevention.
- Respond to cyber incidents and ensure recovery of railway services, for example by operating a Security Operations Centre (SOC).
Several standards and guidelines can assist railway stakeholders in building their strategy. At the business organisational level, the NCSC risk management guidance, ISO 27001 and IEC 62443-2-1 can be used. Guidance for the overall rail system includes the NCSC secure design principles, IEC 62443-3-2 and IEC 62443-3-3. At the individual component level, ISO 55001:2014 (Asset Management), IEC 62443-4-1 and IEC 62443-4-2 should be considered.
An ongoing cyber security Risk Management Framework (RMF) is essential and should be applied to railway assets and infrastructure. The RMF must be systematic and repeatable so that organisations can use it to conduct periodic risk assessments and treatment. Figure 1 below illustrates the process:
Considering the inputs to the RMF, the business impact criteria cover the railway services' availability, reliability, safety, integrity and confidentiality. Threat and vulnerability databases should be updated periodically by sourcing Cyber Threat Intelligence feeds and by conducting periodic vulnerability assessments and penetration testing exercises.
In the assessment stage of Figure 1, one of the most important activities is to identify the risk level for each railway service (e.g. the Passenger Information service) and map it to the business impact, while also estimating the likelihood of occurrence.
The treatment stage produces an up-to-date risk register containing all risks to the business; once these risks are defined, the risk treatment plan can be developed. Because the process is systematic, the assessor (internal or external) can ensure consistency across every risk assessment and treatment exercise. Many tools are available to support a systematic risk management activity.
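As an added illustration of what "systematic and repeatable" means in practice (example code written for this article, not a tool from the page or from any standard), the following Python builds a small risk register for railway services. The scoring scheme is a hypothetical assumption: each business impact criterion from the inputs above and the likelihood are rated 1 to 5, the score is worst-case impact multiplied by likelihood, and the score is banded into a rating that selects a treatment option. The input validation is what makes the exercise repeatable: an assessment that omits a criterion or uses an out-of-range value is rejected rather than silently scored. The services, scenarios and values are constructed sample data.

```python
"""Systematic, repeatable risk register for railway services (added example).

Assumptions (hypothetical, not from any standard): impact per business
criterion and likelihood are rated 1..5; score = worst-case impact *
likelihood; the score is banded into a rating that selects a treatment.
A safety override ensures a service whose compromise could have a
safety-critical impact is never rated merely Low or Medium.
"""
from dataclasses import dataclass

# Business impact criteria used as RMF inputs.
CRITERIA = ("availability", "reliability", "safety", "integrity", "confidentiality")
SCALE = range(1, 6)  # 1 = very low ... 5 = very high

# Hypothetical banding of the 1..25 score and the treatment each band triggers.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))
TREATMENT = {
    "Critical": "mitigate immediately",
    "High": "mitigate",
    "Medium": "reduce or transfer",
    "Low": "accept and monitor",
}
RANK = {name: i for i, (_, name) in enumerate(BANDS)}  # lower rank = more severe


@dataclass
class Risk:
    service: str
    scenario: str
    impact: dict      # criterion -> 1..5
    likelihood: int   # 1..5

    def __post_init__(self):
        # Reject incomplete or out-of-range assessments so every exercise
        # is scored from the same inputs, whoever the assessor is.
        missing = set(CRITERIA) - set(self.impact)
        extra = set(self.impact) - set(CRITERIA)
        if missing or extra:
            raise ValueError(f"{self.service}: impact criteria must be exactly {CRITERIA}")
        for crit, val in self.impact.items():
            if val not in SCALE:
                raise ValueError(f"{self.service}: {crit} impact {val} outside 1..5")
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.service}: likelihood {self.likelihood} outside 1..5")

    @property
    def worst_impact(self) -> int:
        return max(self.impact.values())

    @property
    def score(self) -> int:
        return self.worst_impact * self.likelihood

    @property
    def rating(self) -> str:
        band = next(name for floor, name in BANDS if self.score >= floor)
        # Safety override (assumption): a safety-critical impact is at least
        # High regardless of how unlikely the scenario is judged to be.
        if self.impact["safety"] == 5 and RANK[band] > RANK["High"]:
            band = "High"
        return band


def build_register(risks):
    """Return the register ordered by rating, then score, with a treatment per entry."""
    ordered = sorted(risks, key=lambda r: (RANK[r.rating], -r.score, r.service))
    return [
        {"service": r.service, "scenario": r.scenario, "score": r.score,
         "rating": r.rating, "treatment": TREATMENT[r.rating]}
        for r in ordered
    ]


# Constructed sample assessment (illustrative values, not real data).
SAMPLE = [
    Risk("Passenger Information", "unauthorised change to displayed messages",
         dict(availability=3, reliability=3, safety=2, integrity=4, confidentiality=1), likelihood=4),
    Risk("Signalling interlocking", "access via unsecured maintenance port",
         dict(availability=5, reliability=4, safety=5, integrity=5, confidentiality=1), likelihood=2),
    Risk("Ticketing", "theft of payment card data",
         dict(availability=2, reliability=2, safety=1, integrity=2, confidentiality=4), likelihood=3),
    Risk("Passenger Wi-Fi", "denial of service",
         dict(availability=2, reliability=2, safety=1, integrity=1, confidentiality=1), likelihood=5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['rating']:<8} {row['score']:>2}  {row['service']:<24} {row['treatment']}")
```

Note the signalling entry: on raw score it lands in the Medium band because its likelihood is low, and only the explicit safety override lifts it to High. A plain likelihood-times-impact matrix can under-rate safety-related services, so whatever scheme an organisation adopts, that rule should be written down and applied identically in every assessment cycle.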
In 2018, the NIS (Network and Information Systems) Regulations, which implement the EU NIS Directive, came into force with the aim of raising the cyber security and resilience of key systems within critical national infrastructure. Railway stakeholders are therefore responsible under NIS for the security of the networks and information systems that support their operations. Applying NIS in this sector is challenging, however, because responsibility is shared between many stakeholders: rolling stock owners, infrastructure managers, train operators, train manufacturers, the Department for Transport (DfT), supply chains and others. An effective approach to managing cyber security and NIS compliance is a clear shared-responsibility model, so that every stakeholder understands the roles and responsibilities it must address and enforce across the entire lifecycle: Design – Engineering – Procurement – Manufacturing – Testing – Installation – Operation & Maintenance.
Finally, following cyber security best practice is essential during implementation of the cyber security programme and compliance with regulations. Sharing knowledge between railway stakeholders is also vital to raise awareness of the rail sector's threat landscape and to help them defend against potential cyber-attacks. Several entities (e.g. NCSC, ISA, NIST) have released guidance to help the rail sector assess, protect and manage its infrastructure. The table below lists some of these guidelines, security standards, whitepapers and reports:
| Description | Standard, Guidelines or Best Practices |
|---|---|
| Cyber Security Strategy | |
| Risk Management | NCSC Risk Management Guidance, NIST SP 800-37, ISO 27005 |
| Security Detection and Monitoring | NCSC Introduction to Logging for Security Purposes, NCSC SOC Buyers Guide, CREST Cyber Security Monitoring Guide, NIST SP 800-94, NIST SP 800-137, IEC 62443-3-3, intelligent security tools |
| Respond and Recovery | |
| Security Awareness | NCSC Certified Training, NIST SP 800-50 |
| Cyber Security Information Sharing | CiSP |
| Airbus Whitepapers and Datasheets | |
In conclusion, the regulator's main aim is to ensure the overall cyber security and resilience of the rail sector through enforcement of regulation such as NIS. It will oversee rail stakeholders as they build an effective cyber security strategy, implemented through a defined roadmap, in order to achieve and maintain compliance. Collaboration between rail stakeholders and the regulator is also essential to manage overall security and to gain better visibility of the threat landscape and the likelihood of potential vulnerabilities being exploited.
If you enjoyed this article, check out our other article, 'Securing the Rail Sector: A Directive Level Approach'.
You can also find out more about our approach for cyber security in the Rail sector, by downloading our rail whitepaper.