Securing the Rail Sector – What considerations should be in the Regulator’s Point of View?

by Mohammad Jbair, Principal Consultant, OT CyberSecurity and Digital Manufacturing 

Cyber security threats are an increasing source of concern in the rail sector. In line with this, there is a clear upwards trend in reported cyber-attacks that are targeting Industrial Control Systems (ICS) and Operational Technology (OT)[1]. Within the rail sector, digital transformation, Industry 4.0 and IIoT technologies are increasing the connectivity of infrastructure and rolling stock systems. These technological advances can, however, introduce new cyber vulnerabilities, in addition to existing threats from the rail supply chain, commercial off-the-shelf (COTS) products and legacy systems. Therefore, to improve governance and security across the rail industry, new regulations have been created. These oblige railway stakeholders to take action.

To protect rail systems from cyber threats and comply with regulations, organisations must build a holistic security strategy that considers people, process and technology. The strategy should target the organisational level, the overall rail system level, and the individual components level.

The strategy should comprise the following:

  • Understand the cyber threat landscape, vulnerabilities and risks, as well as their impact on the railway environment and assets.
  • Protect the environment and assets by implementing secure-by-design methods, providing resiliency against malicious behaviour or cyber-attacks, and limiting their likelihood.
  • Detect and report abnormal behaviour by implementing a functional and innovative detection and prevention security monitoring system.
  • Respond to cyber incidents and ensure recovery of railway services by implementing a Security Operations Centre (SOC).

Railway stakeholders can utilise several standards and guidelines to help build their strategy. For example, at the business organisational level, they can look to NCSC risk management guidance, ISO 27001, and IEC 62443-2-1 standards. For overall rail systems, they could consider NCSC secure design principles, IEC 62443-3-2, and IEC 62443-3-3. At the individual components level, ISO 55001:2014 – Asset Management, IEC 62443-4-1, and IEC 62443-4-2 standards should be considered.

Creating an ongoing cyber security Risk Management Framework (RMF) is essential. This should be applied to railway assets and infrastructure. The RMF must be systematic and repeatable, so that organisations can use it to conduct regular risk assessments and treatment. Figure 1 below illustrates the process:

Consider the “Inputs” section above. First is the Business Impact Criteria, which covers the railway sector’s availability, reliability, safety, integrity, and confidentiality. Threats and vulnerabilities databases should be updated periodically by sourcing feeds from Cyber Threat Intelligence, as well as conducting regular vulnerability assessments and pentesting exercises.

In the “Assessment” stage from Figure 1, one of the most important activities is to identify the risk level for each railway service (e.g., passenger information service), then map it with a corresponding business impact. Alongside that, it’s important to estimate the likelihood of occurrence.

The “Treatments” stage aims to generate an up-to-date risk register that contains all risks for the business. Once these are defined, the risk treatment plan can be developed. This process is systematic, so the assessor (internal or external) can ensure consistency in every risk assessment and treatment exercise. Many tools are available to assist in performing a systematic risk management activity.

Building CNI resilience

In 2018, the NIS Directive (Network & Information Systems) came into force, which aims to raise the levels of cyber security and resilience of key systems within critical national infrastructure. Under the Directive, railway stakeholders are responsible for their operations and networks. However, applying NIS regulation is challenging in this sector due to the high level of shared responsibilities between stakeholders – including rolling stock owners, infrastructure managers, train operators, train manufacturers, the Department for Transport (DfT) and supply chains. An ideal approach to managing cyber security and NIS compliance is to have a clear shared responsibility between stakeholders, so that everyone understands their roles and responsibilities throughout the entire lifecycle: Design, Engineering, Procurement, Manufacturing, Testing, Installation, Operation and Maintenance.

Following cyber security best practices is essential during the implementation of a cyber security programme. Moreover, knowledge-sharing between railway stakeholders is vital to raise awareness of the rail sector’s threat landscape and assist stakeholders in defending against potential cyber-attacks. Several entities (e.g. NCSC, ISA, NIST, etc.) have released guidelines to help the rail sector assess, protect, and manage its infrastructure. The table below lists some of these guidelines, security standards, whitepapers, and reports:

Description                           Standard, Guidelines or Best Practices

Cyber Security Strategy

Risk Management                       NCSC Risk Management Guidance, NIST 800-37, ISO 27005

Security Detection and Monitoring     NCSC Intro to Logging for Security Purposes, NCSC SOC Buyers Guide, CREST Cyber Security Monitoring Guide, NIST SP 800-94, NIST 800-137, IEC 62443-3-3, Intelligent security tools

Response and Recovery

Supply Chain

Security Awareness                    NCSC Certified Training, NIST 800-50

Cyber Security Information Sharing

Airbus Whitepapers and Datasheets

In summary, the key aim of recent regulation, such as the NIS Directive, is to ensure the overall cyber security and resilience of an increasingly interconnected rail sector. In response, rail stakeholders must build an effective cyber security strategy that can be implemented in a defined roadmap. In addition, collaboration between rail stakeholders and the regulator is essential to manage overall security and gain further visibility into the constantly evolving threat landscape.

If you enjoyed this article, check out ‘Securing the Rail Sector: A Directive Level Approach’ here.
You can also find out more about our approach to cyber security in the rail sector by downloading our rail whitepaper.
