Cyber-security for rail: Embarking on a safe journey towards digitalisation
Ben Möbius, Managing Director of the German Railway Industry Association (VDB), writes that, for rail to embark on a safe journey towards digitalisation, it is crucial that the European Union (EU) and its member states acknowledge and seize the opportunity for a safe ‘rail 4.0’.
Efficient, interconnected, sustainable: digitalisation is making railways far more appealing to passengers and more convenient for freight transportation. However, continuing digitalisation also exposes rail transportation to new cyber-security threats. Today, smart mobility on rails ‘made in Europe’ is characterised by a very high safety level. In the future, however, the ever-growing interconnection of communication networks, digitalised processes, artificial intelligence (AI) and the generation of big data will bring a new level of complexity that demands new levels of cyber-security. As other world regions increasingly dominate information technology sectors, Europe must secure its position as market leader for clean and smart mobility, as well as its digital sovereignty. To embark on a safe journey towards digitalisation, it is crucial for the European Union (EU) and its member states to seize the opportunity for a secure ‘rail 4.0’.
Digitalisation opens a new era of rail transportation, but simultaneously creates new challenges that must be addressed. The intelligent networking of mobility requires a higher level of data protection. CCTV, sensor monitoring and mobility apps collect large amounts of data, exposing massive quantities of sensitive and personal information to a greater risk of misuse. Furthermore, cyber-attacks by hackers, organised crime or intelligence services could target data integrity for the purpose of industrial and economic espionage, or aim to paralyse parts of the network, undermine security systems, or even take over remote control. Cyber-manipulation could harm the economy and endanger rail passengers in emergencies. Central parts of rail transport are critical infrastructure (CRITIS), because the failure or disruption of the system would lead to dramatic supply bottlenecks or even a threat to public safety.
‘Rail 4.0’ without robust security ‘made in Europe’ creates massive dependencies. Those who no longer sufficiently understand their own CRITIS are bound to lose digital sovereignty. Technological control of ‘rail 4.0’ must therefore remain in Europe, and this must be a key security priority for the EU. Cyber-security and data protection in the mobility sector must rest on two inseparable pillars: a technical pillar and a political pillar.
Cyber-security through technological innovation
Perpetual interconnection and the generation and storage of ever more sensitive and personal data leave the rail network vulnerable to entirely new threats. Networks contain thousands of field elements. Potential weak spots include active network components such as routers, switches and access points; radio communications such as Wi-Fi and mobile networks; and remote access, software and programmable logic controllers. These potential safety and security issues can be addressed in a three-step approach: prevention, detection and reaction.
Firstly, the crucial elements of prevention are ‘security-by-design’ and ‘security-by-default’. Security-by-design addresses security during the design process of a product, which saves time and resources, reduces risk and avoids the costs of a successful cyber-attack. Security-by-default focuses on embedded security, meaning that the default configuration settings are the most secure settings possible. Effective prevention relies not only on technical solutions, but also on a clear definition of processes and responsibilities, and on raising broad awareness of cyber-security threats among staff and customers.
Secondly, every cyber-security approach includes effective detection systems that identify and isolate threats before they spread. Here, it is essential that systems are easy to patch, as rail systems may remain operational for 20 years or more. Thirdly, in a final step, an adequate reaction is ensured by closing security gaps and providing software updates where necessary.
Cyber-security through digital sovereignty in Europe
As much as cyber-security is a technical challenge, it must also be treated as a political priority. Cyber-security for the strategic rail sector is an important basis for Europe’s economic and political sovereignty. Were Europe to lose technological control of its cyber-defence capabilities, it would slip into strategic dependence. The pandemic has shown that Europe must take its strategic interests into its own hands. Policymakers must further develop Europe’s core competencies for secure digital mobility by:
1. Drafting a cyber-security strategy, ‘rail 4.0’
The EU should convene an integrative expert commission to develop a coherent cyber-security strategy, ‘rail 4.0’, for the intelligent rail mobility of the future. The societal challenges of the digitalisation and automation of mobility must be anticipated and tackled even more systematically by policymakers, operators and the rail industry, as well as regulatory institutions, under shared responsibility. The EU must promote research and the training of young professionals, develop high standards for future data platforms and communication networks, and involve the relevant European industries to make development, production and operational processes even more resilient. A cyber-security strategy for ‘rail 4.0’ must be coordinated at the European level and consistently implemented by EU member states.
2. Taking cyber-security into account in public procurement
Cyber-security must consistently carry greater weight in public procurement. Furthermore, European added value should play a crucial role in CRITIS-related tenders. In Europe, personal data must be deleted within fixed time limits in accordance with EU data protection laws. The same level of transparency cannot be guaranteed for data collected and analysed by non-EU state-owned enterprises (SOEs). If non-EU SOEs provide the technology for our smart mobility, could data collected in Europe on European citizens be stored in third countries? Does that create gaps in the protection of passengers’ personal rights? These civil law issues must be openly discussed in connection with public rail procurement.
3. Strengthening cyber-security ‘made in Europe’
The possible critical impact of takeovers of European companies by non-EU SOEs on the cyber-security of CRITIS rail must be one aspect of the non-discriminatory screening of foreign direct investment recommended by the EU Commission.
The digitalisation of rail can be a European success story for the next 20 years. The German Railway Industry Association (VDB) stands ready to support the EU as a reliable and excellent partner for the safe and secure digitalisation of the railways. In short: for smart and clean mobility ‘made in Europe’.