Establishing cyber-security for next generation mobility

Posted: 21 October 2021

Marta Garcia, Technical Affairs Manager at UNIFE, speaks about the ever-developing digital rail transport industry within Europe and the resulting necessity for cyber-security adaptations in order to maintain a safe and resilient rail sector.

Securing Europe’s railways: Establishing cyber-security for next generation mobility

Digitalisation of rail transport is an important lever that grows ever more sophisticated and continues to advance the mode’s competitiveness. It has transformed the rail sector’s approach to infrastructure and mass transport, particularly from an operational perspective. Increased sectoral attention to digital security has also boosted the potential for interoperability. The implementation of cyber-security requirements is fundamental for the digital improvement and resiliency of the sector.

The European rail supply industry recognises that mitigating cyber-threats is essential to maintaining safe, reliable rail and public transport. This is no easy task, given the wide array of existing complex interdependencies and the need to integrate ageing infrastructure elements into a digital transport ecosystem. For mobility systems to operate effectively and take full advantage of a connected, digital environment, implementing comprehensive cyber-security technologies and protocols is a prerequisite, the absence of which could have grave ramifications. Maintaining business continuity standards is a common goal across the rail sector.

Key role of the European Union Agency for Cybersecurity (ENISA)

The Cybersecurity Act (2019) strengthened ENISA and granted the agency a permanent mandate. This development gave it more resources and a key role in both setting up and maintaining the European cyber-security certification framework by preparing the technical grounds for specific certification schemes. The agency strives to empower communities to achieve sufficient cyber-security by adding value for stakeholders, supporting operational cooperation, enhancing policy aimed at avoiding fragmentation and supporting capacity building to deal with the cyber-threat landscape.

Additionally, ENISA has included the railway sector in building its strategy: releasing relevant studies, such as the Railway Cybersecurity report (released in November 2020); carrying out public consultations on topics such as the threat landscape report, including railways; and gathering the railway community in a specific conference to discuss the main challenges within the sector.

Cyber-security: One of the European Union’s most urgent priorities

As digital technology continues to play an ever-present role in modern life, and in the aftermath of novel online attacks like WannaCry, the EU has prioritised stepping up cyber-security across the Union to ensure that citizens and critical infrastructures are protected and resilient. In terms of policy, several initiatives have been presented, such as the EU Cybersecurity Strategy, the Cybersecurity Act, the proposal for a Network and Information Security Directive (NIS2) and others. This legislative suite aims to deepen Europe’s cyber-security in a uniform manner across the EU, as cyber-security knows no borders and cyber-threats are constantly evolving.

Considering these developments, UNIFE has developed a new position paper on cyber-security in rail transport to urge Member States to avoid fragmentation as they seek to empower the greater cyber-security measures needed to achieve cyber-resilience, which is central to enabling business continuity. The six pillars that form the association’s strategy for achieving this goal are: standardisation via CEN CENELEC; the legal framework at EU level; cooperation between railway sector stakeholders; investment in research and innovation; monitoring the latest trends; and considering the specificities of the railway sector.

The short-term high priority challenges and recommendations

In our most recent position paper, UNIFE states that while there are several challenges ahead, several short-term steps can be taken to achieve this end. First, the main milestone for railway cyber-security is the recently published ‘Technical Specification CLC/TS 50701 Railway applications – Cybersecurity, covering, signalling, rolling stock and fixed installations’, developed by CENELEC TC 9X WG 26. This document aims to provide the basis for establishing uniform operational criteria for cyber-security. The Cybersecurity Act strengthens ENISA’s mandate by tasking the body with developing cyber-security certification schemes, at the EU level, to provide criteria for conducting conformity assessments that determine the degree of compliance of a product, service and process with specific cyber requirements. The new CLC/TS 50701 should serve as a basis for the creation of a unified certification system for rail information and communication technology products, services, and processes, as this is the most promising way to remove short-term barriers. In a second phase, UNIFE recommends that CLC/TS 50701 should be introduced to companies and later promoted as a potential International Standard at the International Electrotechnical Commission (IEC). Raising awareness of looming challenges amongst railway stakeholders and cyber-security experts is needed, as it will allow the sector to fulfil these criteria and apply them correctly and in the same manner throughout Europe’s rail network, contributing to interoperability and the establishment of a Single European Rail Area.

The policy and regulatory framework is also changing rapidly to address the opportunities and challenges facing Europe as it adopts more and more digital solutions, opening itself up more and more to potential cyber-threats. There are several legislative initiatives that legitimise cyber-security concerns; however, they must be coordinated to avoid regulatory fragmentation and overlapping, conflicting requirements that place limitations on European railway stakeholders.

As cyber-attacks are often transnational in nature, Europe’s cyber-security demands whole-of-Union cooperation. All rail actors need to work together to keep current on the latest threats facing the sector. The European Rail – Information Sharing and Analysis Centre (ER-ISAC) is an available resource for sector participants from all EU Member States. Its uniquely cooperative stance makes it a favourable platform for sharing and assessing the sector’s cyber-security priorities, significantly improving our collective cyber-security toolbox. While utilising the centre is a short-term step in the right direction, our sector must maintain this united front in perpetuity.

The implementation of a common cyber-security approach along the entire supply chain will significantly diminish the sector’s vulnerability in the digital space. NIS2 aims to ensure an appropriate level of cyber-security in this area. Supply chain attacks have been a concern for cyber-security experts for many years, as the chain reaction caused by an attack on a single supplier can endanger an entire network of suppliers and jeopardise their competitiveness. A unified approach would require fewer resources, lowering costs for companies seeking to construct a new cyber-security framework.

One of the most important enablers for achieving the necessary degree of resiliency is increasing investment for research and innovation in cyber-security. Cyber-threats continue to evolve rapidly, becoming capable of progressively more pervasive damage, but the flow of new and effective cyber-defence technologies has grown at a considerably slower rate. The gap between threat and defence has widened, as cyber-criminals deploy increasingly sophisticated offensive technologies and carry out their transgressions with unprecedented resources and global reach. Against this backdrop, there is a need to reduce technologies’ time-to-market as a means of rapidly making innovative cyber-defence approaches more widely available to counter hostile elements. Even if today the Horizon 2020 Shift2Rail Joint Undertaking is working on new cyber-security developments for the signalling rail subsystem, directing greater investments to research and innovation initiatives like those executed under Horizon EU and the future Europe’s Rail Joint Undertaking will help the rail sector in its transformation.

Finally, the specificities of cyber-security in the railway sector should be assessed to ensure that it establishes the correct degree of protection. The organisational and technical measures required to maintain an acceptable level of cyber-security, throughout the lifecycle of the system, are of great importance to the railway sector. Operational Technology Systems are often based on parameters that were secure at the time of installation but, due to their long lifecycle, are quickly deemed outdated or obsolete from a cyber-security perspective. The main challenge is to successfully define patch management processes that allow agile, streamlined maintenance in secure conditions, without compromising the security of the system. This is especially important for the maintenance of rail vehicles. Furthermore, legacy systems are another unique feature of rail transportation. To meet the new cyber-security measures, proper risk acceptance and assessment for said systems is required. Cryptography must be considered as a pillar of cyber-security to ensure confidentiality, integrity, and authentication.

Several medium- and long-term priorities have been identified

UNIFE’s latest position paper highlights numerous medium- and long-term priorities that present opportunities for more rigorous cyber-security across the EU. Firstly, the European railway supply industry needs to build its IT infrastructure to reach the status of ‘Quantum-Secure’. This must happen before quantum computing becomes widely available. Achieving a level of ‘Crypto-Agility’ will be critical to achieving this goal. Additionally, the incorporation of strict cyber-security criteria in all new technologies used in rail transport (such as Artificial Intelligence) is crucial for a more secure system in the near future.
In our sector’s case, securing the entire product lifecycle for next generation systems means that all projects are to be developed from the beginning using CLC/TS 50701 methodologies regarding ‘Security by Design’. Although each means of transportation contributing to multimodality will have its own standards and certification schemes, the development of technologies to secure this interoperable mobility future necessitates that they are all aligned with the NIS2 Directive proposal.

In summary, the European rail sector is facing many challenges today. However, the European Rail Supply Industry’s main recommendations are to promote and implement TS 50701 in the railway sector to avoid fragmentation of cyber-security criteria; this unified rubric must be used as an ICT certification system. Collaboration between different stakeholders is essential to assessing and addressing emerging cyber-security challenges. Additionally, investment in research and innovation is crucial to our efforts to progress beyond the current state-of-the-art in cyber-security methods. Considering the specificities of the rail sector, such as its high level of regulation and the long lifecycle of its components that derive from legacy systems, all actors in this space must be aware of the dangers posed by the lack of security of our increasingly digital assets and align our shared cyber-security strategy across Europe.

Marta Garcia is a Technical Affairs Manager at UNIFE, the association representing the European Rail Supply Industry in Brussels. In this capacity, Marta focuses on matters concerning research and innovation projects involving technical demonstrators and emerging cyber-security trends. Her expertise helps coordinate UNIFE’s cyber-security working group, as well as the industry’s technical cooperation with the European Union Agency for Cybersecurity and other railway stakeholders.