ENISA has announced the publication of its report – Railway Cybersecurity – Good Practices in Cyber Risk Management for Railway Organizations.
European Railway Undertakings (RUs) and Infrastructure Managers (IMs) must address cyber risks systematically as part of their risk management processes. This need has become even more urgent since the Directive on security of network and information systems (NIS Directive) entered into force in 2016.
The objective of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.
The best practices presented are based on feedback from railway players. They include tools, such as the list of assets and services, cyber threat scenarios and applicable cybersecurity measures, based on standards and best practices used in the sector. These resources can serve as a basis for cyber risk management for railway undertakings. They are therefore intended to be a point of reference and to promote collaboration between railway stakeholders across the EU while raising awareness of relevant threats.
Existing cyber risk management approaches vary for rail IT and OT systems
For risk management of rail IT systems, the most cited approaches were the national level NIS directive requirements, the ISO 2700x family of standards and the NIST cybersecurity framework.
For operational technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail X2Rail-3 project or of the CYRail project.
These standards or approaches are often used in a complementary way to adequately address IT and OT systems. While IT systems are normally assessed with broader, more generic methods (such as ISO 2700x or the national NIS Directive requirements), OT systems require specific methods and frameworks designed for industrial rail systems.
There is not yet a unified approach to rail cyber risk management. Stakeholders who participated in this study indicated that they use a combination of the aforementioned international and European approaches to address risk management, which they then complement with national frameworks and methodologies.
For RUs and IMs to manage cyber risks, it is essential to identify what needs to be protected. In this report, a comprehensive asset list is broken down into five areas: the services provided by the stakeholders, the devices (technology systems) that support those services, the physical equipment used to deliver those services, the people who maintain or use them, and the data used.
Threat Taxonomies and Risk Scenarios
RUs and IMs should identify cyber threats applicable to their assets and services. The report reviews available threat taxonomies and provides a list of threats that can be used as a basis.
Examples of cyber risk scenarios are also analysed, which can help railway actors when carrying out a risk analysis. They show how asset and threat taxonomies can be used together and are based on known industry incidents and feedback received during workshops.
Application of cybersecurity measures
Each scenario is associated with a list of relevant security measures. The report draws these measures from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and best practices (NIST cybersecurity framework).